I have an ASA firewall running version 8.0(4). Everything is working fine, but recently we started a project which involves uploading files to an FTP server located outside the network, over the internet.
Other FTP services are working fine, but this FTP server requires port 6521, which I have opened, and I am still not able to connect. Only if I open the full IP address for a user can he connect and see the file listing on the server; opening TCP and UDP port 6521 alone is not working. I have attached the packet capture, which shows the connection being established on port 6521, but then a dynamic port assignment is showing. I have also checked with inspect FTP enabled and with it disabled, but no luck.
The reason for that is that with "class-map inspection_default", inspection for FTP is done on TCP/21 only. To enable it on a different port, like TCP/6521 in our case, you will need to create another class-map matching that traffic and then perform inspection on it:
access-list FTP permit tcp any host 111.121.249.247 eq 6521
access-list FTP permit tcp host 111.121.249.247 eq 6521 any
class-map ftp-class
 match access-list FTP
policy-map global_policy
 class ftp-class
  inspect ftp
To confirm that packets are being redirected and inspected, you can run "show service-policy" and watch the counters incrementing. Let me know if this helps!
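The reason a static hole for TCP/6521 is not enough is visible in the capture the OP describes: after the control connection comes up, the server and client negotiate a second, data connection on a port chosen at run time (PASV/EPSV replies from the server, or a PORT command from the client). FTP inspection reads those messages off the control channel and opens the data connection on the fly; a plain ACL cannot, because the port is not known in advance. The script below is an added example, not code from the thread or from Cisco: it walks a constructed control session on TCP/6521 the way an inspection engine does, derives the data-channel pinholes, and checks each one against a static rule that only opens 6521. The addresses, session lines and function names are all assumptions for the example.

```python
import re

# Constructed sample FTP control session (not the OP's capture). The control
# channel runs on TCP/6521, the port the OP opened statically. 10.1.1.50 stands
# in for the inside client, 203.0.113.10 (RFC 5737 space) for the outside server.
CLIENT_IP = "10.1.1.50"
SERVER_IP = "203.0.113.10"
CONTROL_PORT = 6521
SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER upload"),
    ("S", "331 Password required"),
    ("C", "PASS ********"),
    ("S", "230 Login successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,195,80)"),
    ("C", "STOR report.csv"),
    ("S", "150 Ok to send data"),
    ("S", "226 Transfer complete"),
    ("C", "PORT 10,1,1,50,4,1"),
    ("S", "200 PORT command successful"),
    ("C", "EPSV"),
    ("S", "229 Entering Extended Passive Mode (|||50001|)"),
    ("C", "PASV"),
    # Reply that names a host other than the control-channel peer (see below).
    ("S", "227 Entering Passive Mode (198,51,100,7,0,21)"),
]

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def decode_hostport(groups):
    """Turn the h1,h2,h3,h4,p1,p2 tuple used by PASV/PORT into (ip, port)."""
    nums = [int(g) for g in groups]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("octet or port byte out of range: %r" % (groups,))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not valid")
    return ".".join(str(n) for n in nums[:4]), port


def derive_pinholes(client_ip, server_ip, session):
    """Walk the control channel the way an FTP inspection engine does and
    return the data connections that have to be permitted dynamically."""
    pinholes = []
    for who, line in session:
        if who == "S" and (m := PASV_RE.match(line)):
            ip, port = decode_hostport(m.groups())
            # A 227 pointing at some other host is the classic FTP bounce /
            # redirection trick; a careful engine pins the data channel to the
            # control-channel peer rather than trusting the address in the reply.
            pinholes.append({"mode": "passive", "src": client_ip, "dst": ip,
                             "dport": port, "addr_mismatch": ip != server_ip})
        elif who == "S" and (m := EPSV_RE.match(line)):
            # EPSV carries only a port; the address is the control peer by definition.
            pinholes.append({"mode": "passive", "src": client_ip, "dst": server_ip,
                             "dport": int(m.group(1)), "addr_mismatch": False})
        elif who == "C" and (m := PORT_RE.match(line)):
            # Active mode: the server connects back to the client's chosen port.
            ip, port = decode_hostport(m.groups())
            pinholes.append({"mode": "active", "src": server_ip, "dst": ip,
                             "dport": port, "addr_mismatch": ip != client_ip})
    return pinholes


def permitted_by_static_rule(pinhole, server_ip, open_ports):
    """Model the OP's static ACL: TCP to/from the server on the listed ports only.
    Data channels land on run-time ports, so this is False for every one of them."""
    return (server_ip in (pinhole["src"], pinhole["dst"])
            and pinhole["dport"] in open_ports)


if __name__ == "__main__":
    for p in derive_pinholes(CLIENT_IP, SERVER_IP, SESSION):
        ok = permitted_by_static_rule(p, SERVER_IP, {CONTROL_PORT})
        print(f"{p['mode']:7} {p['src']} -> {p['dst']}:{p['dport']}  "
              f"static ACL: {'allowed' if ok else 'BLOCKED'}"
              + ("  (address mismatch)" if p["addr_mismatch"] else ""))
```

Every data connection the session negotiates comes back BLOCKED under the static rule, which is exactly the "connects on 6521, then dies at the dynamic port" symptom in the question; the last PASV reply is also flagged because it names a third host, the case an inspection engine should refuse to open a hole for.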
show access-list ftp-list
access-list ftp-list; 2 elements
access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=2) 0x4f2ddd4a
access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4

show access-list ftp-list
access-list ftp-list; 2 elements
access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=4) 0x4f2ddd4a
access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 74601620, drop 327772, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 44466, drop 0, reset-drop 0
      Inspect: h323 ras _default_h323_map, packet 44643, drop 44643, reset-drop 0
      Inspect: netbios, packet 375597, drop 0, reset-drop 0
      Inspect: rsh, packet 44463, drop 0, reset-drop 0
      Inspect: rtsp, packet 44486, drop 0, reset-drop 0
      Inspect: skinny , packet 44466, drop 0, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 446745675, drop 13344, reset-drop 0
      Inspect: sunrpc, packet 68074, drop 0, reset-drop 0
      Inspect: tftp, packet 22322, drop 22322, reset-drop 0
      Inspect: sip , packet 66788, drop 0, reset-drop 0
      Inspect: xdmcp, packet 22323, drop 22323, reset-drop 0
      Inspect: pptp, packet 67131, drop 0, reset-drop 0
      Inspect: ftp, packet 169532, drop 0, reset-drop 0
    Class-map: ftp-class
      Inspect: ftp, packet 33, drop 0, reset-drop 2
      Default Queueing      Set connection policy: drop 0
      Set connection decrement-ttl
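The "watch the counters" check from the reply, done programmatically against the two "show access-list ftp-list" runs and the "show service-policy" output posted above. This is an added example, not code from the thread or from Cisco; the snapshot strings are copied from the output above, flattened the way the post shows them, and the function names are assumptions. Besides the ACE hit deltas, it pulls out the per-class inspect counters: a class with zero packets is not matching the traffic at all, and a non-zero reset-drop (the ftp-class above shows 2) means the inspector itself dropped packets and reset the connection, which would explain a failed session and is worth lining up against the capture.

```python
import re

# Snapshots copied from the thread: two "show access-list ftp-list" runs taken
# a little apart, and the "show service-policy" output (abridged to the
# inspectors that matter here), whitespace-flattened as in the post.
ACL_BEFORE = ("access-list ftp-list; 2 elements "
              "access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=2) 0x4f2ddd4a "
              "access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4")
ACL_AFTER = ("access-list ftp-list; 2 elements "
             "access-list ftp-list line 1 extended permit tcp any any eq 6521 (hitcnt=4) 0x4f2ddd4a "
             "access-list ftp-list line 2 extended permit tcp any eq 6521 any (hitcnt=0) 0xd15618f4")
SERVICE_POLICY = ("Global policy: Service-policy: global_policy "
                  "Class-map: inspection_default "
                  "Inspect: dns preset_dns_map, packet 74601620, drop 327772, reset-drop 0 "
                  "Inspect: h323 h225 _default_h323_map, packet 44466, drop 0, reset-drop 0 "
                  "Inspect: skinny , packet 44466, drop 0, reset-drop 0 "
                  "Inspect: ftp, packet 169532, drop 0, reset-drop 0 "
                  "Class-map: ftp-class Inspect: ftp, packet 33, drop 0, reset-drop 2 "
                  "Default Queueing Set connection policy: drop 0 Set connection decrement-ttl")

ACE_RE = re.compile(r"access-list (\S+) line (\d+) extended (.+?) \(hitcnt=(\d+)\)")
INSPECT_RE = re.compile(r"Inspect: ([^,]+?)\s*, packet (\d+), drop (\d+), reset-drop (\d+)")


def parse_acl_hits(text):
    """Map ACE line number -> {'ace': text, 'hitcnt': n} for one snapshot."""
    return {int(m.group(2)): {"ace": m.group(3), "hitcnt": int(m.group(4))}
            for m in ACE_RE.finditer(text)}


def acl_deltas(before, after):
    """Hit-count increase per ACE between two snapshots. An ACE whose count
    never moves is one the traffic is not matching."""
    b, a = parse_acl_hits(before), parse_acl_hits(after)
    return {n: a[n]["hitcnt"] - b[n]["hitcnt"] for n in a if n in b}


def parse_service_policy(text):
    """Map class-map name -> {inspector label: (packet, drop, reset-drop)}.
    Splitting on 'Class-map: ' works for both flattened and line-based output."""
    classes = {}
    for chunk in text.split("Class-map: ")[1:]:
        name = chunk.split(None, 1)[0]
        classes[name] = {m.group(1): (int(m.group(2)), int(m.group(3)), int(m.group(4)))
                         for m in INSPECT_RE.finditer(chunk)}
    return classes


def check_inspection(text, class_name, inspector="ftp"):
    """Is the class seeing packets, and is its inspector dropping any?"""
    counters = parse_service_policy(text).get(class_name, {}).get(inspector)
    if counters is None:
        return {"present": False}
    packet, drop, reset_drop = counters
    return {
        "present": True,
        "packet": packet,
        "drop": drop,
        "reset_drop": reset_drop,
        "matching_traffic": packet > 0,
        # reset-drop counts packets the inspector dropped while sending a reset,
        # i.e. connections the inspection engine itself tore down.
        "inspector_dropping": (drop + reset_drop) > 0,
    }


if __name__ == "__main__":
    print("ACL hitcnt deltas:", acl_deltas(ACL_BEFORE, ACL_AFTER))
    print("ftp-class:", check_inspection(SERVICE_POLICY, "ftp-class"))
```

Run against the page's own numbers it reports a delta of 2 on ACE 1 and 0 on ACE 2 (only client-initiated connections are hitting the class), and for ftp-class: 33 packets matched, 2 reset-drops.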
As I had mentioned before, please get bidirectional captures in .pcap format on the "inside" interface, that is, traffic from and to the server. To apply and gather captures in .pcap format, please refer to the document below: