11-21-2009 02:36 AM - edited 03-11-2019 09:41 AM
Folks,
I have an ASA running v8 IOS and I'm trying to allow FTP through it, but it's not that straightforward.
The internal client makes an outbound FTP session to an external FTP server.
When the FTP credentials are authorised, the external server responds by making an inbound connection from source port 20 to a range of TCP ports between 8000 - 8500.
I allow an FTP session from an inside client to an external server:
- rule allows source to destination for FTP
- source is NAT'd to a public IP
- packet captures on the ASA show the traffic going in/out the relevant interfaces
- I have an inbound rule allowing TCP 8000 - 8500 from the external server to the public NAT
- FTP inspection is enabled on the default policy (strict inspection isn't enabled)
The outbound rule shows hits, but the return traffic from the external server on source port 20/destination port 8000 - 8500 is getting denied.
Do I need to add the ports TCP 8000 - 8500 to the global inspection for a service group, i.e. destination ports TCP-8000/8500?
Thanks to anyone taking the time to look at this or reply.
11-21-2009 05:24 AM
You don't even need this:
- i have an inbound rule allowing TCP 8000 - 8500 from the external server to the public nat
FTP inspection should automatically allow the data to come back in.
Now, are you sure the control channel goes on port 21, and that it does hit the inspection?
sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 21
where x.x.x.x is the inside client and y.y.y.y is the FTP server on the outside,
should show you whether this flow is being inspected or not.
Besides that, we would have to look at the captures and syslogs at the time of the problem.
Please check what the logs show.
11-21-2009 01:31 PM
kusankar
Many thanks for your reply.
I've been drafted in to fix this issue and wasn't involved in its setup, but based on a packet capture I can see the client sending a request AUTH TLS, so I suspect what I'm dealing with is FTPS.
Have you had any dealings with passing FTPS through an ASA?
Thanks
11-21-2009 08:37 PM
If this is secure FTP, then inspection will not be able to look in the encrypted packet and allow the data connection automatically. The only workaround is to allow the ports via ACL (for data), which you mentioned you have already allowed.
Besides that, like I previously mentioned, syslogs and captures are our friend.
See if you see ACL hit counts on the ACL applied inbound on the outside interface from the FTP server back to the translated address of the client.
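To make the mechanism behind the two answers concrete, here is a small added example (not part of the thread and not Cisco's inspection code): a toy re-implementation of what an FTP application-layer inspector does with the control channel. It reads PORT commands (active mode, as in the original question) and 227 replies (passive mode) to derive the data-connection pinhole it would open, and it stops deriving anything once it sees AUTH TLS answered with 234, because from that point the control channel is ciphertext. The session transcripts, the IP addresses, the ACL name `outside_access_in` and the `static_data_acl` helper are all constructed placeholders for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of an active-mode FTP control channel. "C:" is the inside
# client, "S:" is the outside server. The PORT argument encodes 10.1.1.20:8000
# (31*256 + 64 = 8000), matching the 8000-8500 range from the question.
PLAIN_ACTIVE_SESSION = [
    "S: 220 ftp ready",
    "C: USER alice",
    "S: 331 password required",
    "C: PASS secret",
    "S: 230 logged in",
    "C: PORT 10,1,1,20,31,64",
    "S: 200 PORT command successful",
    "C: RETR file.bin",
    "S: 150 opening data connection",
]

# Constructed passive-mode sample: the server names 203.0.113.10:10000
# (39*256 + 16 = 10000) for the client to connect to.
PLAIN_PASSIVE_SESSION = [
    "S: 220 ftp ready",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,10,39,16)",
    "C: RETR file.bin",
]

# Constructed FTPS sample (AUTH TLS, RFC 4217). After the 234 reply every
# control-channel byte is TLS ciphertext; the placeholder lines stand in for it.
FTPS_SESSION = [
    "S: 220 ftp ready",
    "C: AUTH TLS",
    "S: 234 proceed with negotiation",
    "<tls ciphertext>",
    "<tls ciphertext>",
]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(groups) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 into (ip, port)."""
    ip = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return ip, port


def inspect_session(lines: List[str]) -> Tuple[List[Tuple[str, str, int]], bool]:
    """Simulate an FTP ALG over a control-channel transcript.

    Returns (pinholes, encrypted). Each pinhole is (mode, ip, port): the data
    connection the inspector would permit. 'encrypted' becomes True once the
    channel switched to TLS, after which no further pinholes can be derived.
    """
    pinholes: List[Tuple[str, str, int]] = []
    encrypted = False
    auth_tls_requested = False
    for line in lines:
        if encrypted:
            continue  # opaque bytes: an inspector cannot parse these
        side, _, text = line.partition(": ")
        if side == "C" and text.upper().startswith("AUTH TLS"):
            auth_tls_requested = True
        elif side == "S" and auth_tls_requested and text.startswith("234"):
            encrypted = True
        elif side == "C" and (m := PORT_RE.match(text)):
            ip, port = _endpoint(m.groups())
            pinholes.append(("active", ip, port))  # server:20 -> client ip:port
        elif side == "S" and (m := PASV_RE.match(text)):
            ip, port = _endpoint(m.groups())
            pinholes.append(("passive", ip, port))  # client -> server ip:port
    return pinholes, encrypted


def static_data_acl(server_ip: str, public_nat_ip: str, low: int, high: int,
                    acl_name: str = "outside_access_in") -> str:
    """Build the static inbound ACL entry the third reply recommends for FTPS
    active-mode data: server source port 20 to the client's translated address
    on the agreed port range. ACL name and addresses are placeholders."""
    return (f"access-list {acl_name} extended permit tcp host {server_ip} eq 20 "
            f"host {public_nat_ip} range {low} {high}")


if __name__ == "__main__":
    for name, session in [("plain active", PLAIN_ACTIVE_SESSION),
                          ("plain passive", PLAIN_PASSIVE_SESSION),
                          ("ftps", FTPS_SESSION)]:
        print(name, inspect_session(session))
    print(static_data_acl("203.0.113.10", "198.51.100.5", 8000, 8500))
```

Running it shows the inspector deriving one pinhole from each cleartext session and none from the FTPS one, which is exactly the situation in the thread: with AUTH TLS in play the dynamic pinhole never appears, so the inbound data range has to be permitted statically and then verified with ACL hit counts and syslog, as the last reply says.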