Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
566
Views
0
Helpful
3
Replies

FTP through an ASA5540

mulhollandm
Level 1
Level 1

‎11-21-2009 02:36 AM - edited ‎03-11-2019 09:41 AM

folks

i have an asa running v8 IOS and i'm trying to allow ftp through it but its not that straightforward

the internal client makes an outbound ftp session to an external ftp server

when the ftp credentials are authorised the external server responds by making inbound connection from source port 20 to a range of tcp ports between 8000 - 8500 

i allow an ftp session from an inside client to an external server

- rule allows source to destination for FTP

- source is nat'd to a public IP

- packet captures on the asa show the traffic going in/out the relevant interfaces

- i have an inbound rule allowing TCP 8000 - 8500 from the external server to the public nat

- FTP inspection is enabled on the default policy (strict inspection isn't enabled)

the outbound rule shows hits but the return traffic from the external server on source port 20/destination port 8000 - 8500 is getting denied

do i need to add the ports tcp 8000 - 8500 to the global inspection for a service group, i.e. destion ports TCP-8000/8500

thanks to anyone taking the time to look at this or reply

Labels:
0 Helpful
3 Replies 3

Kureli Sankar
Cisco Employee
Cisco Employee

‎11-21-2009 05:24 AM

You don't even need this

- i have an inbound rule allowing TCP 8000 - 8500 from the external server to the public nat

ftp inspection should automatically allow the data to come back in.

Now, are you sure the control channel goes on port 21? and that does hit the inspection?

sh service-pol flow tcp host x.x.x.x host y.y.y.y eq 21

where x.x.x.x is the inside client

y.y.y.y is the ftp server on the outside

should show you whether this flow is being inspected or not.

Besides that we would have to look at the captures and syslogs at the time of the problem.

Pls. check what the logs show.

0 Helpful

mulhollandm
Level 1
Level 1
In response to Kureli Sankar

‎11-21-2009 01:31 PM

kusankar

many thanks for your reply

i've been drafted in to fix this issue and wasn't involved in its setup but based on a packet capture i can see the client sending a request AUTH TLS so i suspect what i'm dealing with is FTPS

hoave you have any dealings with passing FTPS through an ASA?

thanks

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to mulhollandm

‎11-21-2009 08:37 PM

If this is secure ftp then, inspection will not be able to look in the encrypted packet and allow the data connection automatically.  The only work around is to allow the ports via ACL (for data) which you mentioned you have already allowed.

Besides that like I previously metioned syslogs and captures are our friend.

See if you see acl hit counts on the acl applied inbound on the outside interface from the ftp server back to the translated address of the client.


0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card