New Member

FTP

I am trying to NAT my FTP to the outside.  I can't get to that IP.  Am I missing something?  I have FTP allowed in access rules.

For NAT

static NAT

inside  - to the internal IP

Outside - external IP

I can ping the server from firewall internally.  What else can I do to test?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: FTP

I don't think the problem is with the inspect. The FTP FEAT command is entered successfully but the responses are not. You can check the show service-policy and check if the inspect ftp has drops:

ASA-1# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 672, drop 0, reset-drop 0

27 REPLIES

Re: FTP

are you trying a static NAT for your FTP server?

For example:

FTP 192.168.1.10

NATed IP 66.12.66.10

stat (inside,outside) 66.12.66.10 192.168.1.10

Is that what you are trying?

New Member

Re: FTP

yes, do I have all the info correct?

Re: FTP

if you have a similar static NAT it seems correct. Are there any ACLs on the inside interface that could prevent the traffic from going out. Is the NATed IP on your range of outside IPs?

If you can send the config it would be great.

New Member

Re: FTP

sent via private message....

Re: FTP

thanks for the config. If you are trying to allow FTP traffic from the outside to the inside it won't work since you are denying the traffic in the first two lines of your access-l outside_access_in.

Is this the test that you are trying? FTP to the SGA_Website_NAT address coming from the outside?

New Member

Re: FTP

Hey Paul,

The Deny is on purpose; until I can get it to work I have it on deny.  Yes the NAT is SGA_Website_NAT.  It is called website because we got rid of that and I changed the nat for our FTP server now.  I can get to the website internally, but not externally, when I try the NAT ip address on the outside...

Re: FTP

do you see hitcounts on the ACL after the testing? If there are not hitcounts that means that the traffic is not getting to your ASA.

New Member

Re: FTP

It is weird because I do see hit counts, but can't get to address.

Re: FTP

Your FTP server has a default gateway? It should be your ASA 10.1.101.1. Make sure the FTP service is up.

New Member

Re: FTP

I can get to the FTP Internally, I can ping the FTP from the ASA.  I can't get the external IP to hit the internal via the internet.  This one is bugging me.  I run a packet trace from the External IP to the ASA and the packet succeeds.  The Gateway of the FTP is the ASA IP.  The services are running because I can get the FTP site in the DMZ zone.  Any other ideas?

Re: FTP

do you have any other filtering device such as an IPS?

We could set some captures on the ASA inside interface to see if the packet returns to the ASA and how it returns.

New Member

Re: FTP

I am getting a failure when packet tracing from ASA to the FTP server on inside interface.  Do I need to allow this internally...  Any Less secure networks are allowed IP...

Re: FTP

if the traffic is coming from outside to inside you just need the ACLs on the outside. Also make sure you have the inspect ftp on your policy map

New Member

Re: FTP

Inspect FTP on Policy Map?

Re: FTP

yes, for example:

policy-map global_policy

class inspection_default

  inspect ftp

!

service-policy global_policy global
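Pulling Paul's static NAT example and the inspect ftp snippet together, here is the full set of pieces an inbound FTP publication needs on an ASA. This is an added example, not configuration from the thread: it reuses Paul's addresses (server 192.168.1.10, public 66.12.66.10) and the ACL name outside_access_in from the discussion; the object name FTP_SERVER is an assumption. Use the block that matches your software version, not both.

```cisco
! Added example (not from the thread): static NAT + inbound ACL + FTP inspection
! for the addresses Paul used: real server 192.168.1.10, public 66.12.66.10.
!
! --- ASA 8.2 and earlier (the "static (inside,outside)" form used in the thread) ---
! The ACL on the outside interface references the MAPPED (public) address.
static (inside,outside) 66.12.66.10 192.168.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 66.12.66.10 eq ftp
access-group outside_access_in in interface outside
!
! --- ASA 8.3 and later (object NAT) ---
! The ACL on the outside interface references the REAL (inside) address / object.
object network FTP_SERVER
 host 192.168.1.10
 nat (inside,outside) static 66.12.66.10
access-list outside_access_in extended permit tcp any object FTP_SERVER eq ftp
access-group outside_access_in in interface outside
!
! FTP inspection on the global policy: the ASA reads PORT/PASV on the control
! channel and opens the data connection on demand, so the ACL only needs tcp/21.
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
```

Two checks worth making against this: an access-list is evaluated top-down, first match, so a deny line near the top of outside_access_in (as in the config discussed above) shadows the permit no matter where it is added; and if the permit line shows hitcnt in show access-list but the session still fails, the problem is past the ACL (NAT, routing back from the server, or the server itself), not the rule.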

New Member

Re: FTP

The inspect ftp command is not working, can i just add it through the GUI interface?

Re: FTP

what do you mean is not working? Is not configured?

If it is not configured then you can add it by CLI or GUI under the global policy.

New Member

Re: FTP

Reply: 220 Microsoft FTP Service

Command: CLNT http://ftptest.net on behalf of 63.61..x.x

Reply: 500 'CLNT http://ftptest.net on behalf of 63.61.x.x: command not understood

Command: USER anonymous

Reply: 331  access allowed, send identity (e-mail name) as password.

Command: PASS **********************

Reply: 230  user logged in.

Command: SYST

Reply: 215 Windows_NT

Command: FEAT

Reply: 211-FEAT

Reply: SIZE

Error: FEAT response lines must begin with a single space character

Error when typing in command for FTP....

the first two lines work but the last one, "inspect FTP"  does not work...

New Member

Re: FTP

I can get to where I go to the external address and I get a login box.  However, when I type in the password it times out now.  Looking at the log on the FTP server, the account is logging in.

New Member

Re: FTP

No IPS

New Member

Re: FTP

I am checking to see if the Router is open to FTP... I will post back in a few.

New Member

Re: FTP

FTP test I get this error????

Error: FEAT response lines must begin with a single space character

New Member

Re: FTP

Can you try using Windows Explorer instead of Filezilla?  ex. ftp://{IP Address of outside interface}

Also check out the following

http://forum.filezilla-project.org/viewtopic.php?f=1&t=16565

New Member

Re: FTP

I can get HTTP to work from same server.  There must be something blocking the FTP.  Do I need to open more ports for the FTP?  The packet trace is not helping.  I am going to try and use the packet capture to see if that helps.

Cisco Employee

Re: FTP

Excellent Idea,

How far do you get when you try to FTP to your server? If you get the login prompt and the password just times out, we may need 2 things in order to sort this out....

Logs from the connection

Packet capture

Show service policy

If you can get the login prompt but the password times out, I don't think it is a problem with the inspection, since the inspection takes place only when there is a file transfer about to begin.

Please feel free to gather that information, if you like you can send it as a Private message to Paul and Me, I think he would like to check those packet captures too as much as I do.

Cheers.....

Mike
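As an added example (not commands from Mike's or Paul's posts), the diagnostics Mike lists above, plus the inspect drop check from the accepted solution, written out for the addresses used earlier in the thread. 203.0.113.5 stands in for the outside test client and is a placeholder; the capture names CAPIN and CAPOUT are assumptions.

```cisco
! Added example (not from the thread): gather logs, captures and the
! service-policy counters for an inbound FTP test through the ASA.
! Real server 192.168.1.10, public address 66.12.66.10,
! outside test client 203.0.113.5 (placeholder, replace with the real one).
!
! 1. Confirm the inbound rule is the one being hit (hitcnt per line)
show access-list outside_access_in
!
! 2. Capture the control channel on both sides of the translation:
!    the outside capture sees the public address, the inside one the real address.
!    A SYN on CAPOUT with nothing on CAPIN points at NAT/ACL; a SYN on CAPIN with
!    no SYN/ACK back points at the server or its default gateway.
capture CAPOUT interface outside match tcp any host 66.12.66.10 eq 21
capture CAPIN interface inside match tcp any host 192.168.1.10 eq 21
! ... run the FTP login from outside, then read both:
show capture CAPOUT
show capture CAPIN
!
! 3. Inspection counters: a rising "drop" here implicates inspect ftp,
!    a steady 0 (as in the accepted solution) points elsewhere.
show service-policy inspect ftp
!
! 4. Walk one inbound SYN through route lookup, ACL, NAT and inspection
packet-tracer input outside tcp 203.0.113.5 40000 66.12.66.10 21
!
! 5. Keep the syslog for the test window and pull the lines for this server
logging buffered debugging
show logging | include 66.12.66.10
!
! Remove the captures when finished; they keep consuming memory until cleared.
no capture CAPOUT
no capture CAPIN
```

Take the captures during the exact moment the password times out: if the PASS command and its 230 reply are both visible on CAPIN but the client never sees the 230 on CAPOUT, the return path from the server is the place to look, which matches the thread's observation that the server log shows the account logging in.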
