Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1224
Views
0
Helpful
4
Replies

FTPS on cisco asa

Benjamin Saito
Level 1
Level 1

‎06-26-2014 12:37 PM - edited ‎03-11-2019 09:23 PM

I have an ASA 5505 code version 9.0(3) and FTPS seems to be working with some but not others. The ones who can transfer files have full ip completely, but the ones who can't are able to authenticate but cannot transfer files. This led me to believe that this was an ACL issue, but then I looked at the logs and I am getting this error for the user that cannot connect:

 

 tcp flow from outside:x.x.x.x/56721 to inside:x.x.x.x/21 terminated by inspection engine, reason - inspector drop reset.

 

Does anyone know why they would be getting this error?

 

Thanks in advance!

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-26-2014 02:33 PM

The inspection engine is looking at the ftp protocol and finding something objectionable in that user's sessions. Exactly what is hard to say without debugging or capturing a live failing session.

You can disable ftp inspection as follows (in global configuration mode of course):

policy-map global_policy
 class inspection_default
 no inspect ftp

That won't tell you what was making it break but it should fix the immediate issue for that user. 

0 Helpful

cciesec2011
Level 3
Level 3
In response to Marvin Rhoads

‎06-28-2014 02:35 PM

This is a really bad advice and I will tell you why.

By disabling inspect ftp, you will break a lot of FTP connections.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to cciesec2011

‎06-28-2014 04:43 PM

It's not universal but I've seen it fix non-working ftp (and non-working smtp and non-working sccp for their respective protocols).

What alternative do you advise the OP pursue to address his issue?

0 Helpful

cciesec2011
Level 3
Level 3
In response to Marvin Rhoads

‎06-28-2014 07:32 PM

I will tell you why:

Let say when you allow ftp from external to internal, normally your ACL will look like this:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

access-list outside permit tcp any host 1.1.1.1 eq 21 log

access-list outside deny ip any any log

Now when host 2.2.2.2 want to connect to 1.1.1.1 on ftp, the firewall knows that connect is ftp so it will allow inspect ftp to handle the data connection properly.

Now let say if you disable inspect ftp, when the client 2.2.2.2 connect to host 1.1.1.1 via ftp and let say he issues an "passive" to enter passive mode.  Without inspect ftp, you would have to to allow:

access-list outside permit tcp any host 1.1.1.1 gt 1024

because passive allows the client to connect to the server on tcp high-ports, nature of FTP.  By disabling inspect ftp, this is no longer possible thus breaking ftp connection, unless you implement the ACL above, which I don't think your security department will approve.

 

The alternative is to use SecureFTP or sFTP which will a perfectly secure protocol.  This is 2014, not 1999.  FTP and FTPs should be banned.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card