Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

FTPS on cisco asa

I have an ASA 5505 code version 9.0(3) and FTPS seems to be working with some but not others. The ones who can transfer files have full ip completely, but the ones who can't are able to authenticate but cannot transfer files. This led me to believe that this was an ACL issue, but then I looked at the logs and I am getting this error for the user that cannot connect:

 

 tcp flow from outside:x.x.x.x/56721 to inside:x.x.x.x/21 terminated by inspection engine, reason - inspector drop reset.

 

Does anyone know why they would be getting this error?

 

Thanks in advance!

4 REPLIES
Hall of Fame Super Silver

The inspection engine is

The inspection engine is looking at the ftp protocol and finding something objectionable in that user's sessions. Exactly what is hard to say without debugging or capturing a live failing session.

You can disable ftp inspection as follows (in global configuration mode of course):

policy-map global_policy
 class inspection_default
 no inspect ftp

That won't tell you what was making it break but it should fix the immediate issue for that user. 

New Member

This is a really bad advice

This is a really bad advice and I will tell you why.

By disabling inspect ftp, you will break a lot of FTP connections.

Hall of Fame Super Silver

It's not universal but I've

It's not universal but I've seen it fix non-working ftp (and non-working smtp and non-working sccp for their respective protocols).

What alternative do you advise the OP pursue to address his issue?

New Member

I will tell you why:Let say

I will tell you why:

Let say when you allow ftp from external to internal, normally your ACL will look like this:

static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255

access-list outside permit tcp any host 1.1.1.1 eq 21 log

access-list outside deny ip any any log

Now when host 2.2.2.2 want to connect to 1.1.1.1 on ftp, the firewall knows that connect is ftp so it will allow inspect ftp to handle the data connection properly.

Now let say if you disable inspect ftp, when the client 2.2.2.2 connect to host 1.1.1.1 via ftp and let say he issues an "passive" to enter passive mode.  Without inspect ftp, you would have to to allow:

access-list outside permit tcp any host 1.1.1.1 gt 1024

because passive allows the client to connect to the server on tcp high-ports, nature of FTP.  By disabling inspect ftp, this is no longer possible thus breaking ftp connection, unless you implement the ACL above, which I don't think your security department will approve.

 

The alternative is to use SecureFTP or sFTP which will a perfectly secure protocol.  This is 2014, not 1999.  FTP and FTPs should be banned.

418
Views
0
Helpful
4
Replies
CreatePlease login to create content