I have an ASA 5505 code version 9.0(3) and FTPS seems to be working with some but not others. The ones who can transfer files have full ip completely, but the ones who can't are able to authenticate but cannot transfer files. This led me to believe that this was an ACL issue, but then I looked at the logs and I am getting this error for the user that cannot connect:
tcp flow from outside:x.x.x.x/56721 to inside:x.x.x.x/21 terminated by inspection engine, reason - inspector drop reset.
Does anyone know why they would be getting this error?
access-list outside permit tcp any host 18.104.22.168 eq 21 log
access-list outside deny ip any any log
Now when host 22.214.171.124 wants to connect to 126.96.36.199 on ftp, the firewall knows that the connection is ftp, so it will allow inspect ftp to handle the data connection properly.
Now let's say you disable inspect ftp: when the client 188.8.131.52 connects to host 184.108.40.206 via ftp and, let's say, issues a "passive" to enter passive mode. Without inspect ftp, you would have to allow:
access-list outside permit tcp any host 220.127.116.11 gt 1024
because passive mode lets the client connect to the server on TCP high ports; that is the nature of FTP. By disabling inspect ftp, this is no longer possible, thus breaking the ftp connection, unless you implement the ACL above, which I don't think your security department will approve.
The alternative is to use SecureFTP or sFTP, which is a perfectly secure protocol. This is 2014, not 1999. FTP and FTPs should be banned.
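The answer above describes two ways the passive data connection can get through the firewall: a static ACL opening every high port on the server, or the FTP inspector reading the PASV reply on the control channel and opening a pinhole for just that client and port. The following model, added here as an illustration and not code from the thread or from Cisco, shows the difference. It parses an RFC 959 `227` reply, computes the data port (p1*256 + p2), and compares a simplified first-match ACL against a minimal stateful inspector; the server and client addresses are the ones used in the answer's ACL example, the PASV reply is constructed, and the ACL format and inspector behaviour are assumptions, not the ASA's actual implementation.

```python
"""Constructed model: how an FTP inspector derives a passive-mode pinhole
from the control channel, versus a static 'gt 1024' ACL (example only)."""
import re
from typing import List, Optional, Tuple

# RFC 959 passive reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced by a 227 reply, or None if the line is
    not a PASV reply. Any field above 255 means a malformed reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("malformed PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)

# Simplified ACL entry: (action, dst_ip or 'any', port_op, port)
# port_op is 'eq', 'gt' or 'any'; evaluation is first match, implicit deny.
Acl = List[Tuple[str, str, str, int]]

def acl_permits(acl: Acl, dst_ip: str, dst_port: int) -> bool:
    for action, ip, op, port in acl:
        if ip != "any" and ip != dst_ip:
            continue
        if op == "eq" and dst_port != port:
            continue
        if op == "gt" and dst_port <= port:
            continue
        return action == "permit"
    return False

class FtpInspector:
    """Minimal stateful inspector (assumed behaviour): watches control-channel
    replies and opens a pinhole client -> announced ip:port for the data flow."""
    def __init__(self, control_server_ip: str) -> None:
        self.server = control_server_ip
        self.pinholes = set()

    def observe_reply(self, client_ip: str, reply: str):
        parsed = parse_pasv(reply)
        if parsed is None:
            return None
        ip, port = parsed
        # Only open pinholes toward the server the control channel belongs to;
        # a reply pointing elsewhere would redirect the client's data flow.
        if ip != self.server:
            return None
        hole = (client_ip, ip, port)
        self.pinholes.add(hole)
        return hole

    def permits_data(self, client_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (client_ip, dst_ip, dst_port) in self.pinholes

# Addresses from the answer's ACL example; the PASV reply itself is constructed.
SERVER = "220.127.116.11"
CLIENT = "188.8.131.52"
PASV_REPLY = "227 Entering Passive Mode (220,127,116,11,195,80)\r\n"

ACL_CONTROL_ONLY: Acl = [("permit", SERVER, "eq", 21), ("deny", "any", "any", 0)]
ACL_WITH_HIGHPORTS: Acl = [("permit", SERVER, "eq", 21),
                           ("permit", SERVER, "gt", 1024),
                           ("deny", "any", "any", 0)]

def demo() -> dict:
    """Compare the three ways the data connection can be evaluated."""
    ip, port = parse_pasv(PASV_REPLY)
    insp = FtpInspector(SERVER)
    insp.observe_reply(CLIENT, PASV_REPLY)
    return {
        "data_port": port,
        "static_acl_control_only": acl_permits(ACL_CONTROL_ONLY, ip, port),
        "static_acl_gt1024": acl_permits(ACL_WITH_HIGHPORTS, ip, port),
        "inspector_pinhole": insp.permits_data(CLIENT, ip, port),
        "inspector_other_client": insp.permits_data("10.0.0.99", ip, port),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print("%-26s %s" % (k, v))
```

The inspector permits only the flow it saw announced (client 188.8.131.52 to port 50000) and nothing for another client, while the `gt 1024` ACL permits any high port from anyone. The inspector can only do this because it reads the `227` reply in cleartext on port 21; it cannot read a control channel that has been encrypted with TLS.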