08-13-2010 04:46 AM - edited 03-11-2019 11:25 AM
Hi Guys,
I'm trying for the last 3 days to get FTP work in my DMZ. In fact the FTPserver itself works, because i can FTP from the inside to the DMZ. But from the Outside to the DMZ i don't get it working.
The situation:
See the network diagram for details.
2x ASA5505 in Active/Standby
5 interfaces: Inside, Outside, Backup and DMZ, Managment
ISP A is tracked, if it goes down automaticly switchover to ISP B.
Two different public IP addresses: ISP A = 1.1.1.x / 29 ISP B = 2.2.2.x / 29. So with each ISP we have about 5 or 6 public IP addresses.
DMZ = 192.168.253.0 /24 DMZ interface = 192.168.253.1 FTT = 192.168.253.2
The problem:
The FTP server in the DMZ is not accessible from the internet. ASDM's Packet Tracer keeps dropping at the NAT rule.
From the DMZ to the outside everything is passing, according to Packet Tracer. Also from the Inside to the DMZ i can ftp.
Another question:
We have two different public IP ranges. Our customers reach the ftp by DNS name: ftp.company.com
How can i achive that the FTPserver is still accessible when our primary ISP fails, and the routing occurs via ISP B (= other public ip range). Something with DNS?
Below is the (sanetized) config (sensitive info is deleted):
ASA Version 7.2(4) ! hostname PK1-FW1 domain-name default.domain.invalid enable password 7eiKHCMaZZwOv/Ls encrypted passwd 2KFQnbNIdI.2KYOU encrypted names dns-guard ! interface Vlan1 description Connected to internal LAN nameif inside security-level 100 ip address 192.168.254.2 255.255.255.0 standby 192.168.254.3 ! interface Vlan2 description Connected to primary ISP nameif outside security-level 0 ip address 1.1.1.2 255.255.255.252 ! interface Vlan3 description Connected to backup ISP nameif backup security-level 0 ip address 2.2.2.2 255.255.255.248 ! interface Vlan4 description For management purposes only! nameif Management security-level 100 ip address 192.168.4.5 255.255.255.0 standby 192.168.4.6 management-only ! interface Vlan253 nameif DMZ security-level 50 ip address 192.168.253.1 255.255.255.0 ! interface Vlan255 description LAN Failover Interface ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 switchport access vlan 3 ! interface Ethernet0/2 ! interface Ethernet0/3 switchport access vlan 253 ! interface Ethernet0/4 switchport access vlan 4 ! interface Ethernet0/5 switchport access vlan 255 ! interface Ethernet0/6 ! interface Ethernet0/7 ! ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 dns domain-lookup outside dns server-group DefaultDNS domain-name default.domain.invalid object-group network Department_Vlans description Vlans per department object-group network Allowed_FTP description Clients/Departments allowed to use FTP object-group service Allowed_Protocols tcp description group of allowed protocols object-group protocol TCPUDP protocol-object udp protocol-object tcp object-group service DM_INLINE_TCP_1 tcp group-object Allowed_Protocols object-group service DM_INLINE_TCP_2 tcp port-object eq ftp port-object eq ftp-data object-group service Allow_SVN tcp-udp port-object eq 888 object-group service TCP_Allow_Filesharing_Inside-DMZ tcp port-object eq 135 port-object eq 445 port-object eq netbios-ssn object-group service UDP_Allow_Filesharing_Inside-DMZ udp port-object eq netbios-ns object-group service DM_INLINE_TCP_3 tcp port-object eq ftp port-object eq ftp-data object-group service Allow_FileSharing_FTP01 tcp-udp port-object eq 135 port-object eq 137 port-object eq 139 port-object eq 445 object-group service Allowed_FTP01_Protocols tcp port-object eq ftp port-object eq ftp-data port-object eq www port-object eq https port-object eq domain object-group service Allow_FTP tcp port-object eq ftp port-object eq ftp-data object-group network DM_INLINE_NETWORK_1 network-object Servers 255.255.255.0 network-object ICT 255.255.255.0 access-list backup_access_in extended permit icmp any any echo-reply access-list backup_access_in extended permit object-group TCPUDP any interface backup object-group Allow_SVN access-list outside_access_in extended permit icmp any any echo-reply access-list outside_access_in extended permit object-group TCPUDP any interface outside object-group Allow_SVN access-list outside_access_in extended permit tcp any host FTP01 object-group DM_INLINE_TCP_3 access-list inside_access_in extended permit object-group TCPUDP any any eq domain access-list inside_access_in extended deny ip Productie-No-Internet 255.255.255.0 any access-list inside_access_in extended permit ip object-group Migration_group any access-list inside_access_in extended permit tcp Servers 255.255.255.0 any eq smtp access-list inside_access_in extended deny tcp Servers 255.255.255.0 any eq smtp access-list inside_access_in extended permit ip Servers 255.255.255.0 any access-list inside_access_in extended permit tcp object-group Department_Vlans any object-group Allowed_Protocols access-list inside_access_in extended permit tcp object-group Allowed_FTP any object-group DM_INLINE_TCP_2 access-list inside_access_in extended permit tcp any any object-group bittorrent access-list 110 extended permit ip Default_Vlan 255.255.0.0 192.168.253.0 255.255.255.0 access-list DMZ_access_in extended permit ip any any access-list DMZ_access_in extended permit icmp any any echo access-list DMZ_access_in extended permit tcp any any object-group Allowed_FTP01_Protocols access-list DMZ_access_in extended permit object-group TCPUDP host FTP01 object-group DM_INLINE_NETWORK_1 object-group Allow_FileSharing_FTP01 access-list OUTSIDE_IN extended permit tcp any host FTP01 object-group Allow_FTP access-list OUTSIDE_IN extended permit icmp any any echo-reply access-list OUTSIDE_IN extended permit object-group TCPUDP any interface outside object-group Allow_SVN pager lines 24 logging enable logging list test level notifications logging buffered warnings logging asdm warnings mtu inside 1500 mtu outside 1500 mtu backup 1500 mtu Management 1500 mtu DMZ 1500 ip verify reverse-path interface inside ip verify reverse-path interface Management ip audit name Attack attack action alarm ip audit name Info info action alarm ip audit interface inside Info ip audit interface inside Attack ip audit interface outside Info ip audit interface outside Attack ip audit interface backup Info ip audit interface backup Attack ip audit interface DMZ Info ip audit interface DMZ Attack failover failover lan unit secondary failover lan interface failover Vlan255 failover polltime unit 1 holdtime 3 failover polltime interface 1 holdtime 5 failover interface ip failover 192.168.255.1 255.255.255.252 standby 192.168.255.2 monitor-interface inside monitor-interface outside monitor-interface backup monitor-interface Management monitor-interface DMZ icmp unreachable rate-limit 10 burst-size 1 asdm image disk0:/asdm-524.bin no asdm history enable arp timeout 14400 nat-control global (outside) 1 interface global (backup) 1 interface nat (inside) 0 access-list 110 nat (inside) 1 Default_Vlan 255.255.0.0 dns nat (DMZ) 1 192.168.253.0 255.255.255.0 static (inside,outside) tcp interface 888 192.168.0.194 888 netmask 255.255.255.255 dns static (inside,backup) tcp interface 888 192.168.0.194 888 netmask 255.255.255.255 dns static (inside,backup) udp interface 888 192.168.0.194 888 netmask 255.255.255.255 dns static (inside,outside) udp interface 888 192.168.0.194 888 netmask 255.255.255.255 dns static (DMZ,outside) tcp interface ftp FTP01 ftp netmask 255.255.255.255 dns static (DMZ,outside) tcp interface ftp-data FTP01 ftp-data netmask 255.255.255.255 dns access-group inside_access_in in interface inside access-group OUTSIDE_IN in interface outside access-group backup_access_in in interface backup access-group DMZ_access_in in interface DMZ route outside 0.0.0.0 0.0.0.0 213.125.16.81 1 track 1 route backup 0.0.0.0 0.0.0.0 188.201.212.129 254 ! router rip network 192.168.254.0 passive-interface outside passive-interface backup passive-interface Management passive-interface DMZ default-information originate version 2 ! timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute http server enable http 192.168.4.0 255.255.255.0 Management http ICT 255.255.255.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart fragment chain 1 inside fragment chain 1 outside fragment chain 1 backup fragment chain 1 Management fragment chain 1 DMZ sla monitor 123 type echo protocol ipIcmpEcho 213.51.160.52 interface outside num-packets 3 frequency 10 sla monitor schedule 123 life forever start-time now service resetoutside crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport crypto dynamic-map outside_dyn_map 20 set pfs crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-256_SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption aes-256 hash sha group 5 lifetime 86400 ! track 1 rtr 123 reachability telnet timeout 5 ssh ICT 255.255.255.0 inside ssh 192.168.4.0 255.255.255.0 Management ssh timeout 5 ssh version 2 console timeout 0 management-access Management ntp server 193.67.79.202 prefer ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 id-randomization id-mismatch action log policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:0289a7cab68afeb8fde4d99723647e99 : end
Thanks in advance.
Solved! Go to Solution.
08-13-2010 01:25 PM
Hello,
Please try the following:
Assume that the free IP is 1.1.1.3
static (DMZ,outside) 1.1.1.3 FTP01 netmask 255.255.255.255 dns
With regard to your problem of manual failover, the issue is with the ISP's
not allowing traffic sourced from IP that does not belong to their IP range.
They will not be advertising each other's subnets, so when your primary goes
down, the subnet belonging to your primary ISP will be down. Most common
practice is to modify the DNS entry (or add dual DNS entries to the same
server). I would suggest you to work with your DNS people to ensure that
they track the primary IP and when the primary IP is not reachable, they
report the secondary IP.
Hope this helps.
Regards,
NT
08-13-2010 06:29 AM
Hello,
From your configuration, it seems like you have mapped the FTP server to
your interface IP. This configuration is supported as long as the client and
server communicate via Active FTP mode. When the FTP mode is passive, the
client opens the connections. The data port is not fixed to 20. Instead, the
server opens up a port greater than 1023 and sends that information to the
client. If you do not have a translation for that port, the firewall cannot
forward requests coming onto that port on the outside interface to the
inside server. Can you please try the following:
no static (DMZ,outside) tcp interface ftp FTP01 ftp netmask 255.255.255.255
dns
no static (DMZ,outside) tcp interface ftp-data FTP01 ftp-data netmask
255.255.255.255 dns
static (DMZ,outside) ftp FTP01 netmask 255.255.255.255
dns
This should map all the ports of that public IP to the FTP server. With
regard to your second question about secondary ISP and access to the FTP
server, you are right. You need to work with the DNS and make changes to the
DNS.
Hope this helps.
Regards,
NT
08-13-2010 07:29 AM
Hi NT,
Thanks for your answer, but it's not working. As i copy past your command then i get a syntax error. If i replace the command with:
static (DMZ,outside)
then i get: ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address
ASA's can be complex........
Regarding the FTP and DNS question:
each time the primary line fails i've to edit our A record on the ISP's DNS server. besides it, mostly it takes one to two days to replicate DNS.
I need a solution that automaticly reroutes the traffic.
We've some spare public ip addresses available from both ISP's. Only the ranges are different. if i could configure tha ASA such way that i map a spare public ip (for example from ISP A 1.1.1.3) to our ftp server, and is reachable independendly what ISP is active at that moment.
08-13-2010 01:25 PM
Hello,
Please try the following:
Assume that the free IP is 1.1.1.3
static (DMZ,outside) 1.1.1.3 FTP01 netmask 255.255.255.255 dns
With regard to your problem of manual failover, the issue is with the ISP's
not allowing traffic sourced from IP that does not belong to their IP range.
They will not be advertising each other's subnets, so when your primary goes
down, the subnet belonging to your primary ISP will be down. Most common
practice is to modify the DNS entry (or add dual DNS entries to the same
server). I would suggest you to work with your DNS people to ensure that
they track the primary IP and when the primary IP is not reachable, they
report the secondary IP.
Hope this helps.
Regards,
NT
08-15-2010 03:30 AM
Hi NT,
Thanks for the reply. i've had tried the command you suggested already before, but it didn't work. But i got an idea.
When you look in the config by vlan 2 (outsite) you see the following:
interface Vlan2
description Connected to primary ISP
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
i've specified a /30 subnetmask for peer to peer communication with the modem. When i change the subnetmask into /29 (as we have got 5 public IP's from our ISP) the 1.1.1.3 or 4 or 5 address is recognised as part of the range, though?
maybe then i get resonse when i FTP to new public ip address. I will try it tomorrow when i got to work.
08-16-2010 12:13 AM
Goodmorning NT and others,
this morning i change the outside interfaces' subnetmask from 252 to 248, so that the available public IP addresses are within the range.
After that i gave the command static (DMZ,outside) 1.1.1.3 FTP01 netmask 255.255.255.255 dns
The command is accepted but the FTP server still isn't reachable. When i test with the Packet Tracer, it keeps failing with NAT. Is my ASA config wrong or so?
I've attached a screenshot of Packet Tracer.
I don't know what to do to get it working. Can it be that hard?:P
About the DNS story:
I'm the only network administrator at the company (were're fairly small with 100 desktops) So i guess i have to contact our ISP's to discuss our needs.
PS: I've edited the outside IP's for security reasons;)
08-16-2010 05:18 AM
Hi Roel,
The reason why you are seeing the packet-tracer fail is because you have specified the destination IP address as 192.168.253.2 which is the real IP of the FTP server. Try specifying it as 1.1.1.3 which is the translated IP address of the FTP server on the outside which will also be the IP address the users will try to access from the internet.
With regards to why the users are not able to FTP into the server, are the users using "Active" or "Passive" FTP for the same? Please enable logging on the ASA and get the logs when a user tries to access the FTP server as well. That way we can see if there are any drops by the ASA.
All the best!
Regards,
Prapanch
08-16-2010 05:53 AM
Hi PR,
Thanks for the reply. I've tested your suggestion with Packet Tracer, and indeed the packet comes through!. But i can't reach the ftp server yet.
When i ftp from the inside to DMZ, i see PASV commands passing, so i use passive FTP.
Also i've configured an inspect map for ftp like this:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Also in the FTP server i specified the port range for passive ftp: 15000 - 15500.
08-16-2010 06:05 AM
I suggest we do a couple of things here.
1> Enable buffered logging on the ASA and get those logs when trying to access the FTP server.
logging enable
logging buffered debugging
2> When a user tries to access the FTP server, get the set messages that we see on the server with regards to that particular connection.
Also, if possible, we can apply captures on the ASA on both the outside and DMZ interfaces and get those in a .pcap format for detailed analysis.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Thanks and Regards,
Prapanch
08-16-2010 06:49 AM
i turned on logging as you said. Regarding connecting users:
When i FTP from inside to DMZ i can see activity at the FTP server's log.
But when i try to connect from outside to DMZ, nothing happens on the ftp server. It seems that the outside connection doesn't come that far.
On the clientside i get an ETIMEDOUT - Connection attempt timed out.
To capture traffic, i have to upgrade my ASA and ASDM software first. I plan it for this evening. In the mean time, i've turned on logging. where can i view my loggings?
I'm quite familiar with Cisco products, but not with ASA's.....
08-16-2010 07:47 AM
Hi,
You should be able to see the logs by giving "show logg". Also, captures should be available on version 7.2(4) which I assume is the one you are running based on the running-config initially attached.
I apologize as i skipped this detail before but i think the problem could be with the access-list on the outside interface of your ASA:
access-list OUTSIDE_IN extended permit tcp any host FTP01 object-group Allow_FTP
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit object-group TCPUDP any interface outside object-group Allow_SVN
We have allowed traffic to the real IP of the server 192.168.253.2. on the 1st line. Try modifying it ot the translated IP of 1.1.1.3 as below. We should be
good to go then:
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.3
All the best!!
Thanks and Regards,
Prapanch
08-16-2010 08:19 AM
Hi PR,
Thanks for the reply. Regarding the last command, also that doesn't turn things...
I've place the rule first in row, but nothing seems to happen.
Also isn't it a huge security risk to allow the full TCP stack on the outside?
About the capure feature in ASDM, i don't see such function in the Tools menu. Also when i click on the menu Wizard, the Startup wizard and High Availablity Wizard doesn't function. i can click on it thousand times but nothing happend. Now i don't need those functions as i've already configured those via the CLI.
But i can't stay forever on 5.2 though...:P
08-16-2010 08:25 AM
Are you seeing hit counts on the access-list using "show access-list OUTSIDE_IN" when trying to connect from the client to the server? I suggest getting the captures in addition to this for analysis.
"Also isn't it a huge security risk to allow the full TCP stack on the outside?"
Yes it is a risk and it is better to restrict it to just the necessary ports. I had given that one just as an example.
Regards,
Prapanch
08-16-2010 10:28 AM
I've upgraded the ASA software and ASDM software. Everything went smooth.
I'll come back tomorrow with capture results.
As for now, the Access list doesn't show any hits... hmm. Are my interfaces wrong configured???
08-16-2010 05:25 PM
Hmmm.. If you aren't seeing hit counts, then the packets may not even be reaching your firewall. Captures sohuld confirm that if that indeed is the case.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide