Cisco Support Community
New Member

Passive FTP access through ASA 5520

Hi,

I am trying to get passive-mode FTP working through our firewall, and for some reason we can only get active-mode FTP to work!

We can only access the internal host web1 with active-mode FTP sessions.

I have the following rules/policies set up and it is still not working.

ASA Version 8.2(1)

! Note: "ftp mode passive" only affects the ASA's own FTP client (e.g. copy ftp:),
! not transit FTP traffic; that is handled by the inspect ftp line below.
ftp mode passive
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp-data
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

Any assistance would be greatly appreciated!

Thanks, Simon
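The reason passive FTP depends on the inspect ftp line above when the server sits behind a static NAT is that the server's 227 reply embeds its own inside address and an ephemeral port; the firewall has to rewrite that address to the translated one and open a pinhole for the data connection. The following is an added example (not part of Simon's post or Cisco's code) that emulates that rewrite and shows the symptom a client on the outside sees when it does not happen. The addresses for web1 and web1-xlate are constructed placeholders; substitute the real ones from `show xlate`.

```python
"""Emulate what ASA `inspect ftp` does to a passive-mode (227) reply.

Added example; the two addresses below are constructed, not taken from
the thread. The function names are hypothetical helpers for this demo.
"""
import ipaddress
import re

INSIDE_ADDR = "10.1.1.20"       # constructed: real (inside) address of web1
OUTSIDE_ADDR = "203.0.113.20"   # constructed: static translation, web1-xlate

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply: str):
    """Return (host, port) from a 227 PASV reply; EPSV (229) carries no host, so (None, port)."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return None, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def format_pasv(host: str, port: int) -> str:
    """Build a 227 reply in the h1,h2,h3,h4,p1,p2 form (port = p1*256 + p2)."""
    octets = host.split(".")
    return "227 Entering Passive Mode ({},{},{},{},{},{})".format(*octets, port // 256, port % 256)


def rewrite_pasv(reply: str, inside: str, outside: str):
    """What FTP inspection does on a static NAT: rewrite the embedded inside
    address to the translated address and return the (addr, port) pinhole the
    firewall opens for the incoming data connection."""
    host, port = parse_pasv(reply)
    if host is None:
        # EPSV: the client reuses the control-channel address, so only the pinhole is needed
        return reply, (outside, port)
    if host == inside:
        return format_pasv(outside, port), (outside, port)
    return reply, (host, port)


def is_rfc1918(host: str) -> bool:
    return any(ipaddress.ip_address(host) in net for net in RFC1918)


def diagnose(reply: str) -> str:
    """Symptom check for a client on the outside: an RFC 1918 address in the
    227 reply means nothing rewrote it (no inspect ftp, or inspection not
    matching the control connection)."""
    host, port = parse_pasv(reply)
    if host is None:
        return "EPSV: client reuses control-channel address"
    if is_rfc1918(host):
        return f"PASV advertises private {host}:{port}: inspect ftp/NAT not rewriting"
    return f"PASV advertises {host}:{port}: reachable from outside"


if __name__ == "__main__":
    raw = "227 Entering Passive Mode (10,1,1,20,19,137)"   # constructed server reply
    print(diagnose(raw))
    fixed, pinhole = rewrite_pasv(raw, INSIDE_ADDR, OUTSIDE_ADDR)
    print(fixed, pinhole)
    print(diagnose(fixed))
```

A quick way to confirm the rewrite on a live box is to compare a capture on the inside interface with one on the outside: the 227 reply should carry the inside address on one side and web1-xlate on the other.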

11 REPLIES
Cisco Employee

Re: Passive FTP access through ASA 5520

Hello,

Can you please check from your internal network to see if passive FTP is enabled on the server? If that checks out, then please make sure that you have one-to-one NAT configured for the server IP.

static (inside,dmz) any

capture capin access-list cap interface inside
capture capdmz access-list cap interface dmz

Once you run the test, then collect the output to see if the traffic is passing through the firewall.

show capture capin
show capture capdmz

That should give us a fair idea of what is blocking the FTP traffic.

Hope this helps.

Regards,

NT

New Member

Re: Passive FTP access through ASA 5520

Hi NT,

We are running IIS 6.0 on this internal Windows Server. The firewall on the Windows IIS box is not enabled, which should in theory allow both active and passive FTP connections.

There is a static one-to-one NAT between the internal host and the outside with a public IP address.

static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500

Will run captures shortly

SG

New Member

Re: Passive FTP access through ASA 5520

Also, NT,

some more info: when we try to connect from an external FTP client using passive FTP, the connection is established and we can view the directories, but when we start the upload it transfers very slowly, as the client cannot initiate the FTP data connection.

Cisco Employee

Re: Passive FTP access through ASA 5520

Hello,

If you are able to view the directories using passive FTP, the connection in general is working fine. If the data transfer rate is very slow, then I would suggest you start looking at the server (test the speed from behind the firewall first) and then check for any MSS inconsistencies. Also, you might want to check to see if there are any out-of-order drops.

"show service-policy" and "show asp drop" are the commands that could be useful.

Hope this helps.

Regards,

NT

New Member

Re: Passive FTP access through ASA 5520

Hi NT,

I am seeing no dropped packets when I view the FTP policy (sh service-policy).

I am also getting hits on the ACL that is permitting FTP from outside.

Cisco Employee

Re: Passive FTP access through ASA 5520

Hello,

Can you do a directory listing when you are connected to the FTP server via passive FTP?

Regards,

NT

New Member

Re: Passive FTP access through ASA 5520

Hi NT,

Yes, this is possible!

It is just that the transfer speed is really slow and the FTP client keeps responding with "data connection already open, transfer starting".

Cisco Employee

Re: Passive FTP access through ASA 5520

Hello,

Can you please post the output of "show asp drop" from the firewall?

Regards,

NT

New Member

Re: Passive FTP access through ASA 5520

Image attached.

New Member

Re: Passive FTP access through ASA 5520

Hi NT,

Here is a packet capture from the firewall. The first part is a failed FTP passive-mode transfer of the file vmware-vcb.exe.

The second part of the capture is a successful transfer using active mode with a file called vuze_installer.exe.

Hope this sheds some light!

Thanks again, Simon

Cisco Employee

Re: Passive FTP access through ASA 5520

Hello Simon,

The capture indicates that after the initial connection establishment, when you try to store something, there is a delay in opening the data connection. I did not find any return traffic from the server side in the capture. I am guessing that the delay is due to a delay in getting an acknowledgement from the server side. The delay seems to be in terms of seconds rather than milliseconds. So, the problem seems to be on the server end (the firewall cannot delay packets to the magnitude of seconds). I am guessing that when you go to passive mode, the server is trying to allocate the port and is getting delayed there. If possible, collect the capture on the server side as well (bi-directional traffic). That could help us narrow down on the root cause.

Regards,

NT
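To put numbers on the kind of delay NT is describing, it helps to time each phase of a passive-mode upload separately from the client side: the PASV reply (the server allocating its data port), the client's connect to that port, the STOR reply, and the transfer itself. The script below is an added example, not code from the thread; it runs against any FTP server, and the stub server it ships with is a constructed stand-in for web1 that sleeps before answering PASV and replies "125 Data connection already open; Transfer starting." as the client in the thread reports. A seconds-long `pasv_reply` with a fast `data_connect` points at the server side, as NT suggests.

```python
"""Time each phase of a passive-mode upload to localise a delay.

Added example, not from the thread. `stub_ftp_server` is a constructed,
passive-only FTP server on loopback used to exercise `pasv_stor_timing`;
both names are hypothetical helpers for this demo.
"""
import re
import socket
import threading
import time


def stub_ftp_server(pasv_delay: float) -> int:
    """Start a minimal FTP server on 127.0.0.1 and return its control port.
    It sleeps `pasv_delay` seconds before the 227 reply to mimic a server
    that is slow to allocate its passive data port."""
    ctl = socket.socket()
    ctl.bind(("127.0.0.1", 0))
    ctl.listen(1)
    port = ctl.getsockname()[1]

    def serve():
        conn, _ = ctl.accept()
        rf = conn.makefile("rb")
        conn.sendall(b"220 stub ready\r\n")
        data = None
        while True:
            line = rf.readline()
            if not line:
                break
            cmd = line.decode().strip().upper()
            if cmd.startswith("USER"):
                conn.sendall(b"331 password\r\n")
            elif cmd.startswith("PASS"):
                conn.sendall(b"230 logged in\r\n")
            elif cmd == "PASV":
                time.sleep(pasv_delay)              # the constructed server-side delay
                data = socket.socket()
                data.bind(("127.0.0.1", 0))
                data.listen(1)
                p = data.getsockname()[1]
                conn.sendall(f"227 Entering Passive Mode (127,0,0,1,{p // 256},{p % 256})\r\n".encode())
            elif cmd.startswith("STOR") and data is not None:
                conn.sendall(b"125 Data connection already open; Transfer starting.\r\n")
                d, _ = data.accept()                # client connected before STOR
                while d.recv(65536):                # drain the upload until the client closes
                    pass
                d.close()
                data.close()
                conn.sendall(b"226 Transfer complete\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 bye\r\n")
                break
            else:
                conn.sendall(b"502 not implemented\r\n")
        conn.close()
        ctl.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def pasv_stor_timing(host: str, port: int, payload: bytes) -> dict:
    """Upload `payload` with PASV + STOR and return the seconds spent per phase."""
    timing = {}
    ctl = socket.create_connection((host, port))
    rf = ctl.makefile("rb")

    def cmd(line: str) -> str:
        ctl.sendall(line.encode() + b"\r\n")
        return rf.readline().decode().strip()

    rf.readline()                                   # 220 banner
    cmd("USER anonymous")
    cmd("PASS guest@")
    t0 = time.monotonic()
    pasv = cmd("PASV")                              # server allocates the data port here
    timing["pasv_reply"] = time.monotonic() - t0
    # Take the port from the 227 reply but connect to the control peer's address,
    # which is what most clients do when the advertised address cannot be trusted.
    h1, h2, h3, h4, p1, p2 = map(int, re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", pasv).groups())
    timing["pasv_addr"] = f"{h1}.{h2}.{h3}.{h4}"
    t0 = time.monotonic()
    data = socket.create_connection((host, p1 * 256 + p2))   # firewall pinhole must exist by now
    timing["data_connect"] = time.monotonic() - t0
    t0 = time.monotonic()
    stor = cmd("STOR upload.bin")                   # 125/150 means the server accepted it
    timing["stor_reply"] = time.monotonic() - t0
    t0 = time.monotonic()
    data.sendall(payload)
    data.close()
    timing["final"] = rf.readline().decode().strip()   # 226 on success
    timing["transfer"] = time.monotonic() - t0
    cmd("QUIT")
    ctl.close()
    timing["stor_code"] = stor[:3]
    return timing


if __name__ == "__main__":
    p = stub_ftp_server(pasv_delay=2.0)
    for k, v in pasv_stor_timing("127.0.0.1", p, b"x" * 200_000).items():
        print(f"{k:>13}: {v:.3f}s" if isinstance(v, float) else f"{k:>13}: {v}")
```

Run it from both sides of the firewall (pointing at web1 from the inside and at web1-xlate from the outside) and compare the `pasv_reply` values: if the seconds appear in both runs the delay is on the server, as the capture discussion concludes; if only the outside run is slow, look at the firewall path.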
