01-20-2014 11:07 AM - edited 03-07-2019 05:41 PM
We have an ASA5505 and we are unable to get passive FTP to work from outside our system to inside. Active FTP works, but not passive. Passive works inside our organization, so the issue isn't the server itself. Below is my configuration:
!
hostname RERC-DM
domain-name rerc.local
enable password **** encrypted
passwd **** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.116.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address OUTSIDE_IP 255.255.255.248
!
banner exec ***************************** WARNING !! ***************************************
banner exec You have accessed a secure system and must have proper authorization.Unauthorized access is
banner exec Unlawful and is subject to civil and/or criminal penalties. Any use of this system may be logged or
banner exec monitored without further notice.Any resulting logs may be used as evidence in court.
banner exec PLEASE LOG OFF IMMEDIATELY!!>
banner exec ***************************** WARNING !! *********************
banner login ***************************** WARNING !! ***************************************
banner login You have accessed a secure system and must have proper authorization.Unauthorized access is
banner login Unlawful and is subject to civil and/or criminal penalties. Any use of this system may be logged or
banner login monitored without further notice.Any resulting logs may be used as evidence in court.
banner login PLEASE LOG OFF IMMEDIATELY!!>
banner login ***************************** WARNING !! *********************
banner motd ***************************** WARNING !! ***************************************
banner motd You have accessed a secure system and must have proper authorization.Unauthorized access is
banner motd Unlawful and is subject to civil and/or criminal penalties. Any use of this system may be logged or
banner motd monitored without further notice.Any resulting logs may be used as evidence in court.
banner motd PLEASE LOG OFF IMMEDIATELY!!>
banner motd ***************************** WARNING !! *********************
banner asdm ***************************** WARNING !! ***************************************
banner asdm You have accessed a secure system and must have proper authorization.Unauthorized access is
banner asdm Unlawful and is subject to civil and/or criminal penalties. Any use of this system may be logged or
banner asdm monitored without further notice.Any resulting logs may be used as evidence in court.
banner asdm PLEASE LOG OFF IMMEDIATELY!!>
banner asdm ***************************** WARNING !! *********************
boot system disk0:/asa825-k8.bin
boot system disk0:/asa822-23-k8.bin
no ftp mode passive
dns server-group DefaultDNS
domain-name rerc.local
access-list natbye extended permit ip 192.168.116.0 255.255.255.0 90.0.0.0 255.255.255.0
access-list natbye extended permit ip 192.168.116.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list natbye extended permit ip 192.168.116.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list natbye extended permit ip 192.168.116.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list waverly extended permit ip 192.168.116.0 255.255.255.0 90.0.0.0 255.255.255.0
access-list waverly extended permit ip 192.168.116.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list waverly extended permit ip 192.168.116.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inbound extended permit tcp any any eq ftp-data
access-list inbound extended permit tcp any any eq ftp
access-list inbound extended permit ip 63.254.82.96 255.255.255.224 any
access-list inbound extended permit ip 216.203.101.16 255.255.255.248 any
access-list inbound extended permit ip 71.39.248.224 255.255.255.248 any
access-list inbound extended permit icmp 216.203.101.16 255.255.255.248 any
access-list inbound extended permit icmp 71.39.248.224 255.255.255.248 any
access-list inbound extended permit icmp 63.254.82.96 255.255.255.224 any
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any any eq 3389
access-list netflow-export extended permit ip any any
access-list vpnclient extended permit ip 192.168.116.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpnclient extended permit ip 90.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpnclient extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging list FirstSyslog level notifications
logging monitor debugging
logging trap notifications
logging from-address administrator@rerc.com
logging recipient-address ryoung@rerc.com level errors
logging host inside 90.0.0.16 format emblem
flow-export destination inside 192.168.116.190 9996
mtu inside 1500
mtu outside 1500
ip local pool clientpool 10.10.10.10-10.10.10.20 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name Attack attack action alarm drop reset
ip audit name Info info action alarm
ip audit interface inside Info
ip audit interface inside Attack
ip audit interface outside Info
ip audit interface outside Attack
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list natbye
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.116.30 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.116.11 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.116.11 ftp-data netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 63.254.16.185 1
timeout xlate 3:00:00
timeout conn 20:00:00 half-closed 0:30:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server dsm1 protocol radius
accounting-mode simultaneous
aaa-server dsm1 (inside) host 192.168.116.30
key *****
radius-common-pw *****
http server enable 4443
http 63.254.82.96 255.255.255.224 outside
http 71.39.248.224 255.255.255.248 outside
http 216.203.101.16 255.255.255.248 outside
http 97.64.245.108 255.255.255.252 outside
http 97.64.245.110 255.255.255.255 outside
http 192.168.116.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 90.0.0.0 255.255.255.0 inside
http 173.31.118.151 255.255.255.255 outside
http 172.20.0.0 255.255.0.0 outside
http 172.20.0.0 255.255.0.0 inside
snmp-server host inside 192.168.1.10 community *****
snmp-server host inside 192.168.1.5 community *****
snmp-server host inside 192.168.116.190 poll community *****
snmp-server host outside 71.39.248.228 poll community ***** version 2c
snmp-server host inside 90.0.0.235 poll community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 1 set reverse-route
crypto map newmap 1 match address waverly
crypto map newmap 1 set peer 64.199.233.141
crypto map newmap 1 set transform-set myset
crypto map newmap 1 set security-association lifetime seconds 86400
crypto map newmap 100 ipsec-isakmp dynamic cisco
crypto map newmap interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email administrator@rerc.com
subject-name CN=RERC-DM
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 46fed552
quit
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 40
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.116.0 255.255.255.0 inside
ssh 172.20.0.0 255.255.0.0 inside
ssh 64.199.233.224 255.255.255.248 outside
ssh 64.199.233.216 255.255.255.248 outside
ssh 64.199.246.120 255.255.255.248 outside
ssh 216.203.101.16 255.255.255.248 outside
ssh 71.39.248.224 255.255.255.248 outside
ssh 63.254.82.96 255.255.255.224 outside
ssh 64.199.233.128 255.255.255.240 outside
ssh 97.64.245.108 255.255.255.252 outside
ssh 173.31.118.151 255.255.255.255 outside
ssh 172.20.0.0 255.255.0.0 outside
ssh 192.168.0.0 255.255.255.0 outside
ssh timeout 48
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 207.182.243.123 key 1 prefer
ntp server 216.171.120.36 source outside prefer
webvpn
group-policy test internal
group-policy test attributes
dns-server value 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient
default-domain value rerc.com
group-policy VPNCLIENTGROUP internal
group-policy VPNCLIENTGROUP attributes
wins-server value 192.168.116.30 90.0.0.16
dns-server value 192.168.116.30 90.0.0.16
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient
default-domain value rerc.com
address-pools value clientpool
tunnel-group testclient type remote-access
tunnel-group testclient general-attributes
address-pool clientpool
authentication-server-group dsm1
authentication-server-group (outside) dsm1 LOCAL
authorization-server-group dsm1
default-group-policy VPNCLIENTGROUP
password-management
tunnel-group testclient webvpn-attributes
group-alias VPNCLIENTGROUP enable
tunnel-group testclient ipsec-attributes
pre-shared-key *****
!
class-map pptp
match port tcp eq pptp
class-map netflow-export-class
match access-list netflow-export
!
!
policy-map netflow-export-policy
class netflow-export-class
flow-export event-type all destination 192.168.116.190
!
service-policy netflow-export-policy global
smtp-server 90.0.0.3 90.0.0.2
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2e3150e72cab4dc8c447a92ded1de7d
: end
01-20-2014 11:12 AM
You have it disabled:
no ftp mode passive
Try changing to:
ftp mode passive
HTH,
John
*** Please rate all useful posts ***
01-20-2014 11:16 AM
Thank you for your reply, John. Unfortunately, that did not help. We are still getting timed out on directory listing even after that change. I do appreciate the reply though!
Message was edited by: Ryan Young
01-20-2014 11:30 AM
Sorry...I'm not sure where my head is at today, but that command is going to affect ftp from the appliance for copying files, etc. So, the only other thing that I don't see is the inspect under your service policy. Can you try the following? (I don't have a way of testing this, so hopefully you're in a lab environment):
class-map inspection_default
match default-inspection-traffic
policy-map netflow-export-policy
class inspection_default
inspect ftp
inspect http
inspect dns preset_dns_map
HTH,
John
*** Please rate all useful posts ***
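As an added illustration (not code from the thread, from Cisco, or from John), the Python model below shows why the listing timed out until inspect ftp was added: the server's 227 PASV reply carries its private address and an ephemeral port, and without the inspection engine nothing rewrites that address for the static NAT or opens the pinhole the ACL otherwise lacks. The mapped outside address and the 227 reply are constructed placeholders; the ACL ports come from the posted "inbound" access-list.

```python
import re

# Constructed sample: the inside FTP server from the posted config
# (192.168.116.11) answering PASV. The outside address is a placeholder,
# since the post masks it as OUTSIDE_IP.
INSIDE_SERVER = "192.168.116.11"
OUTSIDE_IP = "203.0.113.10"
PASV_REPLY = b"227 Entering Passive Mode (192,168,116,11,195,80).\r\n"

# RFC 959: a 227 reply carries the data endpoint as (h1,h2,h3,h4,p1,p2).
PASV_TUPLE = re.compile(
    rb"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply: bytes):
    """Return (host, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_TUPLE.search(reply)
    if not reply.startswith(b"227") or m is None:
        raise ValueError("not a 227 PASV reply")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def inspect_ftp(reply: bytes, inside_ip: str, mapped_ip: str):
    """Model of what 'inspect ftp' adds for a static NAT: rewrite the embedded
    inside address to the mapped one and record the (mapped_ip, port) pinhole
    for the data connection the client is about to open."""
    host, port = parse_pasv(reply)
    if host != inside_ip:
        return reply, (host, port)
    p1, p2 = divmod(port, 256)
    new_tuple = ("(" + mapped_ip.replace(".", ",") + f",{p1},{p2})").encode()
    return PASV_TUPLE.sub(new_tuple, reply, count=1), (mapped_ip, port)

# The thread's 'inbound' ACL reduced to what it permits from any source:
# tcp eq ftp-data (20), eq ftp (21), eq 3389. Anything else needs a pinhole.
ACL_ANY_SRC_TCP = {20, 21, 3389}

def data_conn_allowed(dst: str, port: int, pinhole) -> bool:
    """Does the outside client's data connection to dst:port get through?"""
    if port in ACL_ANY_SRC_TCP:
        return True
    return pinhole is not None and pinhole == (dst, port)

def without_inspection(reply=PASV_REPLY):
    """No inspect ftp: the client is told a private address and a port the
    ACL blocks, so the LIST data channel never connects. -> (host, port, ok)"""
    host, port = parse_pasv(reply)
    return host, port, data_conn_allowed(host, port, None)

def with_inspection(reply=PASV_REPLY):
    new_reply, pinhole = inspect_ftp(reply, INSIDE_SERVER, OUTSIDE_IP)
    host, port = parse_pasv(new_reply)
    return host, port, data_conn_allowed(host, port, pinhole)
```

Note that ftp mode passive, tried earlier in the thread, only changes how the ASA's own copy command fetches files and plays no part in this path.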
01-20-2014 11:37 AM
OMG! You are awesome! That fixed it. THANK YOU!!
01-20-2014 11:37 AM
Glad I could help!
HTH,
John
*** Please rate all useful posts ***
01-20-2014 11:45 AM
John
Sorry...I'm not sure where my head is at today
You think that's bad, I've messed up two posts already today and one of them was about as basic a routing question as you could get!
Sometimes I am so tempted to delete my really bad posts, but I'll just have to live with the embarrassment.
Jon
01-20-2014 11:57 AM
I know I've deleted some of mine in the past. It's really bad if I reread my own post and don't understand what I was trying to say...lol...
John