Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Passive FTP not flowing through ASA5505

We have an ASA5505 and we are unable to get passive ftp to work from outside our system to inside.  Active FTP works, but not passive.   Passive works inside our organization so the issue isn't the server itself.  Below is my configuration:

!
hostname RERC-DM
domain-name rerc.local
enable password **** encrypted
passwd **** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.116.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address OUTSIDE_IP 255.255.255.248
!
banner exec ***************************** WARNING !! ***************************************
banner exec You have accessed a secure system and must have proper authorization.Unauthorized access is
banner exec Unlawful and is subject to civil and/or criminal penalties.  Any use of this system may be logged or
banner exec monitored without further notice.Any resulting logs may be used as evidence in court.
banner exec  PLEASE LOG OFF IMMEDIATELY!!>
banner exec  ***************************** WARNING !! *********************
banner login ***************************** WARNING !! ***************************************
banner login You have accessed a secure system and must have proper authorization.Unauthorized access is
banner login Unlawful and is subject to civil and/or criminal penalties.  Any use of this system may be logged or
banner login monitored without further notice.Any resulting logs may be used as evidence in court.
banner login  PLEASE LOG OFF IMMEDIATELY!!>
banner login  ***************************** WARNING !! *********************
banner motd ***************************** WARNING !! ***************************************
banner motd You have accessed a secure system and must have proper authorization.Unauthorized access is
banner motd Unlawful and is subject to civil and/or criminal penalties.  Any use of this system may be logged or
banner motd monitored without further notice.Any resulting logs may be used as evidence in court.
banner motd  PLEASE LOG OFF IMMEDIATELY!!>
banner motd  ***************************** WARNING !! *********************
banner asdm ***************************** WARNING !! ***************************************
banner asdm You have accessed a secure system and must have proper authorization.Unauthorized access is
banner asdm Unlawful and is subject to civil and/or criminal penalties.  Any use of this system may be logged or
banner asdm monitored without further notice.Any resulting logs may be used as evidence in court.
banner asdm  PLEASE LOG OFF IMMEDIATELY!!>
banner asdm  ***************************** WARNING !! *********************
boot system disk0:/asa825-k8.bin
boot system disk0:/asa822-23-k8.bin
no ftp mode passive

dns server-group DefaultDNS
domain-name rerc.local
access-list natbye extended permit ip 192.168.116.0 255.255.255.0 90.0.0.0 255.255.255.0
access-list natbye extended permit ip 192.168.116.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list natbye extended permit ip 192.168.116.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list natbye extended permit ip 192.168.116.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list waverly extended permit ip 192.168.116.0 255.255.255.0 90.0.0.0 255.255.255.0
access-list waverly extended permit ip 192.168.116.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list waverly extended permit ip 192.168.116.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inbound extended permit tcp any any eq ftp-data
access-list inbound extended permit tcp any any eq ftp
access-list inbound extended permit ip 63.254.82.96 255.255.255.224 any
access-list inbound extended permit ip 216.203.101.16 255.255.255.248 any
access-list inbound extended permit ip 71.39.248.224 255.255.255.248 any
access-list inbound extended permit icmp 216.203.101.16 255.255.255.248 any
access-list inbound extended permit icmp 71.39.248.224 255.255.255.248 any
access-list inbound extended permit icmp 63.254.82.96 255.255.255.224 any
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any any eq 3389
access-list netflow-export extended permit ip any any
access-list vpnclient extended permit ip 192.168.116.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpnclient extended permit ip 90.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list vpnclient extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging list FirstSyslog level notifications
logging monitor debugging
logging trap notifications
logging from-address administrator@rerc.com
logging recipient-address ryoung@rerc.com level errors
logging host inside 90.0.0.16 format emblem
flow-export destination inside 192.168.116.190 9996
mtu inside 1500
mtu outside 1500
ip local pool clientpool 10.10.10.10-10.10.10.20 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name Attack attack action alarm drop reset
ip audit name Info info action alarm
ip audit interface inside Info
ip audit interface inside Attack
ip audit interface outside Info
ip audit interface outside Attack
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list natbye
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.116.30 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.116.11 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.116.11 ftp-data netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 63.254.16.185 1
timeout xlate 3:00:00
timeout conn 20:00:00 half-closed 0:30:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server dsm1 protocol radius
accounting-mode simultaneous
aaa-server dsm1 (inside) host 192.168.116.30
key *****
radius-common-pw *****
http server enable 4443
http 63.254.82.96 255.255.255.224 outside
http 71.39.248.224 255.255.255.248 outside
http 216.203.101.16 255.255.255.248 outside
http 97.64.245.108 255.255.255.252 outside
http 97.64.245.110 255.255.255.255 outside
http 192.168.116.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 90.0.0.0 255.255.255.0 inside
http 173.31.118.151 255.255.255.255 outside
http 172.20.0.0 255.255.0.0 outside
http 172.20.0.0 255.255.0.0 inside
snmp-server host inside 192.168.1.10 community *****
snmp-server host inside 192.168.1.5 community *****
snmp-server host inside 192.168.116.190 poll community *****
snmp-server host outside 71.39.248.228 poll community ***** version 2c
snmp-server host inside 90.0.0.235 poll community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 1 set reverse-route
crypto map newmap 1 match address waverly
crypto map newmap 1 set peer 64.199.233.141
crypto map newmap 1 set transform-set myset
crypto map newmap 1 set security-association lifetime seconds 86400
crypto map newmap 100 ipsec-isakmp dynamic cisco
crypto map newmap interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email administrator@rerc.com
subject-name CN=RERC-DM
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 46fed552
    308201dd 30820146 a0030201 02020446 fed55230 0d06092a 864886f7 0d010105
    05003033 3110300e 06035504 03130752 4552432d 444d311f 301d0609 2a864886
    f70d0109 02161052 4552432d 444d2e72 6572632e 636f6d30 1e170d31 34303131
    35303331 3933345a 170d3234 30313133 30333139 33345a30 33311030 0e060355
    04031307 52455243 2d444d31 1f301d06 092a8648 86f70d01 09021610 52455243
    2d444d2e 72657263 2e636f6d 30819f30 0d06092a 864886f7 0d010101 05000381
    8d003081 89028181 00b8194f 91038a3c 589b1e8a 6acdb74e 68541113 558bfab3
    f8a58149 61b2da4c cd8bee09 20e34abb 8720b78b ce8e23e3 bbe404b1 febc4f40
    57e9040f b6de3fde 12a97f62 1b2e870f e529d022 3c2ebe09 6a793deb 535ef479
    63d893b3 24c1f85c 3766263e 190d7b79 1c1f516f e0566a54 67799ed4 702d1867
    dbbfe71c 2eeefc3a a3020301 0001300d 06092a86 4886f70d 01010505 00038181
    009d6b06 7b08e6a7 c7506f84 55af9b8a 45416b76 8efdfeb5 1cb51c7d 53c1e738
    21ac0059 5a51215b e44d95a4 260e0201 609e4fd2 4cb97136 cbaee3cd 91644158
    c2bc1ac1 af278842 a4a071e4 213b340e b2b24902 a75c77fb 03072dc7 376402b9
    917e90d5 dc64aa75 60bfb381 59c875b6 2ee08878 d6f3ccb8 1556bcb6 7388183a f6
  quit
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 40
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.116.0 255.255.255.0 inside
ssh 172.20.0.0 255.255.0.0 inside
ssh 64.199.233.224 255.255.255.248 outside
ssh 64.199.233.216 255.255.255.248 outside
ssh 64.199.246.120 255.255.255.248 outside
ssh 216.203.101.16 255.255.255.248 outside
ssh 71.39.248.224 255.255.255.248 outside
ssh 63.254.82.96 255.255.255.224 outside
ssh 64.199.233.128 255.255.255.240 outside
ssh 97.64.245.108 255.255.255.252 outside
ssh 173.31.118.151 255.255.255.255 outside
ssh 172.20.0.0 255.255.0.0 outside
ssh 192.168.0.0 255.255.255.0 outside
ssh timeout 48
ssh version 1
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 207.182.243.123 key 1 prefer
ntp server 216.171.120.36 source outside prefer
webvpn
group-policy test internal
group-policy test attributes
dns-server value 8.8.8.8
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient
default-domain value rerc.com
group-policy VPNCLIENTGROUP internal
group-policy VPNCLIENTGROUP attributes
wins-server value 192.168.116.30 90.0.0.16
dns-server value 192.168.116.30 90.0.0.16
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient
default-domain value rerc.com
address-pools value clientpool
tunnel-group testclient type remote-access
tunnel-group testclient general-attributes
address-pool clientpool
authentication-server-group dsm1
authentication-server-group (outside) dsm1 LOCAL
authorization-server-group dsm1
default-group-policy VPNCLIENTGROUP
password-management
tunnel-group testclient webvpn-attributes
group-alias VPNCLIENTGROUP enable
tunnel-group testclient ipsec-attributes
pre-shared-key *****
!
class-map pptp
match port tcp eq pptp
class-map netflow-export-class
match access-list netflow-export
!
!
policy-map netflow-export-policy
class netflow-export-class
  flow-export event-type all destination 192.168.116.190
!
service-policy netflow-export-policy global
smtp-server 90.0.0.3 90.0.0.2
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f2e3150e72cab4dc8c447a92ded1de7d
: end

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Passive FTP not flowing through ASA5505

Sorry...I'm not sure where my head is at today, but that command is going to affect ftp from the appliance for copying files, etc. So, the only other thing that I don't see is the inspect under your service policy. Can you try the following? (I don't have a way of testing this, so hopefully you're in a lab environment):

class-map inspection_default

match default-inspection-traffic

policy-map netflow-export-policy

class inspection_default

inspect ftp

inspect http

inspect dns preset_dns_map

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
7 REPLIES

Passive FTP not flowing through ASA5505

You have it disabled:

no ftp mode passive

Try changing to:

ftp mode passive

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Re: Passive FTP not flowing through ASA5505

Thank You for your reply John,  Unfortunately, that did not help.  We are still getting timed out on directory listing even after that change.  I do appreciate the reply though!

Message was edited by: Ryan Young

Re: Passive FTP not flowing through ASA5505

Sorry...I'm not sure where my head is at today, but that command is going to affect ftp from the appliance for copying files, etc. So, the only other thing that I don't see is the inspect under your service policy. Can you try the following? (I don't have a way of testing this, so hopefully you're in a lab environment):

class-map inspection_default

match default-inspection-traffic

policy-map netflow-export-policy

class inspection_default

inspect ftp

inspect http

inspect dns preset_dns_map

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Community Member

Re: Passive FTP not flowing through ASA5505

OMG!  You are awesome!  That fixed it.  THANK YOU!!

Re: Passive FTP not flowing through ASA5505

Glad I could help!

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
Hall of Fame Super Blue

Passive FTP not flowing through ASA5505

John

Sorry...I'm not sure where my head is at today

You think that's bad, i've messed up two posts already today and one of them was about as basic a routing question as you could get !

Sometimes i am so tempted to delete my really bad posts but i'll just have to live with the embarrassment

Jon

Passive FTP not flowing through ASA5505

I know I've deleted some of mine in the past It's really bad if I reread my own post and don't understand what I was trying to say...lol...

John

HTH, John *** Please rate all useful posts ***
201
Views
25
Helpful
7
Replies
CreatePlease to create content