[c-nsp] FTP Problem - Cisco ASA Box

Sean Granger sgranger at randfinancial.com
Wed Aug 30 15:53:13 EDT 2006


We recently had similar problems with a TLS FTP setup.
It was opening random ports in the range of 50000-60000 and our PIXen weren't tracking it properly in the fixup process.
Best we could do was open all TCP traffic in that range to their server range.
Not exactly a grand fix, but an OS upgrade wasn't an applicable solution.
Something I know that Checkpoint has addressed ...

Maybe it's the FTP daemon's behavior; making it implicit should have forced the port to the TLS standard, but it didn't.
Nothing but Illegal Port commands when going into Active mode.
Passive mode just hung the client because the PIXen dropped the port open request.

I wouldn't doubt that you would see the same things in your access-list debugs.

>>> "Paul Stewart" <pstewart at nexicomgroup.net> 08/30/06 02:44PM >>>
Hi there..

I'm having an issue with a new Cisco ASA5520 for FTPing to remote
sites... Some sites work but are very, very slow, and other sites come back
with an "illegal port" error.  Have tried active and passive mode transfers
from my CuteFTP client...

Can anyone help? :)

Paul Stewart
Network Administrator
Nexicom Inc.
http://www.nexicom.net/ 


ASA Version 7.1(2)
!
hostname acs4-fw-mb
domain-name nexicom.net
enable password XXXXXXXXXXXXXXXXXXXXX encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd XXXXXXXXXXXXXXXXXXX encrypted
no ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
 domain-name nexicom.net
access-list AIP extended permit ip any any
access-list ANY extended permit ip any any
access-list ANY extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging trap informational
logging asdm informational
logging host Outside xxx.xxx.xxx.xxx
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip verify reverse-path interface Outside
ip verify reverse-path interface Inside
no failover
asdm image disk0:/asdm512-k8.bin
asdm history enable
arp timeout 14400
nat-control
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0 dns
access-group ANY in interface Outside
access-group ANY out interface Outside
access-group ANY in interface Inside
access-group ANY out interface Inside
route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password XXXXXXXXXXXXXXX encrypted privilege 15
!
class-map AIP
 match access-list AIP
!
!
policy-map AIP
 class AIP
  ips inline fail-open
!
service-policy AIP global

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp 
archive at http://puck.nether.net/pipermail/cisco-nsp/
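The config Paul posted has no `inspect ftp` anywhere: the only global policy is the AIP class with `ips inline`, so nothing rewrites PORT/PASV addresses as they cross the PAT on the Outside interface. The fragment below is an added illustration, not Paul's config and not something from this thread; it shows (a) what enabling the stock ASA 7.x FTP inspection alongside the existing IPS class looks like, and (b) the static-port-range workaround Sean describes for FTPS, where the control channel is encrypted and inspection cannot see the data port. The names `global_policy`, `inspection_default` and `Outside_in`, the addresses 198.51.100.10 / 10.1.1.10 and the 50000-60000 range are placeholders chosen for the example.

```cisco
! Added example, not the posted config. ASA permits a single global
! service-policy, so the IPS class from the original and the default
! inspection class have to share one policy-map.
class-map inspection_default
 match default-inspection-traffic
!
class-map AIP
 match access-list AIP
!
policy-map global_policy
 class inspection_default
  inspect ftp
 class AIP
  ips inline fail-open
!
no service-policy AIP global
service-policy global_policy global
!
! FTPS (FTP over TLS) carries PORT/PASV inside the encrypted control
! channel, so "inspect ftp" cannot learn the data port. For an FTPS server
! behind the ASA, pin the server's passive range and permit it statically.
! 198.51.100.10 (outside) / 10.1.1.10 (inside) are placeholder addresses.
! Explicit FTPS (AUTH TLS) uses port 21; implicit FTPS uses 990.
static (Inside,Outside) 198.51.100.10 10.1.1.10 netmask 255.255.255.255
access-list Outside_in extended permit tcp any host 198.51.100.10 eq ftp
access-list Outside_in extended permit tcp any host 198.51.100.10 eq 990
access-list Outside_in extended permit tcp any host 198.51.100.10 range 50000 60000
!
! Applying this ACL replaces the "permit ip any any" currently bound
! inbound on Outside; only one ACL per interface and direction is allowed.
access-group Outside_in in interface Outside
!
! Verification: inspection counters, and the data connections the ASA
! opened (plain FTP) or that matched the static range (FTPS).
show service-policy inspect ftp
show conn | include 198.51.100.10
```

Two caveats a practitioner would check before copying this: the passive range must be configured identically on the FTP daemon itself (the ASA only permits it, it does not negotiate it), and with FTPS the trade-off is exactly the one Sean names, a permanently open block of TCP ports to that server instead of per-session pinholes.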