[c-nsp] FTP Problem - Cisco ASA Box

Amol Sapkal amolsapkal at gmail.com
Wed Aug 30 16:11:05 EDT 2006


Hi,

The service policy, global_policy is pre-defined:

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  *inspect ftp*
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

Have you modified the policy map?
If the above is still there, try running a 'show service-policy' command and
check whether there are traffic matches.
-Amol
On 8/31/06, Jason Lixfeld <jason at lixfeld.ca> wrote:
>
> Looks like you modified your policy-maps from the defaults, so try
> adding an inspect ftp to your policy-map and see if that helps.
>
> On 30-Aug-06, at 3:44 PM, Paul Stewart wrote:
>
> > Hi there..
> >
> > I'm having an issue with a new Cisco ASA5520 for ftp'ing to remote
> > sites... Some sites work but very very slow and other sites come back
> > with "illegal port" error.  Have tried active and passive mode
> > transfers from my CuteFTP client...
> >
> > Can anyone help? :)
> >
> > Paul Stewart
> > Network Administrator
> > Nexicom Inc.
> > http://www.nexicom.net/
> >
> >
> > ASA Version 7.1(2)
> > !
> > hostname acs4-fw-mb
> > domain-name nexicom.net
> > enable password XXXXXXXXXXXXXXXXXXXXX encrypted
> > names
> > !
> > interface GigabitEthernet0/0
> >  nameif Outside
> >  security-level 0
> >  ip address xxx.xxx.xxx.xxx 255.255.255.240
> > !
> > interface GigabitEthernet0/1
> >  nameif Inside
> >  security-level 100
> >  ip address xxx.xxx.xxx.xxx 255.255.255.0
> > !
> > interface GigabitEthernet0/2
> >  shutdown
> >  no nameif
> >  no security-level
> >  no ip address
> > !
> > interface GigabitEthernet0/3
> >  shutdown
> >  no nameif
> >  no security-level
> >  no ip address
> > !
> > interface Management0/0
> >  shutdown
> >  nameif management
> >  security-level 100
> >  ip address 192.168.1.1 255.255.255.0
> >  management-only
> > !
> > passwd XXXXXXXXXXXXXXXXXXX encrypted
> > no ftp mode passive
> > clock timezone EST -5
> > clock summer-time EDT recurring
> > dns domain-lookup Outside
> > dns domain-lookup Inside
> > dns server-group DefaultDNS
> >  domain-name nexicom.net
> > access-list AIP extended permit ip any any
> > access-list ANY extended permit ip any any
> > access-list ANY extended permit icmp any any
> > pager lines 24
> > logging enable
> > logging timestamp
> > logging trap informational
> > logging asdm informational
> > logging host Outside xxx.xxx.xxx.xxx
> > mtu Outside 1500
> > mtu Inside 1500
> > mtu management 1500
> > ip verify reverse-path interface Outside
> > ip verify reverse-path interface Inside
> > no failover
> > asdm image disk0:/asdm512-k8.bin
> > asdm history enable
> > arp timeout 14400
> > nat-control
> > global (Outside) 10 interface
> > nat (Inside) 10 0.0.0.0 0.0.0.0 dns
> > access-group ANY in interface Outside
> > access-group ANY out interface Outside
> > access-group ANY in interface Inside
> > access-group ANY out interface Inside
> > route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> > timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > username admin password XXXXXXXXXXXXXXX encrypted privilege 15
> > !
> > class-map AIP
> >  match access-list AIP
> > !
> > !
> > policy-map AIP
> >  class AIP
> >   ips inline fail-open
> > !
> > service-policy AIP global
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
-- 
Warm regards,

Amol Sapkal

-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
-------------------------------------------------------------------
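Why the thread keeps coming back to 'inspect ftp': the firewall in Paul's config does PAT to the Outside interface, so the server sees the control connection from the translated address, while an active-mode PORT command still carries the client's private address inside the payload. Servers that check the two against each other reject the command, which is where an "illegal port" style error comes from. The following is an added worked model of that mechanism, not code from this thread, from Cisco, or from any FTP server; the addresses, the PORT line and the 227 reply are constructed, and the pinhole/rewrite behaviour is a simplified model of what application-layer FTP inspection does (a real PAT device also allocates its own translated data port; here that is an optional parameter).

```python
"""Model of why FTP needs application-layer inspection through a NAT/PAT firewall.

RFC 959 encodes an address and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
Both the client's PORT command (active mode) and the server's 227 reply
(passive mode) use this encoding, so a firewall that only translates the IP
header leaves a stale private address inside the FTP payload.
"""
import ipaddress
import re

_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*\(" + _HOSTPORT + r"\)")


def decode_hostport(groups):
    """Turn the six captured decimal fields into ('a.b.c.d', port)."""
    p1, p2 = int(groups[4]), int(groups[5])
    if p1 > 255 or p2 > 255:
        raise ValueError("port byte out of range")
    # IPv4Address raises ValueError on an octet above 255
    ip = ipaddress.IPv4Address(".".join(groups[:4]))
    return str(ip), p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: '198.51.100.7', 1025 -> '198,51,100,7,4,1'."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(m.groups())


def parse_pasv_reply(line):
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return decode_hostport(m.groups())


def is_valid_port_command(line):
    """True when the line is a syntactically valid PORT command."""
    try:
        parse_port_command(line)
        return True
    except ValueError:
        return False


def server_accepts_port(control_peer_ip, port_line):
    """The sanity check many FTP servers apply before honouring PORT: the
    embedded address must equal the control connection's peer address and the
    port must be non-privileged. A mismatch is rejected ("illegal PORT").
    This models common server behaviour, not one specific server."""
    ip, port = parse_port_command(port_line)
    return ip == control_peer_ip and port > 1023


def inspect_outbound_port(port_line, inside_ip, outside_ip, xlate_port=None):
    """What FTP inspection does for an inside client's PORT command under PAT:
    rewrite the private address in the payload to the translated address and
    record a pinhole so the server's inbound data connection is permitted.
    xlate_port=None keeps the original port number (simplification: a real PAT
    device allocates the translated port itself)."""
    ip, port = parse_port_command(port_line)
    if ip != inside_ip:
        raise ValueError("PORT address does not match the inside client")
    if xlate_port is None:
        xlate_port = port
    rewritten = "PORT " + encode_hostport(outside_ip, xlate_port)
    pinhole = {"dir": "inbound", "proto": "tcp", "dst": outside_ip,
               "dport": xlate_port, "xlate_to": (inside_ip, port)}
    return rewritten, pinhole


def inspect_inbound_pasv(reply_line):
    """Passive mode: the server's 227 reply names the data endpoint; inspection
    opens a pinhole for the client's outbound data connection to it."""
    ip, port = parse_pasv_reply(reply_line)
    return {"dir": "outbound", "proto": "tcp", "dst": ip, "dport": port}


def demo():
    # Constructed addresses: inside client, firewall Outside (PAT) address, remote server
    inside, outside = "192.168.1.50", "198.51.100.7"
    raw = "PORT 192,168,1,50,4,1"  # constructed: client advertises its private address
    # Without inspection the server sees the control connection from 198.51.100.7
    # but PORT names 192.168.1.50, so the check fails.
    without = server_accepts_port(outside, raw)
    rewritten, pinhole = inspect_outbound_port(raw, inside, outside)
    with_insp = server_accepts_port(outside, rewritten)
    pasv = inspect_inbound_pasv("227 Entering Passive Mode (203,0,113,10,195,80)")  # constructed
    return {"without_inspection": without, "with_inspection": with_insp,
            "rewritten": rewritten, "pinhole": pinhole, "pasv_pinhole": pasv}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the same PORT command being rejected before the rewrite and accepted after it, and the pinhole entries show why, with inspection disabled, the server's inbound data connection to a PAT address has nothing to translate it back to. Checking 'show service-policy' for FTP match counts, as suggested above, is the way to confirm the inspection is actually seeing the traffic.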