[c-nsp] FTP Problem - Cisco ASA Box
Amol Sapkal
amolsapkal at gmail.com
Wed Aug 30 16:11:05 EDT 2006
Hi,
The service policy, global_policy is pre-defined:
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  *inspect ftp*
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
Have you modified the policy map?
If the above is still there, try running a 'show service-policy' command and
check whether there are traffic matches.
-Amol
On 8/31/06, Jason Lixfeld <jason at lixfeld.ca> wrote:
>
> Looks like you modified your policy-maps from the defaults, so try
> adding an inspect ftp to your policy-map and see if that helps.
>
> On 30-Aug-06, at 3:44 PM, Paul Stewart wrote:
>
> > Hi there..
> >
> > I'm having an issue with a new Cisco ASA5520 for ftp'ing to remote
> > sites... Some sites work but very very slow and other sites come back
> > with "illegal port" error. Have tried active and passive mode transfers
> > from my CuteFTP client...
> >
> > Can anyone help? :)
> >
> > Paul Stewart
> > Network Administrator
> > Nexicom Inc.
> > http://www.nexicom.net/
> >
> >
> > ASA Version 7.1(2)
> > !
> > hostname acs4-fw-mb
> > domain-name nexicom.net
> > enable password XXXXXXXXXXXXXXXXXXXXX encrypted
> > names
> > !
> > interface GigabitEthernet0/0
> >  nameif Outside
> >  security-level 0
> >  ip address xxx.xxx.xxx.xxx 255.255.255.240
> > !
> > interface GigabitEthernet0/1
> >  nameif Inside
> >  security-level 100
> >  ip address xxx.xxx.xxx.xxx 255.255.255.0
> > !
> > interface GigabitEthernet0/2
> >  shutdown
> >  no nameif
> >  no security-level
> >  no ip address
> > !
> > interface GigabitEthernet0/3
> >  shutdown
> >  no nameif
> >  no security-level
> >  no ip address
> > !
> > interface Management0/0
> >  shutdown
> >  nameif management
> >  security-level 100
> >  ip address 192.168.1.1 255.255.255.0
> >  management-only
> > !
> > passwd XXXXXXXXXXXXXXXXXXX encrypted
> > no ftp mode passive
> > clock timezone EST -5
> > clock summer-time EDT recurring
> > dns domain-lookup Outside
> > dns domain-lookup Inside
> > dns server-group DefaultDNS
> >  domain-name nexicom.net
> > access-list AIP extended permit ip any any
> > access-list ANY extended permit ip any any
> > access-list ANY extended permit icmp any any
> > pager lines 24
> > logging enable
> > logging timestamp
> > logging trap informational
> > logging asdm informational
> > logging host Outside xxx.xxx.xxx.xxx
> > mtu Outside 1500
> > mtu Inside 1500
> > mtu management 1500
> > ip verify reverse-path interface Outside
> > ip verify reverse-path interface Inside
> > no failover
> > asdm image disk0:/asdm512-k8.bin
> > asdm history enable
> > arp timeout 14400
> > nat-control
> > global (Outside) 10 interface
> > nat (Inside) 10 0.0.0.0 0.0.0.0 dns
> > access-group ANY in interface Outside
> > access-group ANY out interface Outside
> > access-group ANY in interface Inside
> > access-group ANY out interface Inside
> > route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
> > timeout xlate 3:00:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> > timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > username admin password XXXXXXXXXXXXXXX encrypted privilege 15
> > !
> > class-map AIP
> >  match access-list AIP
> > !
> > !
> > policy-map AIP
> >  class AIP
> >   ips inline fail-open
> > !
> > service-policy AIP global
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
>
--
Warm regards,
Amol Sapkal
-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
-------------------------------------------------------------------
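The thread's fix is to put `inspect ftp` back into the global policy. As an added illustration of what that inspection does on the FTP control channel (example code written for this page, not the thread's or Cisco's), the model below rewrites the private address embedded in an outbound PORT command to the Outside PAT address and records the data-channel pinhole, and records the pinhole for a server's 227 passive-mode reply; all addresses are constructed sample values.

```python
import re

# Constructed sample values, not from the thread: the inside client's private
# address, the ASA's Outside (PAT) address, and the remote FTP server.
CLIENT_PRIVATE = "192.168.1.50"
OUTSIDE_PUBLIC = "198.51.100.10"
SERVER = "203.0.113.7"

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(octets):
    """Six comma-separated numbers from PORT / 227 -> (ip, port)."""
    a, b, c, d, p1, p2 = (int(x) for x in octets)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def encode_hostport(ip, port):
    """(ip, port) -> the six comma-separated numbers FTP expects."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_port(line, private_ip=CLIENT_PRIVATE, public_ip=OUTSIDE_PUBLIC):
    """Outbound PORT command (active mode) as 'inspect ftp' treats it.
    Returns (line to forward, pinhole dict or None). Without inspection the
    server would see the private address, which does not match the control
    connection's source, and refuse the command."""
    m = PORT_RE.match(line)
    if not m:
        return line, None            # not a PORT command: pass through
    ip, port = decode_hostport(m.groups())
    if ip != private_ip:
        return line, None            # address is not the inspected client's
    # Rewrite the embedded address to the translated one and allow the
    # server's inbound data connection to that address/port.
    pinhole = {"src": SERVER, "dst": public_ip, "dport": port,
               "xlate": (private_ip, port)}
    return f"PORT {encode_hostport(public_ip, port)}", pinhole


def inspect_pasv(line, client_ip=CLIENT_PRIVATE):
    """Server's 227 reply (passive mode): nothing to rewrite for an outside
    server, but the client's outbound data connection is recorded."""
    m = PASV_RE.match(line)
    if not m:
        return line, None
    ip, port = decode_hostport(m.groups())
    return line, {"src": client_ip, "dst": ip, "dport": port}
```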