[c-nsp] FTP Problem - Cisco ASA Box

Tony Varriale tvarriale at comcast.net
Wed Aug 30 16:34:47 EDT 2006


I've had great luck with FTP thru the ASA.

With that said, I know of a bug (last time I looked Cisco hasn't 
acknowledged it yet) that will block certain traffic returning on the 
outside interface in 7.1(x).  I'm running all 7.0x on my ASAs for that 
reason.  The problem occurred with web browsing and certain sites...I wasn't 
able to keep 7.1x on long enough to test with other traffic as it was 
impacting business significantly.

You should see an odd message in the log about the ACL.  I don't have the 
notes handy right now but it sticks out like a sore thumb.

Sorry I couldn't help more!

tv

----- Original Message ----- 
From: "Paul Stewart" <pstewart at nexicomgroup.net>
To: <cisco-nsp at puck.nether.net>
Sent: Wednesday, August 30, 2006 2:44 PM
Subject: [c-nsp] FTP Problem - Cisco ASA Box


> Hi there..
>
> I'm having an issue with a new Cisco ASA5520 for ftp'ing to remote
> sites... Some sites work but very very slow and other sites come back
> with "illegal port" error.  Have tried active and passive mode transfers
> from my CuteFTP client...
>
> Can anyone help? :)
>
> Paul Stewart
> Network Administrator
> Nexicom Inc.
> http://www.nexicom.net/
>
>
> ASA Version 7.1(2)
> !
> hostname acs4-fw-mb
> domain-name nexicom.net
> enable password XXXXXXXXXXXXXXXXXXXXX encrypted
> names
> !
> interface GigabitEthernet0/0
> nameif Outside
> security-level 0
> ip address xxx.xxx.xxx.xxx 255.255.255.240
> !
> interface GigabitEthernet0/1
> nameif Inside
> security-level 100
> ip address xxx.xxx.xxx.xxx 255.255.255.0
> !
> interface GigabitEthernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface GigabitEthernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Management0/0
> shutdown
> nameif management
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> management-only
> !
> passwd XXXXXXXXXXXXXXXXXXX encrypted
> no ftp mode passive
> clock timezone EST -5
> clock summer-time EDT recurring
> dns domain-lookup Outside
> dns domain-lookup Inside
> dns server-group DefaultDNS
> domain-name nexicom.net
> access-list AIP extended permit ip any any
> access-list ANY extended permit ip any any
> access-list ANY extended permit icmp any any
> pager lines 24
> logging enable
> logging timestamp
> logging trap informational
> logging asdm informational
> logging host Outside xxx.xxx.xxx.xxx
> mtu Outside 1500
> mtu Inside 1500
> mtu management 1500
> ip verify reverse-path interface Outside
> ip verify reverse-path interface Inside
> no failover
> asdm image disk0:/asdm512-k8.bin
> asdm history enable
> arp timeout 14400
> nat-control
> global (Outside) 10 interface
> nat (Inside) 10 0.0.0.0 0.0.0.0 dns
> access-group ANY in interface Outside
> access-group ANY out interface Outside
> access-group ANY in interface Inside
> access-group ANY out interface Inside
> route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> username admin password XXXXXXXXXXXXXXX encrypted privilege 15
> !
> class-map AIP
> match access-list AIP
> !
> !
> policy-map AIP
> class AIP
>  ips inline fail-open
> !
> service-policy AIP global
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
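One check a defender would run against a config like the one quoted above (an added example, not from the original thread or from Cisco): the only policy applied globally is `policy-map AIP`, which carries no `inspect ftp`, while `global (Outside) 10 interface` enables interface PAT, and the permit-ip-any-any ACL is applied inbound on the outside interface. The script parses ASA 7.x config text for exactly those conditions; the config excerpts it runs on are constructed in the shape of the posted one.

```python
"""Lint an ASA 7.x config for the FTP-related settings in the quoted post
(editor's added example, not Cisco tooling or the original poster's)."""
import re

# Constructed excerpts in the shape of the posted config, not the full dump.
POSTED_STYLE = """\
access-list ANY extended permit ip any any
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0 dns
access-group ANY in interface Outside
class-map AIP
 match access-list AIP
policy-map AIP
 class AIP
  ips inline fail-open
service-policy AIP global
"""
# Same excerpt with the default inspection policy applied globally instead.
WITH_INSPECTION = POSTED_STYLE.replace(
    "service-policy AIP global",
    "policy-map global_policy\n class inspection_default\n  inspect ftp\n"
    "service-policy global_policy global")
TOP_LEVEL = ("policy-map ", "class-map ", "service-policy ", "access-list ", "!")

def inspections_by_policy(config):
    """Map each policy-map name to the protocols it inspects. A block ends at
    the next top-level keyword, since mail quoting strips indentation."""
    maps, current = {}, None
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("policy-map "):
            current = line.split()[1]
            maps[current] = set()
        elif current and line.startswith("inspect "):
            maps[current].add(line.split()[1])
        elif line.startswith(TOP_LEVEL):
            current = None
    return maps

def lint(config):
    findings = []
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    policy = m.group(1) if m else None
    if "ftp" not in inspections_by_policy(config).get(policy, set()):
        findings.append(f"global service-policy {policy} does not inspect ftp")
        # Without the fixup, an active-mode PORT command leaves carrying the
        # inside host's private address once interface PAT rewrites the flow.
        if re.search(r"^global \(\S+\) \d+ interface$", config, re.M):
            findings.append("interface PAT without FTP inspection")
    for acl in re.findall(r"^access-list (\S+) extended permit ip any any$", config, re.M):
        if re.search(rf"^access-group {re.escape(acl)} in interface Outside$", config, re.M):
            findings.append(f"ACL {acl} permits ip any any inbound on Outside")
    return findings
```

Running `lint(POSTED_STYLE)` reports all three conditions; `lint(WITH_INSPECTION)` reports only the ACL, showing that moving `inspect ftp` into the globally applied policy is what clears the FTP findings.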
> 