[c-nsp] FTP Problem - Cisco ASA Box

Paul Stewart pstewart at nexicomgroup.net
Wed Aug 30 16:36:23 EDT 2006


Thanks to EVERYONE for all the quick responses (several dozen I must
admit)... yes, I was missing an inspect ftp statement.. must have looked
100 times at the config... 
 
All the best!
 
Paul
 

________________________________

From: Amol Sapkal [mailto:amolsapkal at gmail.com] 
Sent: Wednesday, August 30, 2006 4:11 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FTP Problem - Cisco ASA Box


Hi,
 
The service policy, global_policy, is pre-defined:

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

Have you modified the policy map?

If the above is still there, try running a 'show service-policy' command
and check whether there are traffic matches.

-Amol

On 8/31/06, Jason Lixfeld <jason at lixfeld.ca> wrote: 

	Looks like you modified your policy-maps from the defaults, so try
	adding an inspect ftp to your policy-map and see if that helps.
	
	On 30-Aug-06, at 3:44 PM, Paul Stewart wrote:
	
	> Hi there..
	>
	> I'm having an issue with a new Cisco ASA5520 for ftp'ing to remote
	> sites... Some sites work but very very slow and other sites come back
	> with "illegal port" error.  Have tried active and passive mode transfers
	> from my CuteFTP client...
	>
	> Can anyone help? :)
	>
	> Paul Stewart
	> Network Administrator 
	> Nexicom Inc.
	> http://www.nexicom.net/
	>
	>
	> ASA Version 7.1(2)
	> !
	> hostname acs4-fw-mb
	> domain-name nexicom.net
	> enable password XXXXXXXXXXXXXXXXXXXXX encrypted
	> names
	> !
	> interface GigabitEthernet0/0
	>  nameif Outside
	>  security-level 0
	>  ip address xxx.xxx.xxx.xxx 255.255.255.240
	> !
	> interface GigabitEthernet0/1
	>  nameif Inside
	>  security-level 100
	>  ip address xxx.xxx.xxx.xxx 255.255.255.0
	> !
	> interface GigabitEthernet0/2 
	>  shutdown
	>  no nameif
	>  no security-level
	>  no ip address
	> !
	> interface GigabitEthernet0/3
	>  shutdown
	>  no nameif
	>  no security-level
	>  no ip address 
	> !
	> interface Management0/0
	>  shutdown
	>  nameif management
	>  security-level 100
	>  ip address 192.168.1.1 255.255.255.0 
	>  management-only
	> !
	> passwd XXXXXXXXXXXXXXXXXXX encrypted
	> no ftp mode passive
	> clock timezone EST -5
	> clock summer-time EDT recurring
	> dns domain-lookup Outside
	> dns domain-lookup Inside 
	> dns server-group DefaultDNS
	>  domain-name nexicom.net
	> access-list AIP extended permit ip any any
	> access-list ANY extended permit ip any any
	> access-list ANY extended permit icmp any any 
	> pager lines 24
	> logging enable
	> logging timestamp
	> logging trap informational
	> logging asdm informational
	> logging host Outside xxx.xxx.xxx.xxx
	> mtu Outside 1500
	> mtu Inside 1500 
	> mtu management 1500
	> ip verify reverse-path interface Outside
	> ip verify reverse-path interface Inside
	> no failover
	> asdm image disk0:/asdm512-k8.bin
	> asdm history enable
	> arp timeout 14400 
	> nat-control
	> global (Outside) 10 interface
	> nat (Inside) 10 0.0.0.0 0.0.0.0 dns
	> access-group ANY in interface Outside
	> access-group ANY out interface Outside 
	> access-group ANY in interface Inside
	> access-group ANY out interface Inside
	> route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
	> timeout xlate 3:00:00 
	> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
	> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
	> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
	> timeout uauth 0:05:00 absolute 
	> username admin password XXXXXXXXXXXXXXX encrypted privilege 15
	> !
	> class-map AIP
	>  match access-list AIP
	> !
	> !
	> policy-map AIP
	>  class AIP
	>   ips inline fail-open 
	> !
	> service-policy AIP global
	>
	> _______________________________________________
	> cisco-nsp mailing list  cisco-nsp at puck.nether.net
	> https://puck.nether.net/mailman/listinfo/cisco-nsp
	> archive at http://puck.nether.net/pipermail/cisco-nsp/ 
	>
	
-- 
Warm regards,

Amol Sapkal

-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
------------------------------------------------------------------- 
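The root cause in this thread is that the posted config applies only the IPS policy-map globally, so no FTP inspection engine is watching the control channel and the dynamically negotiated data connection never gets its pinhole. The script below is an added example, not code from the thread or from Cisco: it parses the policy-map and service-policy lines of an ASA-style config text and reports whether any class of the globally applied policy runs `inspect ftp`, and it decodes the PORT / 227 PASV host-port tuple to show the data endpoint the firewall has to open. Both config samples are constructed; the "fixed" one assumes the repair was made by adding the default inspection class with `inspect ftp` to the same global policy-map, which is one plausible layout rather than what Paul actually typed.

```python
"""Audit an ASA running-config for FTP inspection on the global policy.

Added example (not from the cisco-nsp thread). Assumptions: configs use the
ASA layout of a one-space indent for `class` and a two-space indent for the
actions under it; both sample configs below are constructed.
"""
import re

# Constructed sample mirroring the shape of the posted config: the only
# globally applied policy-map carries an IPS action and no `inspect ftp`.
MISSING_INSPECT_CONFIG = """\
class-map AIP
 match access-list AIP
!
policy-map AIP
 class AIP
  ips inline fail-open
!
service-policy AIP global
"""

# Constructed "after" sample (an assumption about how the fix was applied):
# the default inspection class is added to the same global policy-map so the
# FTP control channel is inspected and the data channel gets its pinhole.
FIXED_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map AIP
 match access-list AIP
!
policy-map AIP
 class inspection_default
  inspect ftp
 class AIP
  ips inline fail-open
!
service-policy AIP global
"""


def parse_policy_maps(config):
    """Return {policy_map: {class_name: [action lines]}} from config text."""
    maps = {}
    current_map = current_class = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if indent == 0:
            # Any top-level line ends the current policy-map block.
            current_map = current_class = None
            m = re.match(r"policy-map\s+(\S+)$", text)
            if m:
                current_map = m.group(1)
                maps[current_map] = {}
        elif current_map is not None and indent == 1 and text.startswith("class "):
            current_class = text.split(None, 1)[1]
            maps[current_map][current_class] = []
        elif current_map is not None and current_class is not None and indent >= 2:
            maps[current_map][current_class].append(text)
    return maps


def global_service_policies(config):
    """Names of policy-maps applied with `service-policy <name> global`."""
    return re.findall(r"^service-policy\s+(\S+)\s+global\s*$", config, re.M)


def audit_ftp_inspection(config):
    """Report whether a globally applied policy-map runs `inspect ftp`."""
    maps = parse_policy_maps(config)
    applied = global_service_policies(config)
    hits = [
        (pm, cls)
        for pm in applied
        for cls, actions in maps.get(pm, {}).items()
        if any(a.split()[:2] == ["inspect", "ftp"] for a in actions)
    ]
    return {"global_policies": applied,
            "ftp_inspected": bool(hits),
            "inspecting_classes": hits}


# The h1,h2,h3,h4,p1,p2 tuple carried by a client PORT command or a server
# 227 PASV reply; this is what the FTP inspection engine reads to open the
# data-channel pinhole (and to rewrite it when NAT is in play).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def data_endpoint(ftp_line):
    """Decode a PORT command or 227 reply into (ip, port); None if absent/invalid."""
    m = _HOSTPORT.search(ftp_line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


if __name__ == "__main__":
    for name, cfg in (("missing", MISSING_INSPECT_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_ftp_inspection(cfg))
    # Constructed PASV reply: the data connection goes to port 195*256+80.
    print(data_endpoint("227 Entering Passive Mode (203,0,113,9,195,80)."))
```

Run against a saved `show running-config`, the audit flags the situation in the thread (a global policy with no FTP inspection class) before anyone spends an afternoon staring at the config; the `data_endpoint` helper is the same decoding the inspection engine performs, which is why "illegal port" errors and stalled transfers appear the moment that engine is absent.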

