[c-nsp] FTP Problem - Cisco ASA Box
Sean Granger
sgranger at randfinancial.com
Wed Aug 30 17:19:03 EDT 2006
For anyone else who also saw the problem and was wondering:
As I said I'm on PIX instead and it's the 6.3.x chain.
Wasn't feasible to just slap 7 in.
>>> "Paul Stewart" <pstewart at nexicomgroup.net> 08/30/06 03:36PM >>>
Thanks to EVERYONE for all the quick responses (several dozen I must
admit)... yes, I was missing an inspect ftp statement.. must have looked
100 times at the config...
All the best!
Paul
________________________________
From: Amol Sapkal [mailto:amolsapkal at gmail.com]
Sent: Wednesday, August 30, 2006 4:11 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FTP Problem - Cisco ASA Box
Hi,
The service policy, global_policy is pre-defined:
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect ils
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
Have you modified the policy map?
If the above is still there, try running a 'show service-policy' command
and check whether there are traffic matches.
-Amol
On 8/31/06, Jason Lixfeld <jason at lixfeld.ca> wrote:
Looks like you modified your policy-maps from the defaults, so try
adding an inspect ftp to your policy-map and see if that helps.
On 30-Aug-06, at 3:44 PM, Paul Stewart wrote:
> Hi there..
>
> I'm having an issue with a new Cisco ASA5520 for ftp'ing to remote
> sites... Some sites work but very very slow and other sites come back
> with "illegal port" error. Have tried active and passive mode transfers
> from my CuteFTP client...
>
> Can anyone help? :)
>
> Paul Stewart
> Network Administrator
> Nexicom Inc.
> http://www.nexicom.net/
>
>
> ASA Version 7.1(2)
> !
> hostname acs4-fw-mb
> domain-name nexicom.net
> enable password XXXXXXXXXXXXXXXXXXXXX encrypted
> names
> !
> interface GigabitEthernet0/0
> nameif Outside
> security-level 0
> ip address xxx.xxx.xxx.xxx 255.255.255.240
> !
> interface GigabitEthernet0/1
> nameif Inside
> security-level 100
> ip address xxx.xxx.xxx.xxx 255.255.255.0
> !
> interface GigabitEthernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface GigabitEthernet0/3
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Management0/0
> shutdown
> nameif management
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> management-only
> !
> passwd XXXXXXXXXXXXXXXXXXX encrypted
> no ftp mode passive
> clock timezone EST -5
> clock summer-time EDT recurring
> dns domain-lookup Outside
> dns domain-lookup Inside
> dns server-group DefaultDNS
> domain-name nexicom.net
> access-list AIP extended permit ip any any
> access-list ANY extended permit ip any any
> access-list ANY extended permit icmp any any
> pager lines 24
> logging enable
> logging timestamp
> logging trap informational
> logging asdm informational
> logging host Outside xxx.xxx.xxx.xxx
> mtu Outside 1500
> mtu Inside 1500
> mtu management 1500
> ip verify reverse-path interface Outside
> ip verify reverse-path interface Inside
> no failover
> asdm image disk0:/asdm512-k8.bin
> asdm history enable
> arp timeout 14400
> nat-control
> global (Outside) 10 interface
> nat (Inside) 10 0.0.0.0 0.0.0.0 dns
> access-group ANY in interface Outside
> access-group ANY out interface Outside
> access-group ANY in interface Inside
> access-group ANY out interface Inside
> route Outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> username admin password XXXXXXXXXXXXXXX encrypted privilege 15
> !
> class-map AIP
> match access-list AIP
> !
> !
> policy-map AIP
> class AIP
> ips inline fail-open
> !
> service-policy AIP global
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
Warm regards,
Amol Sapkal
-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
-------------------------------------------------------------------