Cisco – Active and Passive FTP between two Cisco ASA 5505s

cisco cisco-asa ftp

A client of mine has an IIS 7 FTP server in Active mode sitting behind a Cisco ASA 5505. This setup is known good, as external clients (once instructed on IE settings) are able to connect to the FTP server without a problem. Command-line FTP in Windows and FileZilla set to Active mode also work as expected.

A sister company of this client now has users trying to connect, but they are unable to, even when IE is configured properly and FileZilla is set to Active. It seems like the Command channel will sometimes make a connection, but the Data channel always fails. This sister company also uses a Cisco ASA 5505. I'm sure that the issue is the configuration of their ASA.

As seen in the config snippet below, their ASA has the "ftp mode passive" global configuration option enabled, and I am pretty sure that's the issue. I'm trying to figure out what configurations to suggest that they add to their config, but I would really appreciate suggestions … I'm an ASA novice, and still trying to get up to speed on the thing.

ASA Version 7.2(2)
!
**ftp mode passive**
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name vbllc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat extended permit ip any 10.0.14.0 255.255.255.128
access-list ny-vpn extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list ny-vpn extended permit ip 192.168.255.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_outside2 extended permit icmp any any
access-list acl_outside2 extended permit ip host 66.117.119.221 host 216.143.137.27
access-list acl_outside2 extended permit ip host 66.117.119.214 host 216.143.137.27
access-list OutsideNew_40_cryptomap extended permit ip 10.0.4.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list OutsideOld_access_in extended permit icmp any any
access-list SplitTunnel_splitTunnelAcl standard permit any
access-list acl_outside_fiber extended permit icmp any any
no pager
logging enable
logging buffer-size 10000
logging buffered notifications
logging asdm informational
mtu OutsideOld 1500
mtu Inside 1500
mtu test1 1500
mtu OutsideNew 1500
mtu OutsideFiber 1500
mtu management 1500
ip local pool vpn 192.168.255.1-192.168.255.254
ip local pool SplitTunnel 10.0.14.50-10.0.14.99
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OutsideOld
icmp permit any Inside
icmp permit any OutsideNew
icmp permit any OutsideFiber
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (OutsideOld) 1 interface
global (OutsideNew) 1 interface
global (OutsideFiber) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.0.4.0 255.255.255.0
static (Inside,OutsideNew) 216.143.137.27 10.0.4.5 netmask 255.255.255.255
access-group OutsideOld_access_in in interface OutsideOld
access-group acl_outside2 in interface OutsideNew
access-group acl_outside_fiber in interface OutsideFiber
route OutsideFiber 0.0.0.0 0.0.0.0 65.220.55.209 1 track 1
route OutsideOld 0.0.0.0 0.0.0.0 63.139.135.161 100
route Inside 152.179.153.229 255.255.255.255 10.0.4.1 10
route OutsideNew 208.110.65.18 255.255.255.255 216.143.137.25 1
route OutsideNew 0.0.0.0 0.0.0.0 216.143.137.25 50
route OutsideFiber 152.179.153.229 255.255.255.255 65.220.55.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SplitTunnel internal
group-policy SplitTunnel attributes
 wins-server value 10.0.4.3
 dns-server value 10.0.4.3 10.0.4.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel_splitTunnelAcl
 default-domain value vbllc.com
group-policy remotevpn internal
group-policy remotevpn attributes
 wins-server value 10.0.4.3 10.0.0.2
 dns-server value 10.0.4.3 10.0.0.2

Best Answer

Three things...

  • This is a very old Cisco ASA software version. If these are new devices, they should have shipped with a CD that contains newer software and GUI utilities (specifically the ASA and ASDM software images).

  • Since Cisco firewalls are protocol-aware (and inspect packets), you can enable ftp transfer through them by running the fixup protocol ftp 21 command on both ASA firewalls.

  • For Cisco firewall beginners, I recommend using the ASDM graphical interface. Of course, this is enhanced with newer software versions than what's currently installed...
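To make the answer's point concrete, here is an added example (not code from the question, the answer or Cisco) that models what an FTP-aware inspection such as the ASA's has to derive from the control channel: it parses the client's PORT command (active mode) and the server's 227 reply (passive mode) and reports which side must accept an unsolicited inbound data connection. The client address 10.0.4.20 and the sample lines are constructed; the server address 216.143.137.27 is the static NAT from the posted config.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DataChannel:
    src_ip: str       # side that opens the TCP data connection
    src_port: int     # 0 means an ephemeral port
    dst_ip: str
    dst_port: int
    inbound_to: str   # "client" or "server": whose firewall sees the unsolicited SYN


# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(h1, h2, h3, h4, p1, p2):
    octets = [int(x) for x in (h1, h2, h3, h4)]
    if any(o > 255 for o in octets):
        raise ValueError("bad host octet")
    port = int(p1) * 256 + int(p2)
    if not 0 < port <= 65535:
        raise ValueError("bad port")
    return ".".join(map(str, octets)), port


def data_channel(line, client_ip, server_ip):
    """Return the data connection implied by one control-channel line, or None.

    Active mode: the client sends PORT and the server connects back (typically
    from port 20), so the *client-side* firewall must open a pinhole. This is
    the inbound connection that fails when the client's ASA is not inspecting
    FTP. Passive mode: the server's 227 reply names the port the client will
    connect to, so the *server-side* firewall must permit it.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        m = _HOSTPORT.search(line)
        if not m:
            raise ValueError("malformed PORT")
        ip, port = _decode(*m.groups())
        if ip != client_ip:
            # a sane inspection only opens a pinhole back to the client itself
            raise ValueError("PORT address does not match the control connection")
        return DataChannel(server_ip, 20, ip, port, "client")
    if line.startswith("227"):
        m = _HOSTPORT.search(line)
        if not m:
            raise ValueError("malformed 227 reply")
        ip, port = _decode(*m.groups())
        return DataChannel(client_ip, 0, ip, port, "server")
    return None
```

Running `data_channel("PORT 10,0,4,20,4,1", "10.0.4.20", "216.143.137.27")` shows the active-mode case from the question: the inbound leg lands on the client's firewall, which is why the sister company's ASA, not the server's, needs FTP inspection.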
