Firewall – How to allow FTP protocol behind Cisco ASA Firewall

ciscocisco-asafirewallftp

We're having trouble getting to our FTP server from behind a Cisco ASA firewall that we just installed. We've got HTTP and other protocols working, but FTP doesn't seem to work properly.

I can connect to the server, but I can't do any commands in it. Which I think has something to do with passive and active FTP modes.

Is there an issue regarding a negotiated port that I'll never really know until after the server has connected?

Best Answer

I'm guessing you're having problems with active FTP. You're looking for the following:

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
 inspect ftp
!
service-policy asa_global_fw_policy global

The ASA doesn't have a "fixup ftp" like the PIX did, but this will do what you need.

Related Solutions

Firewall – problem with passive FTP behind cisco asa firewall

Ancient topic, but I ran into similar problems recently and figured my $.02 might help somebody.

In my case, we're running IIS 7.5 behind a slightly older version of ASA, which we're in the process of replacing. We have an existing FTP site and my plan was to simply add FTPS support with the certificate & maybe getting our network admins to open up a few ports. IIS has a similar masquerade setting for each FTP site named "External IP Address of Firewall", which is, itself, misleading.

the TL/DR version: If your FTP server allows you to specify a masquerade IP & a range of ports used for PASV connections, you SHOULD be able to fix this by opening up those ports & disabling ftp inspection.

Due to some some other constraints, I wasn't able to get inspection disabled on our ASA, so I had to make some compromises. Here's what I observed/learned:

The ASA can only inspect non-encrypted traffic. duh?
The default behavior of the ASA is to inspect a number of protocols, including FTP.
the client authenticates on server port 21 and determines the feature set supported by the server.
The client, if so configured, will send a PASV request to the server
The server will respond with "227 entering passive mode (a,b,c,d,e,f)" where a.b.c.d is the server address and e*256 + f = port number
The a.b.c.d address will be the internal IP unless the masquerade address is configured
the FTP inspection will rewrite the a.b.c.d address to the external IP and open up the specified port for this client.
If the a.b.c.d address IS the external address, the response packet is discarded. *This might be due to the strict option, which I could not verify.
CuteFTP will recognize a non-routable IP in the PASV response and attempt to use the server's external address instead.
the ASA can't read the SSL-encrypted FTPS traffic, so it bypasses the inspection and works.

So in our case, when I set the masquerade IP, I was able to connect just fine via FTPS, but regular FTP would fail. When I removed the masquerade IP, I was still able to connect to both FTP and FTPS using CuteFTP, but our primary client wasn't able to connect to FTPS. (their system wasn't "smart" enough to translate the non-routable IP...)

So my lame workaround was using two separate sites: one that used a masquerade IP and required SSL, the other site that didn't.

TMI, but maybe it helps somebody work through this.

Cisco – 2 Cisco ASA + 4 Cisco switches – best way to connect all together

Given the precise hardware you mention I do not have anything to add that has not already been mentioned.

The idea of having two EtherChannels, one to each switch in the rack, per ASA could be simplified quite a bit by using stackable switches. I realize that if you already have the hardware this is moot - however it could simplify future implementations with a slight change to hardware acquisition.

The Cisco 2960S line (the latest model refresh in the Catalyst 2960 series) support stacking through the FlexStack stack module -- similar to how the 3750's are stackable with StackWise[+]. FlexStack and StackWise are not the same, but from an administrative standpoint they yield many of the same results. For those that don't want to plunge into chassis switches, Cisco's stacking capabilities on the 2960S's and 3750[V2,E,X]'s provide a handful of similar functions.

In this case specifically cross-stack EtherChannel can yield much simplification. With cross-stack EtherChannel it would be possible to configure a single EtherChannel from one ASA with one PHY interface going to the first switch in the rack and a second PHY interface in the EtherChannel going to the second switch in the same rack. Additionally, the switches in the stack (in the same rack) do not need EtherChannels configured between them -- as their inter-connectivity is provided via 2960S FlexStack.

FlexStack cables can be up to 3m in length -- depending on how close your racks are together you may be able to stack all four switches.

With multiple ASA's in HA the desired redundancies can be achieved with quite a bit simplified.

I bring this up because I have similar objectives you list met with ASA's in HA and stacked 3750X's at a few client data center sites.

Best Answer

Related Solutions

Firewall – problem with passive FTP behind cisco asa firewall

Cisco – 2 Cisco ASA + 4 Cisco switches – best way to connect all together

Related Topic