Firewall – problem with passive FTP behind cisco asa firewall

ciscocisco-asafirewallftp

i've problems connecting to an ftp-server behind a cisco asa firewall using passive mode. ftp works using active and "extended passive" mode, however: when i turn off "extended passive" (epsv in ftp console client app), it does not work anylonger — all commands result in a timeout. however we need non-"extended passive" mode for some application we use.

any ideas?

thanks,
harald

UPDATE / SOLUTION

as it turns out, it was not exactly ASA's fault, or was it? i had to turn of masquerading in proftpd configuration. i had the masquerading-address in proftpd-config set to the IP address of the ftp-server domain and that resulted in unexpected things when passing traffic through the asa. now — without address masquerading — everything works very well.

Best Answer

Ancient topic, but I ran into similar problems recently and figured my $.02 might help somebody.

In my case, we're running IIS 7.5 behind a slightly older version of ASA, which we're in the process of replacing. We have an existing FTP site and my plan was to simply add FTPS support with the certificate & maybe getting our network admins to open up a few ports. IIS has a similar masquerade setting for each FTP site named "External IP Address of Firewall", which is, itself, misleading.

the TL/DR version: If your FTP server allows you to specify a masquerade IP & a range of ports used for PASV connections, you SHOULD be able to fix this by opening up those ports & disabling ftp inspection.

Due to some some other constraints, I wasn't able to get inspection disabled on our ASA, so I had to make some compromises. Here's what I observed/learned:

The ASA can only inspect non-encrypted traffic. duh?
The default behavior of the ASA is to inspect a number of protocols, including FTP.
the client authenticates on server port 21 and determines the feature set supported by the server.
The client, if so configured, will send a PASV request to the server
The server will respond with "227 entering passive mode (a,b,c,d,e,f)" where a.b.c.d is the server address and e*256 + f = port number
The a.b.c.d address will be the internal IP unless the masquerade address is configured
the FTP inspection will rewrite the a.b.c.d address to the external IP and open up the specified port for this client.
If the a.b.c.d address IS the external address, the response packet is discarded. *This might be due to the strict option, which I could not verify.
CuteFTP will recognize a non-routable IP in the PASV response and attempt to use the server's external address instead.
the ASA can't read the SSL-encrypted FTPS traffic, so it bypasses the inspection and works.

So in our case, when I set the masquerade IP, I was able to connect just fine via FTPS, but regular FTP would fail. When I removed the masquerade IP, I was still able to connect to both FTP and FTPS using CuteFTP, but our primary client wasn't able to connect to FTPS. (their system wasn't "smart" enough to translate the non-routable IP...)

So my lame workaround was using two separate sites: one that used a masquerade IP and required SSL, the other site that didn't.

TMI, but maybe it helps somebody work through this.

Best Answer

Related Solutions

Firewall – FTP Active/Passive not working like I expect

Firewall – How to allow FTP protocol behind Cisco ASA Firewall

Related Topic