FTP Services on ASA 5505

So this is my configuration for an ASA 5505.

I set up VPN, SMTP, and WWW.

VPN and SMTP work; now I need the FTP access to work.  It's a pretty
simple config, just need FTP incoming.  I really am having a hard time
figuring it out.

Any ideas:


!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.***.***.*** 255.255.255.248
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
 ospf cost 10
!
passwd ********** encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
 domain-name *******.com
object-group service test tcp
 port-object range 1 65000
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq https
access-list outside_access_in remark Allow website access
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq www
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq 4125
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq 3389
access-list outside_access_in extended permit tcp any host **** eq 3389
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq pptp
access-list outside_access_in extended permit tcp any host **** eq 3389
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq smtp
access-list outside_access_in extended permit ip any host 66.244.240.165
access-list outside_access_in extended permit tcp any host 66.244.240.165 eq ftp
access-list outside_access_in extended permit tcp any host 66.244.240.165 eq ftp-data
access-list outside_access_in extended permit icmp any any
access-list inside_access_out remark Allow all outbound
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit tcp any object-group test any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (inside) 1 Geotech3 netmask 255.255.255.0
global (outside) 10 interface
nat (inside) 10 192.168.101.0 255.255.255.0
static (inside,outside) 66.***.***.*** ServerName netmask 255.255.255.255
static (inside,outside) 66.***.***.*** GCSSBSDEN-01 netmask 255.255.255.255
static (inside,outside) 66.224.240.165 Geotech3 netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.224.240.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.155.0 255.255.255.0 inside
http 192.168.101.0 255.255.255.0 inside
http GGT 255.255.255.255 outside
http GGT2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal  20
telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.101.0 255.255.255.0 inside
ssh GGT 255.255.255.255 outside
ssh GGT2 255.255.255.255 outside
ssh timeout 5



Re: FTP Services on ASA 5505


This might have to do with the FTP mode being used.  Active mode FTP and
passive mode FTP are the choices.  The access-list allows the inbound
FTP connection but you probably do not need the access-list entry for
FTP-data.

Try this command:
no ftp mode passive

Also consider adding the fixup FTP command or the inspect FTP command in
the global policy.

-----
Scott Perry
Indianapolis, IN
-----
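
Added example, not part of either post: a small Python check over a few lines copied from the configuration in the question. It reports whether each inbound FTP rule names an address that a static translation publishes, and whether the `inspect ftp` suggested in the reply is present. The name `audit_ftp` and the regular expressions are this example's own assumptions, and it handles only the `access-list ... any host` and `static (inside,outside)` forms that appear in the post.

```python
import re

# Constructed sample: a few lines taken from the configuration posted above,
# with the wrapped lines rejoined. Not a complete ASA configuration.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit ip any host 66.244.240.165
access-list outside_access_in extended permit tcp any host 66.244.240.165 eq ftp
access-list outside_access_in extended permit tcp any host 66.244.240.165 eq ftp-data
static (inside,outside) 66.224.240.165 Geotech3 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# Hypothetical helper patterns for the two statement forms used in the post.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit (\S+) any host (\S+)(?: eq (\S+))?\s*$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
INSPECT_RE = re.compile(r"^\s*inspect ftp\b")


def audit_ftp(config):
    """Return a list of findings about inbound FTP in the given config text."""
    lines = config.splitlines()
    # Mapped (outside) addresses that a static translation publishes.
    mapped = {m.group(3) for m in map(STATIC_RE.match, lines) if m}
    findings = []
    for line in lines:
        m = ACL_RE.match(line)
        if not m:
            continue
        acl, proto, host, port = m.groups()
        # An FTP permit is only useful if the destination is a published address.
        if port in ("ftp", "21") and host not in mapped:
            findings.append(
                f"{acl}: ftp permitted to {host}, but no static maps that address")
        # A protocol of 'ip' makes the narrower per-port entries redundant.
        if proto == "ip":
            findings.append(
                f"{acl}: 'permit ip any host {host}' permits all IP traffic to that host")
    if not any(INSPECT_RE.match(l) for l in lines):
        findings.append("no 'inspect ftp' line found in this text")
    return findings


if __name__ == "__main__":
    for finding in audit_ftp(SAMPLE_CONFIG):
        print(finding)
```

On the sample lines it reports that the access list permits FTP to 66.244.240.165 while the static publishes 66.224.240.165.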
