I am having some issues with allowing this through our ASA. I started pulling the config apart to post but started googling and I see some stuff about having to allow other high ports. I currently have what I think are the correct ones, 21 and 20.
Anything blatent that I am missing or should I continue to post the config here?
TIA.
Is your FTP server a passive or active server? For active server you have the correct ports open. For passive try this:
conf t ftp mode passive exit wri mem
Passive is already on on the ASA. Here is the offending line in the syslog output. I think this has to do with the High Ports that are used with setting up the data port. As I can get connected but as soon as I type either DIR or LS it hangs.
Deny tcp src dmz:Internal_Web_Mail_Server/20 dst outside:MOPS_Thru_Watchguard/30536 by access-group "dmz_access_in" [0x0, 0x0]
MOPS_Thru_Watchguard is the IP that some of our users surf out to the internet as.
2 things:
Also could you post the contents of of ACL DMZ_access_IN?
I don't have any of the things in your previous post. Fixup, etc. I think I have included everything that goes with these.
access-list dmz_access_in extended permit object-group TCPUDP1 host Internal_Web_Mail_Server any eq domain access-list dmz_access_in extended permit tcp host Internal_Web_Mail_Server any object-group DM_INLINE_TCP_4 access-list dmz_access_in extended permit tcp host External_Web_Mail_Server host Internal_Web_Mail_Server object-group DM_INLINE_TCP_3
object-group protocol TCPUDP1 protocol-object udp protocol-object tcp
name 192.168.18.3 Internal_Web_Mail_Server description Internal_Web_Mail_Server name a.b.c.194 External_Web_Mail_Server description External_Web_Mail_Server
object-group service DM_INLINE_TCP_3 tcp port-object eq ftp port-object eq www port-object eq pop3 port-object eq smtp port-object eq ftp-data
object-group service DM_INLINE_TCP_4 tcp port-object eq ftp port-object eq ftp-data port-object eq smtp port-object eq www
Thanks Artie. Your post got me digging around and the "fixup protocol ftp 21" just got it working! I don't know how I missed that. Guess I need to read up more and see what else is missing!
Good to hear!
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.