
Cisco ASA 5505 and ftp??

17 years 3 weeks ago #23806 by Anders
Hello

I'm new to Cisco products and have just started to understand the ASDM for my ASA 5505. Now I have a small problem. One of my servers is an FTP server using ioFTPD. This server is also a member of a Domain.
Now I've read a lot of guides and tips about how to set things up so that my FTP server would be reachable by anyone on the internet. My problem is that I have a hard time getting it to work. I can access my FTP within the internal network, but as soon as I try to connect using my public IP address, it's not reachable. So with the little knowledge I have I can say that some things are not set up correctly in my ASA 5505.

My FTP uses port 9999.

So I created a Static NAT rule where my real source is my FTP server and the translated source is my public IP, using the TCP protocol on port 9999.

Then I created an Access Rule: Outside, Incoming, to allow any to connect to my public IP on port 9999.

What am I doing wrong?

Please someone that knows what to do help me.

//Anders
17 years 3 weeks ago #23817 by Smurf
Replied by Smurf on topic Re: Cisco ASA 5505 and ftp??
Hi there,

Is there any reason why you are using a non-standard FTP port?

The issue here is that you are using this non-standard port, and FTP actually uses two ports. One is for the control and another for the data transfer.

The ASA can use the Inspect rules to ensure that it can keep track of the FTP communication and the additional ports that are required for this traffic; if you are on a non-standard port, the ASA will not know that this is FTP traffic.

Is there no option to configure the daemon to use standard ports? If not, there is a way to tell the inspect that your port is for FTP. I cannot remember it off the top of my head, but if you need to know, let me know and I will find it for ya.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 3 weeks ago #23819 by Anders
Replied by Anders on topic Re: Cisco ASA 5505 and ftp??
Sure, I could configure it to run on port 21.
Also, in the config file for the FTP it says that it is using ports 1024-2048 for data transfers. Is that something I have to change as well?

//Anders
17 years 3 weeks ago #23824 by Smurf
Replied by Smurf on topic Re: Cisco ASA 5505 and ftp??
Not sure about that specific FTP daemon. If you take a look at the networking section of this site under Protocols --> FTP, it will explain the process. Basically you can have two types, Active/Passive. In Active, the server will try to set up the additional ports (which can sometimes fail through firewalls unless they can inspect the traffic), but in Passive, the host decides that (the server will tell the host what to use and the host will then set up the connection).

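The thread points at the fix without spelling it out: keep the static NAT and the inbound access rule for the control port, and then tell the ASA that traffic on that port is FTP so the inspection engine can open the data connection on demand. The configuration below is an added example written for this thread, not something posted by Anders or Smurf and not taken from an ioFTPD or Cisco document. It assumes pre-8.3 ASA syntax (the 5505 era of this thread), an inside server at 192.168.1.10 (a constructed address), the interface names `inside` and `outside`, and the ASA's default `global_policy` service policy; change those to match the real setup.

```cisco
! Added example (not from the original thread). Assumes ASA 7.x/8.0/8.2 syntax,
! a constructed server address 192.168.1.10 and the default global_policy.

! 1. Static PAT: map TCP 9999 on the outside interface address to the FTP server.
static (inside,outside) tcp interface 9999 192.168.1.10 9999 netmask 255.255.255.255

! 2. Inbound access rule: allow anyone to reach the control port only.
!    Do NOT open 1024-2048 (ioFTPD's data range) inbound; inspection handles that.
access-list outside_in extended permit tcp any interface outside eq 9999
access-group outside_in in interface outside

! 3. Tell the ASA that TCP 9999 carries FTP so 'inspect ftp' engages on it.
!    (By default the FTP inspector only watches TCP 21.)
class-map ftp-port-9999
 match port tcp eq 9999

policy-map global_policy
 class ftp-port-9999
  inspect ftp

! global_policy is already applied globally on a default install; this line is
! only needed if it was removed.
service-policy global_policy global
```

With `inspect ftp` engaged on port 9999 the ASA reads the PORT/PASV exchange on the control channel, opens a pinhole for exactly the negotiated data port for the life of that transfer, and rewrites the private address the server embeds in its PASV reply to the public one. That is why a static inbound rule for the whole 1024-2048 range is neither needed nor wise: it would leave a permanent hole that any host on the internet can probe, whereas the inspected pinhole exists only for the client and port that the FTP session actually negotiated. A quick check after applying this is `show service-policy inspect ftp`, which should show the packet counters under the new class-map increasing when a client connects on 9999; if they stay at zero, the class-map is not matching and the connection is being handled as plain TCP.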