TOPIC: Allowing FTP through ASA/Firewall

Allowing FTP through ASA/Firewall 7 years 9 months ago #29095

  • timparker
  • Distinguished Member
  • Posts: 96
  • Karma: 0
I am having some issues with allowing this through our ASA. I started pulling the config apart to post but started googling and I see some stuff about having to allow other high ports. I currently have what I think are the correct ones, 21 and 20.

Anything blatant that I am missing, or should I continue to post the config here?

TIA.

Re: Allowing FTP through ASA/Firewall 7 years 9 months ago #29100

  • timparker
  • Distinguished Member
  • Posts: 96
  • Karma: 0
Never mind on this, I found the answer. For those that might want/need this later, I didn't have:

fixup protocol ftp 21

in my config. Added it in and poof, it works!

Re: Allowing FTP through ASA/Firewall 7 years 9 months ago #29146

  • skepticals
  • Expert Member
  • Posts: 783
  • Karma: 0
What exactly does that line do?

Re: Allowing FTP through ASA/Firewall 7 years 9 months ago #29150

  • timparker
  • Distinguished Member
  • Posts: 96
  • Karma: 0
That actually is the line from PIX 6.3 code. The ASA, though, I found out, converts it to the correct Policy Map, Traffic Inspection and Service Policy.

Re: Allowing FTP through ASA/Firewall 7 years 9 months ago #29158

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Basically, the Fixup allows the Firewall to inspect (inspect is actually what is used in version 7+) the traffic. It checks it for RFC compliance, etc., but more importantly it makes the firewall FTP aware. This means that the firewall can monitor the FTP Communication and can open the necessary secondary ports that are required with the FTP protocol (i.e. Port 21 for the Command; once data is actually being transmitted, Port 20 is used for the data, and this needs to be allowed through the firewall; while it's inspecting the traffic, the firewall will notice which port the traffic is coming from and dynamically open it).

It would be worth reading about it within this site, in particular the differences between PASV and ACTIVE (PORT) Modes: http://www.firewall.cx/ftp.php
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
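
The dynamic port opening described in the post above, as an added example that is not part of the original thread and is not ASA code: a simplified Python model of how an FTP-aware inspection reads the RFC 959 `PORT` command and `227` reply on the control channel and derives the one temporary data-channel rule to allow. The function names, the no-NAT assumption, the refusal of ports below 1024 and the sample addresses are assumptions of this example.

```python
import re

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 (six decimal octets).
_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

# Constructed sample control-channel lines (documentation addresses).
SAMPLE = [
    "PORT 198,51,100,7,195,80",                       # active mode, from client
    "227 Entering Passive Mode (192,0,2,10,195,80)",  # passive mode, from server
]

def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply, else None."""
    text = line.strip()
    if not (text.upper().startswith("PORT ") or text.startswith("227 ")):
        return None
    m = _HOSTPORT.search(text[4:])
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed: every field must fit in one octet
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def pinhole_for(line, client_ip, server_ip):
    """Return the (src_ip, dst_ip, dst_port) rule a control line justifies.

    The advertised address must belong to the endpoint that sent the line,
    so the control channel cannot be used to open a path to a third host.
    Assumes no NAT between the endpoints (hypothetical simplification).
    """
    parsed = parse_hostport(line)
    if parsed is None:
        return None
    ip, port = parsed
    if port < 1024:
        return None  # this example refuses data channels on well-known ports
    if line.strip().upper().startswith("PORT "):
        # Active mode: the client listens, the server connects to it.
        return (server_ip, client_ip, port) if ip == client_ip else None
    # Passive mode (227): the server listens, the client connects to it.
    return (client_ip, server_ip, port) if ip == server_ip else None
```

Without this parsing step, a static rule set that only permits ports 21 and 20 has no way to know which negotiated port the data connection will use.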

Re: Allowing FTP through ASA/Firewall 7 years 9 months ago #29195

  • skepticals
  • Expert Member
  • Posts: 783
  • Karma: 0
Thank you for the info. I will check that out.