Sir, I have problem when i connect the FTP from internet with ftps protocol.
Enviroment: ASA 5510, Filezilla Server on Windows 2008, all the computers in company, the NAT has been configured on the ASA, The FTP server doesn't belong to the DMZ,
What i configured on the ASA for the task:
object-group service FTP
description Filezilla FTP Dymanic Group
service-object tcp range 50000 51000
service-object tcp eq 990
access-list FTP extended permit object-group FTP any host 1.1.1.1
static (inside,outside) tcp interface 990 2.2.2.2 990 netmask 255.255.255.255
access-group FTP in interface outside
The following is the Filezilla server log:
000096)10/16/2012 2:43:36 AM - (not logged in) (3.3.3.3)> Connected, sending welcome message...
(000096)10/16/2012 2:43:36 AM - (not logged in) (3.3.3.3)> 220-Welcome to XXXXX FTP Server.
(000096)10/16/2012 2:43:36 AM - (not logged in) (3.3.3.3)> 220 If you have any problems, please send emails to XXXXXX
(000096)10/16/2012 2:43:37 AM - (not logged in) (3.3.3.3)> SSL connection established
(000096)10/16/2012 2:43:37 AM - (not logged in) (3.3.3.3)> USER ustest
(000096)10/16/2012 2:43:37 AM - (not logged in) (3.3.3.3)> 331 Password required for ustest
(000096)10/16/2012 2:43:37 AM - (not logged in) (3.3.3.3)> PASS ******
(000096)10/16/2012 2:43:37 AM - ustest (3.3.3.3)> 230 Logged on
(000096)10/16/2012 2:43:38 AM - ustest (3.3.3.3)> PBSZ 0
(000096)10/16/2012 2:43:38 AM - ustest (3.3.3.3)> 200 PBSZ=0
(000096)10/16/2012 2:43:38 AM - ustest (3.3.3.3)> PROT P
(000096)10/16/2012 2:43:38 AM - ustest (3.3.3.3)> 200 Protection level set to P
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> PWD
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> 257 "/" is current directory.
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> TYPE I
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> 200 Type set to I
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> PORT 3,3,3,3,198,209
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> 200 Port command successful
(000096)10/16/2012 2:43:40 AM - ustest (3.3.3.3)> MLSD
(000096)10/16/2012 2:43:40 AM - ustest (3.3.3.3)> 150 Opening data channel for directory list.
(000096)10/16/2012 2:43:50 AM - ustest (3.3.3.3)> 425 Can't open data connection.
(000096)10/16/2012 2:43:55 AM - ustest (3.3.3.3)> disconnected.
What i have try:
1、Connect from intranet, Works
2、Replace Passive mode with Active on filezilla client, failed
3、Telnet Publick IP: 990, connected;
4、Test on http://ftptest.net, time out. but we have a FTP server in Beijing and the same environment, we can access the FTP with Filezilla client, but we can pass test on http://ftptest.net, Weired
According to the article i list, the author think it won't be success if i use FTPS, realy?
https://learningnetwork.cisco.com/docs/DOC-8774
Does any one can help me to troubleshoot the problem?
Thanks in advance.
Bruce
Enviroment: ASA 5510, Filezilla Server on Windows 2008, all the computers in company, the NAT has been configured on the ASA, The FTP server doesn't belong to the DMZ,
What i configured on the ASA for the task:
object-group service FTP
description Filezilla FTP Dymanic Group
service-object tcp range 50000 51000
service-object tcp eq 990
access-list FTP extended permit object-group FTP any host 1.1.1.1
static (inside,outside) tcp interface 990 2.2.2.2 990 netmask 255.255.255.255
access-group FTP in interface outside
The following is the Filezilla server log:
000096)10/16/2012 2:43:36 AM - (not logged in) (3.3.3.3)> Connected, sending welcome message...
(000096)10/16/2012 2:43:36 AM - (not logged in) (3.3.3.3)> 220-Welcome to XXXXX FTP Server.
(000096)10/16/2012 2:43:36 AM - (not logged in) (3.3.3.3)> 220 If you have any problems, please send emails to XXXXXX
(000096)10/16/2012 2:43:37 AM - (not logged in) (3.3.3.3)> SSL connection established
(000096)10/16/2012 2:43:37 AM - (not logged in) (3.3.3.3)> USER ustest
(000096)10/16/2012 2:43:37 AM - (not logged in) (3.3.3.3)> 331 Password required for ustest
(000096)10/16/2012 2:43:37 AM - (not logged in) (3.3.3.3)> PASS ******
(000096)10/16/2012 2:43:37 AM - ustest (3.3.3.3)> 230 Logged on
(000096)10/16/2012 2:43:38 AM - ustest (3.3.3.3)> PBSZ 0
(000096)10/16/2012 2:43:38 AM - ustest (3.3.3.3)> 200 PBSZ=0
(000096)10/16/2012 2:43:38 AM - ustest (3.3.3.3)> PROT P
(000096)10/16/2012 2:43:38 AM - ustest (3.3.3.3)> 200 Protection level set to P
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> PWD
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> 257 "/" is current directory.
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> TYPE I
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> 200 Type set to I
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> PORT 3,3,3,3,198,209
(000096)10/16/2012 2:43:39 AM - ustest (3.3.3.3)> 200 Port command successful
(000096)10/16/2012 2:43:40 AM - ustest (3.3.3.3)> MLSD
(000096)10/16/2012 2:43:40 AM - ustest (3.3.3.3)> 150 Opening data channel for directory list.
(000096)10/16/2012 2:43:50 AM - ustest (3.3.3.3)> 425 Can't open data connection.
(000096)10/16/2012 2:43:55 AM - ustest (3.3.3.3)> disconnected.
What i have try:
1、Connect from intranet, Works
2、Replace Passive mode with Active on filezilla client, failed
3、Telnet Publick IP: 990, connected;
4、Test on http://ftptest.net, time out. but we have a FTP server in Beijing and the same environment, we can access the FTP with Filezilla client, but we can pass test on http://ftptest.net, Weired
According to the article i list, the author think it won't be success if i use FTPS, realy?
https://learningnetwork.cisco.com/docs/DOC-8774
Does any one can help me to troubleshoot the problem?
Thanks in advance.
Bruce