550 No connections allowed from your IP

[mletendre]

We have a partner company that is using FTP to access and share data on our network through the ASA 5505. The FTP server is just a desktop running Filezilla Server.

On the ASA I just created a NAT rule to point 1 external IP to that desktop running Filezilla

They had been doing fine for months, and then started using other machines within their company and are now getting errors. from their CMD prompt:
C:\Dociments and Settings\Nippon>ftp 173.162.130.XXX
Connected to 173.162.130.xxx
550 No connections allowed from your IP
Connection closed by remote host.

And on the ASA in the logs I found:
Jul 16 2010 08:06:55 106015 12.20.188.10 173.162.130.xxx Deny TCP (no connection) from 12.20.188.xxx/44254 to 173.162.130.xxx/21 flags ACK on interface outside

I have done the packet tracer on the ASA and it seemed to work fine.

I also created a rule with their IP specifically but nothing works. Any suggestions?

 

[NetRx]

Can you post a scrubbed config from the ASA?

That log file usually means that the initial SYN packet was not received by the FTP server.

 

[mletendre]

scrubbing config? sorry I am not sure what you mean....

 

[NetRx]

Enter the following and post the results:

ASA#show run

'Scrubbed config' means remove any public IP address information. For example, if you have a public IP of 172.1.1.1 on an interface, change it to 172.1.x.x. Also 'star' out any passwords/keys, i.e. change 'key myPubKey' to 'key *****'.

 

[mletendre]

ASA Version 7.2(3)
!
hostname xxxxx
domain-name xxx.local
enable password 2xxxxxxxxxx encrypted
no names
ddns update method Update
ddns both
interval maximum 0 3 0 0
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.162.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
passwd xxxxxxx encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.87.xxx.xxx
name-server 68.87.xxx.xxx
domain-name xxxxxx.local
dns server-group Primary
name-server 68.87.xxx.xxx
name-server 68.67.xxx.xxx
access-list http-list extended permit ip any any
access-list inbound extended permit tcp any host 173.162.xxx.xxx eq 3389
access-list inbound extended permit ip any host 173.162.xxx.xxx
access-list inbound extended permit tcp any host 173.162.xxx.xxx
access-list inbound extended permit icmp any any
access-list inbound extended permit ip any host 173.162.xxx.xxx
access-list inbound extended permit tcp any host 173.162.xxx.xxx
access-list inbound extended permit tcp any host 173.162.xxx.xx eq 3389
access-list inbound extended permit ip any any
access-list inbound extended permit tcp any host 173.162.xxx.xxx eq 3389
access-list inbound extended permit ip host 12.20.xxx.xxx host 173.xxx.xxx.xxx
access-list inbound extended permit tcp host 12.20.xxx.xxx host 173.162.xxx.xxx
access-list inside_nat0_outbound extended permit ip any host 192.168.xxx.xxx
access-list capture1 extended permit ip any host 75.150.xxx.xxx
access-list capture1 extended permit ip host 75.150.xxx.xxx any
access-list inside_nat0_outbound_1 extended permit ip any 192.168.xxx.xxx 255.255.255.0
!
tcp-map tmap
exceed-mss allow
!
pager lines 12
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool nsa 192.168.1.100-192.168.1.140 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 173.162.xxx.xxx 192.168.1.52 netmask 255.255.255.255
static (inside,outside) 173.162.xxx.xxx 192.168.1.7 netmask 255.255.255.255
static (inside,outside) 173.162.xxx.xxx 192.168.1.141 netmask 255.255.255.255
static (inside,outside) 173.162.xxx.xxx 192.168.1.53 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 173.162.xxx.xxx 1
!
router rip
network 192.168.1.0
network 192.168.2.0
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto ca trustpoint remote
enrollment terminal
password *
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
client-update enable
telnet 192.168.1.131 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd wins 192.168.1.141
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd dns 192.168.1.141 68.87.xxx.xxx interface inside
dhcpd wins 192.168.1.141 interface inside
dhcpd update dns both interface inside
!
dhcprelay server 192.168.1.31 inside

!
class-map http
match access-list http-list
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2000
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class http
set connection advanced-options tmap
!
service-policy global_policy global
group-policy nsaremote internal
group-policy nsaremote attributes
wins-server value 192.168.1.xxx
dns-server value 192.168.1.31 68.87.xxx.xxx
vpn-tunnel-protocol IPSec
default-domain value xxx.local
nem enable
client-firewall none
username rsteele password xxxxxx encrypted privilege 0
username xxxx attributes
vpn-group-policy xxxxx
vpn-access-hours none
vpn-framed-ip-address 192.168.1.23 255.255.255.0
username xxx password xxxxxxxx encrypted
username xxx attributes
vpn-group-policy xxxxxxxx
vpn-framed-ip-address 192.168.1.29 255.255.255.0
tunnel-group xxxxxe type ipsec-ra
tunnel-group xxxxxe general-attributes
address-pool xx
authorization-server-group LOCAL
default-group-policy xxxxx
dhcp-server 192.168.1.31
tunnel-group xxxxxxxxxxx ipsec-attributes
pre-shared-key *
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:39774cd191093d0acc1f194b65baf4eb
: end

 

[NetRx]

Your config looks fine. Maybe there is an IP block for that address on FileZilla server?

See below:

http://forum.filezilla-project.org/viewtopic.php?f=6&t=3625

 

[mletendre]

nothing is in my ban or filter list, i even tried restarting filezilla server.

I just had someone else try it and they got the same thing...

6 Jul 20 2010 07:20:26 106015 150.70.xxx.xxx 173.162.xxx.xxx Deny TCP (no connection) from 150.70.xxx.xxx/443 to 173.162.xxx.xxx/4333 flags ACK on interface outside

 

[mletendre]

maybe that was a false read out on the asa because I walked her through it and she got in

 

[mletendre]

Oh the message with the 150.70.85.194 wasnt her IP, it was for Trend Micro (antivirus)

Hmm I should make sure Trend Micro isnt being blocked either

 

[NetRx]

I would say you could rule the ASA out at this point. You can also try simple telnet/FTP tests from inside the network and outside to isolate:

From inside host (not going through ASA)
-----------------
telnet <private IP address> 21

From outside host (going through ASA)
-----------------
telnet <public IP address> 21

Try the same FTP command from an inside host too.

Rich
Network Engineer - CCNA