ASA blocking access to FTP server

Status
Not open for further replies.
Sep 28, 2009
Hello,

I'm in need of assistance and was wondering if someone could help out.

I am setting up a DMZ zone on my ASA-5520. I cannot ping or ftp to the external address from home.

Log viewer shows this when I try to ftp
%PIX|ASA-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the security appliance, and it was dropped. The tcp_flags in this packet are FIN and ACK.

The tcp_flags are as follows:
• ACK—The acknowledgment number was received.
• FIN—Data was sent.
• PSH—The receiver passed data to the application.
• RST—The connection was reset.
• SYN—Sequence numbers were synchronized to start a connection.
• URG—The urgent pointer was declared valid.


Log viewer shows this when I try to ping:
%PIX|ASA-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)
The security appliance denied any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted.

I'm trying to figure out what I am doing wrong with the access rules.

Any assistance would be appreciated.
 
Post a config of the ASA.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Below is a copy of the config:

ASA Version 8.0(3)6
!
hostname myhost
domain-name rbmc.org
enable password xx
passwd xx
names
name 172.31.0.0 DMZ_zone
name 172.31.0.15 FTP_Server description FTP server in DMZ Zone
dns-guard
!
interface GigabitEthernet0/0
description External Interface
nameif Verizon-ISP
security-level 0
ip address 1.1.1.1 255.255.255.224 standby 1.1.1.2
ospf cost 10
!
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/2
description INTERNAL-NET
nameif Internal
security-level 100
ip address 2.2.2.2 255.255.255.0 standby 2.2.2.3
ospf cost 10
!
interface GigabitEthernet0/3
description DMZ Zone
nameif DMZ
security-level 0
ip address 172.31.0.51 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
!
time-range Vendor-Access
periodic Monday 9:00 to Friday 16:00
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Internal
dns server-group DefaultDNS
name-server 10.100.91.5
name-server 10.10.7.149
domain-name rbmc.org

access-list Internal_access_in remark Outbound SSH traffic to Horizon
access-list Internal_access_in extended permit tcp PAD-VLAN10-10.10.x.x 255.255.0.0 object-group Horizone_TumbleWeed_SSH_Access eq ssh
access-list Internal_access_in extended permit tcp any object-group NJIT_WebServer object-group DM_INLINE_TCP_1
access-list Internal_access_in extended permit ip object-group VPN-Tunnel-StatSch-NAT-Group VPNTunnel-StatSchedules-RemoteNet-10.226.152.x 255.255.255.0
access-list DMZ_access_in remark DMZ Zone to Internal
access-list DMZ_access_in extended permit tcp DMZ_zone 255.255.255.0 PAD-VLAN10-10.10.x.x 255.255.0.0 object-group DM_INLINE_TCP_2
access-list DMZ_access_in remark Internal to DMZ
access-list DMZ_access_in extended permit ip PAD-VLAN10-10.10.x.x 255.255.0.0 DMZ_zone 255.255.255.0
pager lines 24
logging enable
logging buffer-size 32000
logging buffered debugging
logging asdm informational
mtu Verizon-ISP 1500
mtu Internal 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (Verizon-ISP) 101 65.211.65.21-65.211.65.24 netmask 255.255.255.224
global (Verizon-ISP) 101 interface
global (DMZ) 201 65.211.65.21-65.211.65.24 netmask 255.255.255.224
nat (Internal) 0 access-list nonat
nat (Internal) 101 PAD-VLAN10-10.10.x.x 255.255.0.0
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,Verizon-ISP) VPNTunnel-StatSchedules-NAT-10.236.x.x access-list donat
access-group Verizon-ISP_access_in in interface Verizon-ISP
access-group Internal_access_in in interface Internal
access-group DMZ_access_in in interface DMZ
route Verizon-ISP 0.0.0.0 0.0.0.0 65.211.65.2 1
http server enable
http 0.0.0.0 0.0.0.0 Internal
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Verizon-ISP
ssh 0.0.0.0 0.0.0.0 Internal
ssh timeout 60
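As an added example, not from this thread, here are the pieces an ASA running pre-8.3 code such as 8.0(3) needs before an outside host can open an FTP session to a server in a DMZ. Interface names, the FTP_Server name and the Verizon-ISP_access_in ACL name are taken from the posted config; 203.0.113.25 (an RFC 5737 documentation address) is a placeholder for whatever public address is assigned to the server.

```cisco
: Added example, not the poster's config. Names and interfaces match the
: posted config; 203.0.113.25 is a placeholder public address.
!
: 1. Verizon-ISP and DMZ are both security-level 0. By default the ASA
:    drops all traffic between interfaces of the same security level,
:    so this must be enabled before any ACL or NAT rule matters.
same-security-traffic permit inter-interface
!
: 2. Outside hosts need a routable address that maps one-to-one to the
:    private DMZ address. Pre-8.3 static syntax is (real_ifc,mapped_ifc)
:    followed by mapped address, then real address.
name 203.0.113.25 FTP_Public description placeholder public IP of FTP server
static (DMZ,Verizon-ISP) FTP_Public FTP_Server netmask 255.255.255.255
!
: 3. On pre-8.3 code the inbound ACL on the outside interface refers to
:    the mapped (public) address. Permit only the FTP control channel;
:    ftp inspection opens the data channel as needed.
access-list Verizon-ISP_access_in remark Inbound FTP to DMZ server
access-list Verizon-ISP_access_in extended permit tcp any host FTP_Public eq ftp
access-list Verizon-ISP_access_in remark Echo only, for ping tests from outside
access-list Verizon-ISP_access_in extended permit icmp any host FTP_Public echo
access-group Verizon-ISP_access_in in interface Verizon-ISP
!
: 4. Inspection: ftp handles the data connection for active and passive
:    mode; icmp makes echo/echo-reply stateful so the reply from the DMZ
:    host is matched to the request instead of being checked against
:    DMZ_access_in. Both go in the default global_policy.
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
```

With these in place, a denied attempt still logs %ASA-2-106001 or %ASA-3-106014, but the src and dst interface names in the message then show which of the two ACLs (Verizon-ISP_access_in or DMZ_access_in) did the dropping.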
 