Active and passive FTP between two Cisco ASA 5505s

One of my clients has an IIS 7 FTP server running in active mode behind a Cisco ASA 5505. This setup is known to work, since external clients (once their IE settings are pointed at it) can connect to the FTP server fine. Command-line FTP in Windows and FileZilla set to active mode also work as expected.

This client's sister company now has users trying to connect who are unable to, even with IE configured correctly and FileZilla set to "Active". It seems the command channel sometimes establishes a connection, but the data channel always fails. The sister company also uses a Cisco ASA 5505. I am certain the problem is their ASA's configuration.

As shown in the configuration snippet below, their ASA has the "ftp mode passive" global configuration option enabled, and I am fairly sure that is the problem. I am trying to work out what configuration suggestions to give them to add to their config, but I would really appreciate suggestions... I am an ASA newbie still trying to get up to speed on things.

ASA Version 7.2(2)
!
**ftp mode passive**
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name vbllc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat extended permit ip any 10.0.14.0 255.255.255.128
access-list ny-vpn extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list ny-vpn extended permit ip 192.168.255.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_outside2 extended permit icmp any any
access-list acl_outside2 extended permit ip host 66.117.119.221 host 216.143.137.27
access-list acl_outside2 extended permit ip host 66.117.119.214 host 216.143.137.27
access-list OutsideNew_40_cryptomap extended permit ip 10.0.4.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list OutsideOld_access_in extended permit icmp any any
access-list SplitTunnel_splitTunnelAcl standard permit any
access-list acl_outside_fiber extended permit icmp any any
no pager
logging enable
logging buffer-size 10000
logging buffered notifications
logging asdm informational
mtu OutsideOld 1500
mtu Inside 1500
mtu test1 1500
mtu OutsideNew 1500
mtu OutsideFiber 1500
mtu management 1500
ip local pool vpn 192.168.255.1-192.168.255.254
ip local pool SplitTunnel 10.0.14.50-10.0.14.99
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OutsideOld
icmp permit any Inside
icmp permit any OutsideNew
icmp permit any OutsideFiber
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (OutsideOld) 1 interface
global (OutsideNew) 1 interface
global (OutsideFiber) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.0.4.0 255.255.255.0
static (Inside,OutsideNew) 216.143.137.27 10.0.4.5 netmask 255.255.255.255
access-group OutsideOld_access_in in interface OutsideOld
access-group acl_outside2 in interface OutsideNew
access-group acl_outside_fiber in interface OutsideFiber
route OutsideFiber 0.0.0.0 0.0.0.0 65.220.55.209 1 track 1
route OutsideOld 0.0.0.0 0.0.0.0 63.139.135.161 100
route Inside 152.179.153.229 255.255.255.255 10.0.4.1 10
route OutsideNew 208.110.65.18 255.255.255.255 216.143.137.25 1
route OutsideNew 0.0.0.0 0.0.0.0 216.143.137.25 50
route OutsideFiber 152.179.153.229 255.255.255.255 65.220.55.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SplitTunnel internal
group-policy SplitTunnel attributes
 wins-server value 10.0.4.3
 dns-server value 10.0.4.3 10.0.4.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel_splitTunnelAcl
 default-domain value vbllc.com
group-policy remotevpn internal
group-policy remotevpn attributes
 wins-server value 10.0.4.3 10.0.0.2
 dns-server value 10.0.4.3 10.0.0.2

Three things...

  • That is a very old Cisco ASA software release. If these units are new devices, they should have come with a CD containing newer software and GUI utilities (specifically the ASA ASDM software image).

  • Since Cisco firewalls are protocol-aware (and inspect packets), you can enable FTP transfers by running the fixup protocol ftp 21 command on both ASA firewalls.

  • For Cisco firewall beginners, I recommend using the ASDM graphical interface. Of course, that was added in newer software releases than the one currently installed...
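As an added example (not part of the question or answer above), the following Python script decodes the PORT and PASV exchanges on an FTP control channel and shows which side has to open the data connection; a stateful firewall that does not inspect FTP cannot learn this from the control channel, and when the client sits behind PAT the PORT command also announces an unroutable private address. The sample control-channel log, the client address 10.0.5.20 and the port numbers are constructed for this example.

```python
"""Decode FTP PORT/PASV exchanges and show why a stateful firewall
needs FTP inspection (ASA 'inspect ftp' / 'fixup protocol ftp 21')
to let the data channel through. Sample log is constructed."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed capture: client 10.0.5.20 behind PAT talking to the
# server's public (static NAT) address 216.143.137.27 from the page.
SAMPLE_LOG = """\
220 Microsoft FTP Service
USER demo
331 Password required
PASS ****
230 User logged in.
PORT 10,0,5,20,4,1
200 PORT command successful.
LIST
PASV
227 Entering Passive Mode (216,143,137,27,195,80).
LIST
"""

def decode_hostport(fields):
    """FTP encodes an endpoint as h1,h2,h3,h4,p1,p2; port = p1*256 + p2 (RFC 959)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_channels(control_log):
    """One dict per announced data channel: who dials, where to, and whether
    the announced address is private (i.e. NATed and unreachable from outside)."""
    found = []
    for line in control_log.splitlines():
        line = line.strip()
        if m := PORT_RE.match(line):            # active: server dials the client
            ip, port = decode_hostport(m.groups())
            found.append({"mode": "active", "dialer": "server", "target": f"{ip}:{port}",
                          "private_target": ipaddress.ip_address(ip).is_private})
        elif m := PASV_RE.match(line):          # passive: client dials the server
            ip, port = decode_hostport(m.groups())
            found.append({"mode": "passive", "dialer": "client", "target": f"{ip}:{port}",
                          "private_target": ipaddress.ip_address(ip).is_private})
    return found

def firewall_needs_ftp_inspection(mode, firewall_side):
    """True when the data channel arrives at that firewall as an unsolicited inbound
    connection, so only reading the control channel can open the pinhole (and fix
    up NATed addresses). Active hits the client side, passive hits the server side."""
    return (mode, firewall_side) in {("active", "client"), ("passive", "server")}
```

Run against the constructed log, the active-mode entry targets 10.0.5.20:1025, a private address no outside server can reach without the firewall rewriting the PORT payload; the passive entry targets 216.143.137.27:50000, which the server-side firewall must admit on an ephemeral port.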