Active and passive FTP between two Cisco ASA 5505s


One of my customers has an IIS 7 FTP server running in active mode behind a Cisco ASA 5505. This setup works well: external clients (once told which IE settings to use) can connect to the FTP server without any problems. Command-line FTP in Windows and FileZilla set to active mode also work as expected.

That customer's sister company now has users trying to connect, but they cannot. This happens even with IE configured correctly and FileZilla set to Active. It seems the command channel sometimes establishes a connection, but the data channel always fails. The sister company also uses a Cisco ASA 5505. I am convinced the problem is in their ASA configuration.

As the configuration snippet below shows, their ASA has the "ftp mode passive" global configuration option enabled, and I am fairly sure that is the problem. I am trying to work out what configuration to suggest they add, but I would really appreciate some advice... I am new to the ASA and still getting comfortable with it.

ASA Version 7.2(2)
!
**ftp mode passive**
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name vbllc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat extended permit ip any 10.0.14.0 255.255.255.128
access-list ny-vpn extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list ny-vpn extended permit ip 192.168.255.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_outside2 extended permit icmp any any
access-list acl_outside2 extended permit ip host 66.117.119.221 host 216.143.137.27
access-list acl_outside2 extended permit ip host 66.117.119.214 host 216.143.137.27
access-list OutsideNew_40_cryptomap extended permit ip 10.0.4.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list OutsideOld_access_in extended permit icmp any any
access-list SplitTunnel_splitTunnelAcl standard permit any
access-list acl_outside_fiber extended permit icmp any any
no pager
logging enable
logging buffer-size 10000
logging buffered notifications
logging asdm informational
mtu OutsideOld 1500
mtu Inside 1500
mtu test1 1500
mtu OutsideNew 1500
mtu OutsideFiber 1500
mtu management 1500
ip local pool vpn 192.168.255.1-192.168.255.254
ip local pool SplitTunnel 10.0.14.50-10.0.14.99
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OutsideOld
icmp permit any Inside
icmp permit any OutsideNew
icmp permit any OutsideFiber
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (OutsideOld) 1 interface
global (OutsideNew) 1 interface
global (OutsideFiber) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.0.4.0 255.255.255.0
static (Inside,OutsideNew) 216.143.137.27 10.0.4.5 netmask 255.255.255.255
access-group OutsideOld_access_in in interface OutsideOld
access-group acl_outside2 in interface OutsideNew
access-group acl_outside_fiber in interface OutsideFiber
route OutsideFiber 0.0.0.0 0.0.0.0 65.220.55.209 1 track 1
route OutsideOld 0.0.0.0 0.0.0.0 63.139.135.161 100
route Inside 152.179.153.229 255.255.255.255 10.0.4.1 10
route OutsideNew 208.110.65.18 255.255.255.255 216.143.137.25 1
route OutsideNew 0.0.0.0 0.0.0.0 216.143.137.25 50
route OutsideFiber 152.179.153.229 255.255.255.255 65.220.55.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SplitTunnel internal
group-policy SplitTunnel attributes
 wins-server value 10.0.4.3
 dns-server value 10.0.4.3 10.0.4.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel_splitTunnelAcl
 default-domain value vbllc.com
group-policy remotevpn internal
group-policy remotevpn attributes
 wins-server value 10.0.4.3 10.0.0.2
 dns-server value 10.0.4.3 10.0.0.2

Answer 1

Three things...

  • This is a very old version of the Cisco ASA software. If these are new devices, they should have come with a CD containing newer software and the GUI utility (specifically as a software image for the automated test and test system).

  • Because Cisco firewalls are protocol-aware (and inspect packets), you can run the `fixup protocol ftp 21` command on both ASA firewalls to enable ftp transfers through them.

  • For someone new to Cisco firewalls, I recommend using the ASDM graphical interface. Naturally, this gets better as the currently installed software version is updated...
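As an added illustration (not code from the question or the answer), the Python model below shows the decision a stateful firewall in front of the FTP client has to make for each data channel: it parses the PORT command or 227 reply on the control channel, works out who must open the data connection, and reports whether that connection gets through with and without FTP inspection (`inspect ftp`, the successor of `fixup protocol ftp 21`). The function names and the sample control-channel lines are constructed for this example; the only page value reused is the server's public address 216.143.137.27.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (client announces where the server must connect)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) (server announces its data port)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_data_endpoint(line):
    """Return ('active'|'passive', ip, port) for a PORT command or a 227
    reply, or None for any other control-channel line."""
    for mode, rx in (("active", PORT_RE), ("passive", PASV_RE)):
        m = rx.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
            return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def client_side_verdict(line, inspect_ftp):
    """Verdict of the firewall protecting the FTP *client* (the sister
    company's ASA in the question). inspect_ftp=True models FTP inspection:
    the firewall reads the control channel, opens a pinhole for the announced
    data connection and fixes up a private address embedded behind NAT.
    Returns (allowed, reason)."""
    parsed = parse_data_endpoint(line)
    if parsed is None:
        return True, "control channel only, nothing to decide"
    mode, ip, port = parsed
    if mode == "passive":
        # Client connects outbound to the server's data port, so the data
        # channel is ordinary outbound traffic, like the control channel.
        return True, f"client opens outbound data connection to {ip}:{port}"
    # Active mode: the server must connect inbound to the client's data port.
    if not inspect_ftp:
        if ipaddress.ip_address(ip).is_private:
            return False, f"PORT carries private address {ip}, unreachable via NAT"
        return False, f"unsolicited inbound connection to {ip}:{port} hits outside ACL"
    return True, f"pinhole opened for inbound data connection to {ip}:{port}"


# Constructed control-channel lines: an active-mode client behind PAT and the
# passive reply a server would send instead.
ACTIVE_LINE = "PORT 10,0,4,25,19,137"                             # 10.0.4.25:5001
PASSIVE_LINE = "227 Entering Passive Mode (216,143,137,27,195,89)"  # :50009

if __name__ == "__main__":
    for line in (ACTIVE_LINE, PASSIVE_LINE):
        for inspect in (False, True):
            print(line, "inspect" if inspect else "no inspect",
                  client_side_verdict(line, inspect))
```

On the ASA, `ftp mode passive` only selects the mode for the FTP client the ASA itself uses for `copy` transfers; pinholes for FTP traffic passing through the box come from FTP inspection in the global policy.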
