A client of mine has an IIS 7 FTP server running in active mode behind a Cisco ASA 5505. This setup works well: external clients (once instructed on the IE settings) can connect to the FTP server without any problems. Command-line FTP in Windows and FileZilla set to active mode also work as expected.
The client's sister company now has users trying to connect, but they cannot. This is the case even with IE configured correctly and FileZilla set to Active. It appears the command channel sometimes establishes a connection, but the data channel always fails. The sister company also uses a Cisco ASA 5505. I am certain the problem is in their ASA configuration.
As shown in the config snippet below, their ASA has the "ftp mode passive" global configuration option enabled, and I am fairly sure that is the problem. I am trying to figure out what configuration to suggest they add, but I would really appreciate advice... I am new to the ASA and still getting familiar with it.
ASA Version 7.2(2)
!
**ftp mode passive**
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name vbllc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 192.168.255.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list nonat extended permit ip any 10.0.14.0 255.255.255.128
access-list ny-vpn extended permit ip 10.0.4.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list ny-vpn extended permit ip 192.168.255.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_outside2 extended permit icmp any any
access-list acl_outside2 extended permit ip host 66.117.119.221 host 216.143.137.27
access-list acl_outside2 extended permit ip host 66.117.119.214 host 216.143.137.27
access-list OutsideNew_40_cryptomap extended permit ip 10.0.4.0 255.255.255.0 10.0.5.0 255.255.255.0
access-list OutsideOld_access_in extended permit icmp any any
access-list SplitTunnel_splitTunnelAcl standard permit any
access-list acl_outside_fiber extended permit icmp any any
no pager
logging enable
logging buffer-size 10000
logging buffered notifications
logging asdm informational
mtu OutsideOld 1500
mtu Inside 1500
mtu test1 1500
mtu OutsideNew 1500
mtu OutsideFiber 1500
mtu management 1500
ip local pool vpn 192.168.255.1-192.168.255.254
ip local pool SplitTunnel 10.0.14.50-10.0.14.99
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OutsideOld
icmp permit any Inside
icmp permit any OutsideNew
icmp permit any OutsideFiber
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (OutsideOld) 1 interface
global (OutsideNew) 1 interface
global (OutsideFiber) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.0.4.0 255.255.255.0
static (Inside,OutsideNew) 216.143.137.27 10.0.4.5 netmask 255.255.255.255
access-group OutsideOld_access_in in interface OutsideOld
access-group acl_outside2 in interface OutsideNew
access-group acl_outside_fiber in interface OutsideFiber
route OutsideFiber 0.0.0.0 0.0.0.0 65.220.55.209 1 track 1
route OutsideOld 0.0.0.0 0.0.0.0 63.139.135.161 100
route Inside 152.179.153.229 255.255.255.255 10.0.4.1 10
route OutsideNew 208.110.65.18 255.255.255.255 216.143.137.25 1
route OutsideNew 0.0.0.0 0.0.0.0 216.143.137.25 50
route OutsideFiber 152.179.153.229 255.255.255.255 65.220.55.209 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy SplitTunnel internal
group-policy SplitTunnel attributes
 wins-server value 10.0.4.3
 dns-server value 10.0.4.3 10.0.4.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnel_splitTunnelAcl
 default-domain value vbllc.com
group-policy remotevpn internal
group-policy remotevpn attributes
 wins-server value 10.0.4.3 10.0.0.2
 dns-server value 10.0.4.3 10.0.0.2
Answer 1
Three things...
This is a very old version of the Cisco ASA software. If these are new devices, they should have come with a CD containing newer software and the GUI utility (specifically, ASA and ASDM software images).
Since Cisco firewalls are protocol-aware (and inspect packets), you can run the command
fixup protocol ftp 21
on both ASA firewalls to enable FTP transfers through them. For Cisco firewall beginners, I recommend using the ASDM GUI. Of course, this functionality improves as the currently installed software version is updated...
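The fix the answer points at, written out in ASA 7.2 Modular Policy Framework syntax as an added example that is not part of the original post. It assumes the sister company's ASA still has the default `inspection_default` class map and `global_policy` policy map (names not shown in the pasted config).

```cisco
! Added example (not from the original post): ASA 7.2 configuration that
! enables FTP inspection for sessions passing THROUGH the firewall.
! On 7.x the legacy "fixup protocol ftp 21" from the answer is accepted
! and rewritten by the ASA into this Modular Policy Framework form.
!
! Why it fixes the symptom: an active-mode client behind NAT sends a PORT
! command carrying its private 10.x address. Without inspection the server
! tries to open the data channel to that unreachable address, so the
! command channel works but the data channel always fails. With "inspect ftp"
! the ASA rewrites the embedded address to the translated one and opens a
! pinhole only for the data connection the PORT command announced.
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
service-policy global_policy global
!
! Verification after applying (show commands only; they change nothing):
!   show running-config policy-map
!   show service-policy inspect ftp
```

Note that `ftp mode passive` in the pasted config only governs the ASA's own FTP client (used by `copy` to or from an FTP server); it has no effect on FTP sessions passing through the firewall, which are controlled by FTP inspection as above.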