10 Replies. Latest reply: Jul 21, 2016 7:33 PM by Robert

    Active mode FTP showing destination port of 20?

    Robert

      Hi All,

      I was looking at the log buffer on ASDM while messing around with FTP and noticed that when in active mode, both TCP connections are client to server. The client is at 172.16.0.3 and the Server is at 10.0.0.3. Here is a screenshot of the log buffer -

      [image: FTP ASDM.JPG]

      Does anyone know why it is showing like this? The second TCP connection should be initiated by the server from port 20, not from the client to port 20.

      When in passive mode, the logging shows as I would expect. I can't figure out why this is happening...

      Any ideas?

      Kind Regards,

      Robert

        • 1. Re: Active mode FTP showing destination port of 20?
          Juergen Ilse CCNA R&S

          Have you configured "ftp mode passive" in your ASA? I think that is part of the "factory default configuration" and it is very often part of ASA configuration files ... So, I tried it with my ASA (which has the line "ftp mode passive" in its configuration) and I see that with FTP in active mode (client is inside) the data connection is established between port 20 of the server and a high port of the client, while with passive FTP the data connection gets established between high ports on server and on client. But I see all data connections as "outbound" connections:

          active ftp:

          Jul 13 23:16:30 ilse-asa : %ASA-6-302013: Built outbound TCP connection 2654156 for outside:62.48.88.90/20 (62.48.88.90/20) to inside:62.48.88.2/48791 (62.48.88.2/48791)

          passive ftp:

          Jul 13 23:20:02 ilse-asa : %ASA-6-302013: Built outbound TCP connection 2654291 for outside:62.48.88.90/33646 (62.48.88.90/33646) to inside:62.48.88.2/53097 (62.48.88.2/53097)

          So I have no explanation for what you saw in ASDM. Are you really sure that you used active FTP?

          • 2. Re: Active mode FTP showing destination port of 20?
            Robert

            Hi Juergen,

            Thanks for the reply. Sorry I didn't make it clear in my original post, the FTP connection is going through the ASA, not to it. Here is the network -

            [image: network.JPG]

            The FTP connection is going from the Linux Server (172.16.0.3) to the FTP server running on the Windows 7 machine (10.0.0.3). This is the terminal getting the file hello.txt from the Windows 7 box -

            [image: Linux Ter.JPG]

            Passive mode is definitely off.

            I checked the log in ASDM again and it was the same result -

            [image: Example transfer.JPG]

            Really can't understand why it is showing like this....

            Any help trying to figure this out would be greatly appreciated.

            Regards,

            Robert

            • 3. Re: Active mode FTP showing destination port of 20?
              Juergen Ilse CCNA R&S

              The cited logs were also for FTP through the ASA, not FTP to the ASA. The ASA in this scenario had the IP address 62.48.88.1.

              • 4. Re: Active mode FTP showing destination port of 20?
                Ismael da Silva Mariano

                Hello, folks! How are you doing?

                Robert,

                Could you please configure a capture in the ASA?

                First capture traffic at the DMZ interface, next at INSIDE. With Wireshark we will see if the ASA is doing something different with the client's request.

                Cheers!

                • 5. Re: Active mode FTP showing destination port of 20?
                  Samer

                  Hi,

                  Try to use Wireshark on the FTP server and filter the output to only the IP address for traffic coming from 172.16.0.3.

                  • 6. Re: Active mode FTP showing destination port of 20?
                    Ismael da Silva Mariano

                    Folks,

                    It is an issue of interpretation, see:

                    ASA ASDM knows it is an active TCP connection in favor of 172.16.0.3, so the source is always logged as the client. But the log messages indicate the real direction of traffic.

                    1) Two messages showing the connection opened by the client request - open command

                    Teardown TCP connection 133 for DMZ:172.16.0.3/52674 to INSIDE:10.0.0.3/20 duration 0:00:00 bytes 12 TCP FINs

                    SYSLOG ID 302014
                    Event - Connection accepted
                    Direction - Client ---> Server on port 20 (control)

                    Built INBOUND TCP connection 133 for DMZ:172.16.0.3/52674 (172.16.0.3/52674) to INSIDE:10.0.0.3/20 (10.0.0.3/20)

                    SYSLOG ID 302013
                    Event - Connection accepted
                    Direction - Client ---> Server on port 20 (control) ---> INBOUND (from DMZ to INSIDE)

                    2) Two messages showing the FTP transfer by the client - GET command

                    FTP connection from DMZ:172.16.0.3/50888 to INSIDE 10.0.0.1/21 user ROBERT retrieved file hello.txt

                    SYSLOG ID 303002
                    Event - FTP Connection
                    Direction - Client ---> Server on port 21 (data) ---> INBOUND (from DMZ to INSIDE)

                    Built INBOUND TCP connection 130 for DMZ:172.16.0.3/50888 (172.16.0.3/50888) to INSIDE:10.0.0.3/21 (10.0.0.3/21)

                    SYSLOG ID 302013
                    Event - Connection accepted
                    Direction - Client ---> Server on port 21 (data) ---> INBOUND (from DMZ to INSIDE)

                    Sources:

                    https://docs.tibco.com/pub/loglogic_log_source_packages/23.0.0_march_2012/Documentation/LSCG_CiscoASA.pdf

                    Troubleshoot Connections through the PIX and ASA - Cisco

                    Cheers!
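As an added example (not part of the thread), a small parser for the ASA 302013/302014 lines quoted above: it pairs Built and Teardown messages by connection ID and labels which FTP channel each flow belongs to, flagging the client-first presentation Ismael describes for the active-mode data channel. The sample log is constructed from lines posted in this thread, with a syslog-style prefix added to the ASDM lines.

```python
import re

# Cisco ASA 302013 (Built) / 302014 (Teardown) TCP messages. An endpoint is
# "<interface>:<real ip>/<port>", optionally followed by "(mapped ip/port)".
_EP = r"(?P<{n}_if>[^:\s]+):(?P<{n}_ip>[^/\s]+)/(?P<{n}_port>\d+)(?: \([^)]*\))?"
BUILT_RE = re.compile(r"Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) for "
                      + _EP.format(n="a") + " to " + _EP.format(n="b"), re.I)
TEARDOWN_RE = re.compile(r"Teardown TCP connection (?P<cid>\d+) for " + _EP.format(n="a")
                         + " to " + _EP.format(n="b") + r" duration \S+ bytes (?P<bytes>\d+)", re.I)

# Constructed sample: Juergen's two lines plus connection 133 as Ismael transcribed it.
SAMPLE_LOG = """\
Jul 13 23:16:30 ilse-asa : %ASA-6-302013: Built outbound TCP connection 2654156 for outside:62.48.88.90/20 (62.48.88.90/20) to inside:62.48.88.2/48791 (62.48.88.2/48791)
Jul 13 23:20:02 ilse-asa : %ASA-6-302013: Built outbound TCP connection 2654291 for outside:62.48.88.90/33646 (62.48.88.90/33646) to inside:62.48.88.2/53097 (62.48.88.2/53097)
%ASA-6-302013: Built INBOUND TCP connection 133 for DMZ:172.16.0.3/52674 (172.16.0.3/52674) to INSIDE:10.0.0.3/20 (10.0.0.3/20)
%ASA-6-302014: Teardown TCP connection 133 for DMZ:172.16.0.3/52674 to INSIDE:10.0.0.3/20 duration 0:00:00 bytes 12 TCP FINs
"""

def parse(line):
    """Return a dict for a Built/Teardown message, or None for any other line."""
    m, event = BUILT_RE.search(line), "built"
    if not m:
        m, event = TEARDOWN_RE.search(line), "teardown"
    if not m:
        return None
    rec = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
    rec["event"] = event
    return rec

def ftp_role(rec):
    """Label the FTP channel; with FTP inspection the ASA lists the control-connection
    client first even when the server opened the active-mode data channel from port 20."""
    if rec["b_port"] == 21:
        return "control"
    if rec["b_port"] == 20:
        return "active-data (server-initiated, logged client-first)"
    if rec["a_port"] == 20:
        return "active-data (server-initiated)"
    return "other/passive-data"

def summarize(log_text):
    conns = {}  # connection id -> labelled flow, Built and Teardown merged
    for rec in filter(None, map(parse, log_text.splitlines())):
        c = conns.setdefault(rec["cid"], {"role": ftp_role(rec), "bytes": None})
        if rec["event"] == "built":
            c["direction"] = rec["dir"].lower()
        else:
            c["bytes"] = rec["bytes"]
    return conns
```

Running `summarize(SAMPLE_LOG)` labels connection 133 as a server-initiated data channel despite its client-first wording, while Juergen's line 2654156 shows the same channel logged server-first without that presentation.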

                    • 7. Re: Active mode FTP showing destination port of 20?
                      Ismael da Silva Mariano

                      Hey!

                      Another thing came to my mind.

                      The FTP data connection is permitted because of the stateful inspection rule. There are no rules explicitly enabling it. Maybe if you put a rule explicitly permitting traffic from the server and enable logging, the ASA will log this traffic also.

                      Cheers!

                      • 8. Re: Active mode FTP showing destination port of 20?
                        John_B

                        What version are you on? I just rolled back an ASA5516 to fix a logging issue. The ASA didn't see my management interface as a connected route. It was not reaching my logging server. I went from 9.5(2)10 to 9.4(7).

                        • 9. Re: Active mode FTP showing destination port of 20?
                          Juergen Ilse CCNA R&S

                          John_B wrote:

                          What version are you on? I just rolled back an ASA5516 to fix a logging issue. The ASA didn't see my management interface as a connected route. It was not reaching my logging server. I went from 9.5(2)10 to 9.4(7).

                          If I remember correctly, a documented change of firmware 9.5 was that the management interface is in a separate VRF since that version, but I never used 9.5 or above until now.

                          • 10. Re: Active mode FTP showing destination port of 20?
                            Robert

                            Hi All,

                            Apologies for the late reply, really appreciate all of your responses.

                            I used Wireshark to monitor the traffic as Samer and Ismael suggested and this confirmed traffic was flowing as expected, the FTP data going from 10.0.0.3:20 to 172.16.0.3:(ephemeral port).

                            Turns out the reason it was displaying weird in ASDM logging was due to stateful inspection of FTP as Ismael described in comment #7.

                            I disabled inspection of FTP in the global service policy and allowed all IP traffic between the INSIDE and DMZ; this is then what the logs looked like -

                            [image: FTP correct.JPG]

                            This is now showing as I would have expected.

                            Thanks again everyone for all your help.

                            Regards,
                            Robert