两台Cisco ASA 5505之间的主动和被动FTP
两台Cisco ASA 5505之间的主动和被动FTP
提问于 2013-02-14 04:26:20
我的一个客户端在Cisco ASA 5505后面有一个处于活动模式的IIS 7 FTP服务器。这种设置是很好的,因为外部客户端(一旦对IE设置进行了指示)能够连接到FTP服务器,而不会出现问题。在Windows和FileZilla中设置为活动模式的命令行FTP也按预期工作.
这个客户的姐妹公司现在有用户试图连接,但无法连接。即使IE被正确配置并且FileZilla被设置为Active。看起来命令通道有时会建立连接,但是数据通道总是失败。这家姐妹公司还使用思科公司ASA 5505。我确信问题是他们的ASA的配置。
如下面的配置片段所示,他们的ASA启用了"ftp模式被动“全局配置选项,并且非常肯定这就是问题所在。我试图找出什么配置建议,他们添加到他们的配置,但我真的很感激的建议.我是个新手,还在努力跟上进度。
ASAVersion7.2(2)
!
**ftpmodepassive**
clocktimezoneEST-5
clocksummer-timeEDTrecurring
dnsserver-groupDefaultDNS
domain-namevbllc.com
same-security-trafficpermitinter-interface
same-security-trafficpermitintra-interface
access-listnonatextendedpermitip10.0.4.0255.255.255.0192.168.255.0255.255.255.0
access-listnonatextendedpermitip10.0.4.0255.255.255.010.0.0.0255.255.255.0
access-listnonatextendedpermitip10.0.4.0255.255.255.010.0.5.0255.255.255.0
access-listnonatextendedpermitipany10.0.14.0255.255.255.128
access-listny-vpnextendedpermitip10.0.4.0255.255.255.010.0.0.0255.255.255.0
access-listny-vpnextendedpermitip192.168.255.0255.255.255.010.0.0.0255.255.255.0
access-listacl_outside2extendedpermiticmpanyany
access-listacl_outside2extendedpermitiphost66.117.119.221host216.143.137.27
access-listacl_outside2extendedpermitiphost66.117.119.214host216.143.137.27
access-listOutsideNew_40_cryptomapextendedpermitip10.0.4.0255.255.255.010.0.5.0255.255.255.0
access-listOutsideOld_access_inextendedpermiticmpanyany
access-listSplitTunnel_splitTunnelAclstandardpermitany
access-listacl_outside_fiberextendedpermiticmpanyany
nopager
loggingenable
loggingbuffer-size10000
loggingbufferednotifications
loggingasdminformational
mtuOutsideOld1500
mtuInside1500
mtutest11500
mtuOutsideNew1500
mtuOutsideFiber1500
mtumanagement1500
iplocalpoolvpn192.168.255.1-192.168.255.254
iplocalpoolSplitTunnel10.0.14.50-10.0.14.99
icmpunreachablerate-limit1burst-size1
icmppermitanyOutsideOld
icmppermitanyInside
icmppermitanyOutsideNew
icmppermitanyOutsideFiber
asdmimagedisk0:/asdm-522.bin
noasdmhistoryenable
arptimeout14400
global(OutsideOld)1interface
global(OutsideNew)1interface
global(OutsideFiber)1interface
nat(Inside)0access-listnonat
nat(Inside)110.0.4.0255.255.255.0
static(Inside,OutsideNew)216.143.137.2710.0.4.5netmask255.255.255.255
access-groupOutsideOld_access_inininterfaceOutsideOld
access-groupacl_outside2ininterfaceOutsideNew
access-groupacl_outside_fiberininterfaceOutsideFiber
routeOutsideFiber0.0.0.00.0.0.065.220.55.2091track1
routeOutsideOld0.0.0.00.0.0.063.139.135.161100
routeInside152.179.153.229255.255.255.25510.0.4.110
routeOutsideNew208.110.65.18255.255.255.255216.143.137.251
routeOutsideNew0.0.0.00.0.0.0216.143.137.2550
routeOutsideFiber152.179.153.229255.255.255.25565.220.55.2091
timeoutxlate3:00:00
timeoutconn1:00:00half-closed0:10:00udp0:02:00icmp0:00:02
timeoutsunrpc0:10:00h3230:05:00h2251:00:00mgcp0:05:00mgcp-pat0:05:00
timeoutsip0:30:00sip_media0:02:00sip-invite0:03:00sip-disconnect0:02:00
timeoutuauth0:05:00absolute
group-policySplitTunnelinternal
group-policySplitTunnelattributes
wins-servervalue10.0.4.3
dns-servervalue10.0.4.310.0.4.4
vpn-tunnel-protocolIPSec
split-tunnel-policytunnelspecified
split-tunnel-network-listvalueSplitTunnel_splitTunnelAcl
default-domainvaluevbllc.com
group-policyremotevpninternal
group-policyremotevpnattributes
wins-servervalue10.0.4.310.0.0.2
dns-servervalue10.0.4.310.0.0.2回答 1
Server Fault用户
发布于 2013-02-14 05:32:17
三件事。
- 这是一个非常古老的思科ASA软件版本。如果这些是新设备,它们应该随CD一起提供,其中包含更新的软件和GUI实用程序(特别是ASA和ASDM软件映像)。
- 因为Cisco防火墙是协议感知的(并检查数据包),所以您可以通过在这两个ASA防火墙上运行
fixup protocol ftp 21命令来启用ftp传输。 - 对于Cisco防火墙初学者,我建议使用ASDM图形界面。当然,现在安装的新软件版本会增强这一点.
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/478791
复制相关文章
相似问题
添加站长 进交流群
领取专属 10元无门槛券
AI混元助手 在线答疑
关注 腾讯云开发者公众号
洞察 腾讯核心技术
剖析业界实践案例
腾讯云开发者
