Can't connect to FTP site on Internet


ASA version 8.0(2).

For testing I have removed all ACLs on the inside and outside interface. The problem is only from the Windows FTP client - works fine from other clients such as Internet Explorer FTP.

I believe the problem has to do with the Windows FTP client using active mode and the Internet Explorer FTP client using passive mode.

Is there a way to allow active mode FTP through the ASA, or do I have to stick with passive mode clients such as IE?


class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp

whisperwind Mon, 10/08/2007 - 16:06

I believe you're correct about passive/active. The inspect command allows passive FTP to be permitted.

However, in active FTP the client tells the server to talk to it on port 123 and the server attempts to connect, but since there is not a translation for that it is denied. Check your logs; I suspect you will see this reported there.

The only way I have found to allow active is to explicitly allow it via an ACL rule.

IMO passive is more secure than active, so if possible only allow passive to traverse your firewall.

whisperwind Mon, 10/08/2007 - 16:36

Not if you allow it explicitly from the outside to the client inside that must have it ;-)

Is this what the ACL would look like?

access-list OutsideIn extended permit tcp any eq ftp-data host

Because the client is sitting behind PAT, packets arriving from the Internet on my outside interface will not be addressed to the private address - rather the outside address of the ASA.

Am I following you?
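The mechanism whisperwind describes (the client advertises an address and port in the PORT command, and the server then opens a connection from tcp/20 to it) and the PAT question raised after it, as an added example that is not part of the thread and is not Cisco code: a small Python model of the data-channel negotiation in both modes, and of the PORT rewrite plus pinhole that an inspection engine installs for a client behind PAT. Hosts, ports and the topology are constructed. For the ASA, inspect ftp (already present in the posted global_policy) performs this rewrite and opens the pinhole itself, so active mode normally works from a PAT'd client once the policy is applied to the box with service-policy global_policy global; an outside ACL by itself cannot replace it, because an unsolicited inbound packet to the PAT address has no translation to land on unless the client has a static NAT. After a transfer, show conn lists the data connection the inspection engine admitted.

```python
"""Added example (not from the thread or from Cisco): FTP data-channel
negotiation in passive and active mode, and the PORT rewrite plus pinhole
a client behind PAT needs. All addresses are constructed."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumption): inside client behind PAT on the firewall's
# outside address, FTP server on the Internet. RFC 5737 documentation ranges
# stand in for public addresses.
CLIENT = "192.168.1.10"
PAT_IP = "203.0.113.2"
SERVER = "198.51.100.7"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataConn:
    """The data-channel TCP connection as the initiating side will attempt it."""
    initiator: str           # "client" (passive mode) or "server" (active mode)
    src_ip: str
    src_port: Optional[int]  # None: ephemeral
    dst_ip: str
    dst_port: int


def encode(ip: str, port: int) -> str:
    """RFC 959 h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 PASV reply."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    ipaddress.IPv4Address(ip)  # raises on a malformed address
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode(text: str):
    """Parse the tuple out of a PORT command or a 227 reply -> (ip, port)."""
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("tuple element exceeds 255")
    return ".".join(map(str, n[:4])), (n[4] << 8) | n[5]


def passive_data_conn(pasv_reply: str) -> DataConn:
    """227 reply: the server names address/port and the CLIENT connects outbound.
    A stateful firewall passes the return traffic; no inbound rule is needed."""
    ip, port = decode(pasv_reply)
    return DataConn("client", CLIENT, None, ip, port)


def active_data_conn(port_cmd: str) -> DataConn:
    """PORT command: the client names address/port and the SERVER connects inbound
    from tcp/20 (ftp-data). The client-side firewall must admit this connection."""
    ip, port = decode(port_cmd)
    return DataConn("server", SERVER, 20, ip, port)


def fixup_port(port_cmd: str, pat_ip: str, pat_port: int):
    """Model of an FTP inspection engine for a PAT'd client: rewrite the embedded
    private address/port to the PAT address/port and record a pinhole mapping the
    server's inbound connection back to the client. Returns (command, pinhole)."""
    priv_ip, priv_port = decode(port_cmd)
    rewritten = f"PORT {encode(pat_ip, pat_port)}\r\n"
    pinhole = {"permit": (SERVER, 20, pat_ip, pat_port),  # src ip, src port, dst ip, dst port
               "translate_to": (priv_ip, priv_port)}
    return rewritten, pinhole


def data_channel_works(conn: DataConn, pinholes=()) -> bool:
    """Client-initiated (passive) channels pass a stateful firewall. A
    server-initiated (active) channel works only if the advertised address is
    not RFC 1918 and a pinhole exists for exactly that connection: an unrewritten
    PORT from a PAT'd client advertises its private address and fails regardless
    of what the outside ACL permits."""
    if conn.initiator == "client":
        return True
    dst = ipaddress.ip_address(conn.dst_ip)
    if any(dst in net for net in RFC1918):
        return False
    key = (conn.src_ip, conn.src_port, conn.dst_ip, conn.dst_port)
    return any(p["permit"] == key for p in pinholes)


def scenarios() -> dict:
    """Passive works; active behind PAT fails without inspection; active with
    inspection (rewrite + pinhole) works."""
    result = {}
    pasv = f"227 Entering Passive Mode ({encode(SERVER, 50123)})\r\n"
    result["passive"] = data_channel_works(passive_data_conn(pasv))
    port_cmd = f"PORT {encode(CLIENT, 1124)}\r\n"            # client's own private address
    result["active_no_inspection"] = data_channel_works(active_data_conn(port_cmd))
    rewritten, pinhole = fixup_port(port_cmd, PAT_IP, 1124)  # PAT port chosen by the firewall
    result["active_with_inspection"] = data_channel_works(active_data_conn(rewritten), [pinhole])
    result["rewritten_port"] = rewritten
    return result


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value!r}")
```

Running it prints the three outcomes and the rewritten PORT line the server actually receives; the point of the model is the third case, where the firewall, not an ACL, supplies both the public address in the command and the matching hole for the server's connection from port 20.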

paulnigel Tue, 12/11/2007 - 01:50

I am hitting the same problem too. When I do this on the access-list insideout,

access-list insideout permit tcp any any

it works, but is there a better way?
