10-08-2007 11:46 AM - edited 03-11-2019 04:22 AM
ASA version 8.0(2).
For testing I have removed all ACLs on the inside and outside interface. The problem is only from the Windows FTP client - works fine from other clients such as Internet Explorer FTP.
I believe the problem has to do with the Windows FTP client using active mode and the Internet Explorer FTP client using passive mode.
Is there a way to allow active mode FTP through the ASA, or do I have to stick with passive mode clients such as IE?
************
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
!
************
Thanks!
10-08-2007 04:06 PM
I believe you're correct about passive / active. The inspect command allows passive FTP to be permitted.
However, in active FTP the client tells the server "talk to me on port 123" and the server attempts to connect, but since there is no translation for that it is denied. Check your logs; I suspect you will see this reported there.
The only way I have found to allow active is to explicitly allow it via an ACL rule.
IMO passive is more secure than active so if possible only allow passive to traverse your firewall.
10-08-2007 04:11 PM
Thanks for the reply. If I were to allow this explicitly via an ACL, wouldn't the data connection from the server on the Internet still fail due to lack of a translation?
Tom
10-08-2007 04:36 PM
Not if you allow it explicitly from the outside to the client inside that must have it ;-)
10-08-2007 06:54 PM
Is this what the ACL would look like?
access-list OutsideIn extended permit tcp any eq ftp-data host 192.168.1.100
Because the client is sitting behind PAT, packets arriving from the Internet on my outside interface will not be addressed to the private address - rather the outside address of the ASA.
Am I following you?
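The PAT concern in this post is the crux of active mode: the client's PORT command carries its private address in the control channel, so a server on the Internet cannot reach it unless the firewall rewrites that address and opens a matching pinhole. The Python model below is an added illustration, not code from the thread or from the ASA; the inside network 192.168.1.0/24, client port 123 and the outside address 203.0.113.5 are constructed values.

```python
# Added example: how an FTP PORT command embeds the client's private address,
# and what a PAT device's FTP inspection has to do so that the server's
# inbound data connection can be allowed and translated. Illustration only.
import re
from ipaddress import ip_address, ip_network

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port(cmd):
    """Decode an RFC 959 PORT command into (ip, port)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def build_port(ip, port):
    """Encode (ip, port) back into PORT command syntax."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

class PatFtpInspector:
    """Minimal model (hypothetical, not the ASA implementation) of what an
    FTP inspection engine must do for an inside active-mode client behind PAT:
    rewrite the private address in PORT to the outside address and remember a
    pinhole so the server's data connection is permitted and translated back."""
    def __init__(self, inside_net, outside_ip, first_port=1024):
        self.inside_net = ip_network(inside_net)
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.pinholes = {}  # (outside_ip, outside_port) -> (inside_ip, inside_port)

    def outbound(self, cmd):
        """Inspect one client->server control-channel command."""
        if not cmd.startswith("PORT "):
            return cmd
        ip, port = parse_port(cmd)
        if ip_address(ip) not in self.inside_net:
            return cmd  # not an inside client, nothing to translate
        xport = self.next_port
        self.next_port += 1
        self.pinholes[(self.outside_ip, xport)] = (ip, port)
        return build_port(self.outside_ip, xport)

    def inbound(self, dst_ip, dst_port):
        """Server's data connection hits the outside interface: return the
        inside destination if a pinhole exists, else None (connection dropped)."""
        return self.pinholes.get((dst_ip, dst_port))
```

Without the rewrite, the server would try to connect to 192.168.1.100:123 directly, which is unroutable from the Internet; with only an ACL and no translation, a packet to the outside address has no inside destination to land on.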
12-11-2007 01:50 AM
I am hitting the same problem too. When I do this on the access-list insideout,
access-list insideout permit tcp any any
it works, but is there a better way?