Can't connect to FTP site on Internet

tom.gill
Level 1

ASA version 8.0(2).

For testing I have removed all ACLs on the inside and outside interface. The problem is only from the Windows FTP client - works fine from other clients such as Internet Explorer FTP.

I believe the problem has to do with the Windows FTP client using active mode and the Internet Explorer FTP client using passive mode.

Is there a way to allow active mode FTP through the ASA, or do I have to stick with passive mode clients such as IE?

************

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
!

************

Thanks!

5 Replies

whisperwind
Level 1

I believe you're correct about passive / active. The inspect command allows passive FTP to be permitted.

However, in active FTP the client tells the server to talk to it on port 123 and the server attempts to connect, but since there is no translation for that it is denied. Check your logs; I suspect you will see this reported there.

The only way I have found to allow active is to explicitly allow it via an ACL rule.

IMO passive is more secure than active so if possible only allow passive to traverse your firewall.
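A small model of the exchange described in this reply, added here as an example that is not from the thread or from Cisco: it decodes the address/port tuple carried by a PORT command (active) and a 227 reply (passive), works out which side opens the data connection and whether plain PAT can map it, and shows the PORT rewrite an FTP inspection engine performs so the server dials the translated outside address instead of the private one. The sample control lines, the private address 192.168.1.100, the server address 203.0.113.10 and the outside PAT address 198.51.100.1 are constructed.

```python
from __future__ import annotations
import re

# Constructed sample control-channel lines (not captured from the thread's setup).
PORT_CMD = "PORT 192,168,1,100,0,123\r\n"                         # active: client listens on 192.168.1.100:123
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)\r\n"  # passive: server listens on 203.0.113.10:50000

CLIENT_PRIVATE_IP = "192.168.1.100"   # assumed inside host
SERVER_IP = "203.0.113.10"            # assumed Internet FTP server
ASA_OUTSIDE_IP = "198.51.100.1"       # assumed PAT address on the ASA outside interface

def parse_hostport(text: str) -> tuple:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", text)
    if not m:
        raise ValueError("no host/port tuple in %r" % text)
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def predict_data_channel(line: str, client_ip: str, server_ip: str) -> tuple:
    """Return (initiator, source, destination, translation_needed) for the data connection.

    Active mode: the server dials the address the client advertised. Behind PAT that
    address is private, so the inbound SYN only succeeds if the firewall rewrote PORT
    and opened a pinhole for it. Passive mode: the client dials out, and ordinary PAT
    builds the translation on the way out, so nothing extra is required."""
    ip, port = parse_hostport(line)
    if line.upper().startswith("PORT "):
        return ("server", server_ip, (ip, port), True)
    if line.startswith("227"):
        return ("client", client_ip, (ip, port), False)
    raise ValueError("not a PORT command or 227 reply")

def rewrite_port_command(line: str, pat_ip: str, pat_port: int) -> str:
    """Model of the PORT rewrite an FTP inspection engine does for active mode:
    swap the client's private address/port for the outside address and a
    translated port, so the server's data connection arrives at the firewall."""
    if not line.upper().startswith("PORT "):
        raise ValueError("only PORT commands are rewritten")
    if not 0 < pat_port < 65536:
        raise ValueError("translated port out of range")
    parse_hostport(line)  # validate the original tuple before replacing it
    encoded = pat_ip.replace(".", ",") + ",%d,%d" % (pat_port // 256, pat_port % 256)
    return "PORT " + encoded + "\r\n"
```

The rewritten PORT command is what makes the reply's point concrete: without it the server tries to reach 192.168.1.100 directly and the connection is dropped, which is what shows up in the ASA logs.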

Thanks for the reply. If I were to allow this explicitly via an ACL, wouldn't the data connection from the server on the Internet still fail due to lack of a translation?

Tom

Not if you allow it explicitly from the outside to the client inside that must have it ;-)

Is this what the ACL would look like?

access-list OutsideIn extended permit tcp any eq ftp-data host 192.168.1.100

Because the client is sitting behind PAT, packets arriving from the Internet on my outside interface will not be addressed to the private address, but rather to the outside address of the ASA.

Am I following you?

I am hitting the same problem too; when I do this on the access-list insideout,

access-list insideout permit tcp any any

it works, but is there a better way?
