I'm having trouble opening a passive FTP connection between two hosts, both of which are behind firewalls and NAT'd. The FTP inspection on my end is properly inspecting the FTP traffic and is therefore seeing the "REAL" IP address as a result of the passive mode request. I believe that the firewall is therefore dropping the request because the address is different (not the NAT address). I can't turn off FTP inspection because it would kill the ability to create active FTP sessions.
Is there a way to make a custom FTP inspection rule that would allow a passive mode connection? Both hosts are behind Cisco devices; is there some fix or workaround for this problem? BTW, the warning message is:
33406002FTP port command different address: 100.100.200.5(100.100.100.1) to 10.0.8.139 on interface outside
I changed the IPs to protect the "not so innocent".
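As an added illustration (not from the post, and not Cisco's code), the Python below reproduces the comparison behind a "port command different address" log: the h1,h2,h3,h4,p1,p2 tuple in a PORT command or 227 PASV reply is parsed and the advertised address is compared with the peer of the control connection. The sample messages are constructed; the PASV case advertises a pre-NAT private address and so fails the check, which is the situation described above.

```python
import re
import ipaddress

# Constructed sample control-channel messages (not taken from the post).
# The PASV reply advertises the server's private address, while the control
# connection was seen arriving from a public, NAT-mapped peer address.
PASV_REPLY = "227 Entering Passive Mode (10,0,8,139,195,80)."
PORT_CMD = "PORT 100,100,100,1,4,1"

# RFC 959 address/port encoding: four IPv4 octets followed by two port bytes.
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_endpoint(line: str):
    """Return (IPv4Address, port) advertised in a PORT command or 227 PASV reply."""
    m = _TUPLE_RE.search(line)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"byte out of range in: {line!r}")
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def check_ftp_data_endpoint(line: str, control_peer_ip: str):
    """Mimic the inspection rule: the data endpoint a host advertises must be the
    same address the control connection comes from. Returns (ok, reason)."""
    advertised_ip, port = parse_ftp_endpoint(line)
    peer = ipaddress.ip_address(control_peer_ip)
    if advertised_ip != peer:
        note = " (private, likely pre-NAT)" if advertised_ip.is_private else ""
        return False, f"advertised {advertised_ip}:{port}{note} != control peer {peer}"
    return True, f"advertised {advertised_ip}:{port} matches control peer"


if __name__ == "__main__":
    # Passive: server advertises 10.0.8.139 but the control session peer is the
    # NAT-mapped 100.100.200.5, so the inspection engine rejects it.
    print(check_ftp_data_endpoint(PASV_REPLY, "100.100.200.5"))
    # Active: client advertises the same address it is seen from, so it passes.
    print(check_ftp_data_endpoint(PORT_CMD, "100.100.100.1"))
```

The fix on the firewall side is for the server to advertise its NAT-mapped address in the PASV reply (or for the inspection engine to rewrite it), which is what the address comparison is checking for.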