Passive FTP and FWSM

Unanswered Question
Jan 7th, 2008

I'm having trouble opening a passive FTP connection between two hosts, both of which are behind firewalls and NAT'd. The FTP inspection on my end is properly inspecting the FTP traffic and is therefore seeing the "REAL" IP address as a result of the passive mode request. I believe that the firewall is therefore dropping the request because the address is different, (not the NAT Address). I can't turn off FTP Inspection because it would kill the ability to create active FTP sessions.

Is there a way to make a custom FTP inspection rule that would allow a passive mode connection? Both hosts are behind Cisco devices; is there some fix or workaround for this problem? BTW the warning message is:

33406002FTP port command different address: to on interface outside

I changed the IP's to protect the "not so innocent".


amritpatek Fri, 01/11/2008 - 14:30

With passive ftp the client should specify the port to be used. Make sure that the FWSM has both "ftp mode passive" and "fixup protocol ftp 21" in the config. The following links may help you.

mark.hansel Mon, 01/14/2008 - 09:05

Thanks, I understand what is supposed to happen during a passive FTP session. The problem appears to be that his firewall is not properly inspecting the FTP packet. He does have the global policy enabled, but for whatever reason his NAT device, which I have been told is a Cisco Firewall, is not re-writing the data portion of the 227 response. His box is replying with the non public IP address and my firewall is dropping the connection because it sees the connection as an FTP session hijack.

BTW the "FTP mode passive" command is only applicable to ftp sessions to the FWSM itself for the purpose of upgrading code or loading configuration files. It has no relevance to "external" FTP operations. The "fixup" commands have been replaced using policy statements.

Thanks for the reply.

Ivan Marinovic Thu, 03/03/2016 - 00:43

I have the same problem with FWSM and FTP. Did you manage to solve this?


