Active FTP on asa 5520

Jun 10th, 2008

Please, I am having a problem using active FTP from an internal machine to an external FTP server. Sometimes it works and sometimes it doesn't. I have tried the following options but with no luck:

1) permit traffic from external server with source port 21 to inside

2) use the no ftp mode passive

3) use the inspect FTP in the global policy

4) Static NAT for the client and an access-list allowing the server to reach the translated client IP address

Farrukh Haroon Tue, 06/10/2008 - 12:14

I will try to comment on your steps:


1) This ACL is not at all required. When the active FTP session begins, the control connection is initiated by the FTP client (on the inside) with a random source port greater than 1023, and the destination port is 21. This traffic will be automatically allowed back by the ASA state algorithm; the problem is the 'port 20' connection, initiated by the FTP server with source port = 20 and destination port = client's initial random source port + 1. For more details have a look at this link:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml#tshoot


2) This only applies to ASA-generated traffic.


3) This should work actually...


4) This is better if you are combining it with option one (but use the proper source port 20 ACL and not source port 21); to be honest, option 3 should be good enough.


Regards


Farrukh
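
What the inspection engine in option 3 has to do, written out as an added example (not from this thread and not Cisco's code): it reads the control channel for the client's PORT command and the server's 227 PASV reply, decodes the advertised address, and derives the data-connection flow the firewall must permit. The addresses 10.1.1.5 and 203.0.113.7 and the sample session lines are constructed.

```python
import re

# Added example: models the data-channel "pinhole" an FTP-aware firewall
# (such as the ASA's inspect ftp) derives by reading the control channel.
# Sample lines below are constructed, not captured from the thread.

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in FTP address")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_pinhole(line, client_ip, server_ip):
    """Return (src_ip, src_port, dst_ip, dst_port) for the data connection a
    control line announces, or None. src_port is None when it is ephemeral."""
    m = PORT_RE.match(line)
    if m:
        # Active mode: the client advertises its own listening port (in the
        # thread, its control source port + 1); the server then connects
        # from port 20 to it, so the inside ACL must allow that inbound flow.
        ip, port = _decode(m.groups())
        if ip != client_ip:
            raise ValueError(f"PORT address {ip} does not match client {client_ip}")
        return (server_ip, 20, ip, port)
    m = PASV_RE.match(line)
    if m:
        # Passive mode: the server advertises a port and the client connects
        # outbound to it, which the stateful ASA allows without extra ACLs.
        ip, port = _decode(m.groups())
        if ip != server_ip:
            raise ValueError(f"PASV address {ip} does not match server {server_ip}")
        return (client_ip, None, ip, port)
    return None

def session_pinholes(lines, client_ip, server_ip):
    """Collect every data-channel flow announced during a control session."""
    flows = [data_pinhole(l, client_ip, server_ip) for l in lines]
    return [f for f in flows if f is not None]

if __name__ == "__main__":
    # Constructed session: an active-mode PORT, then the server's PASV reply.
    session = ["USER bob", "PORT 10,1,1,5,4,1", "LIST",
               "227 Entering Passive Mode (203,0,113,7,195,80)"]
    for flow in session_pinholes(session, "10.1.1.5", "203.0.113.7"):
        print(flow)
```

Without inspection, the first flow (server 20 -> client 1025) is an unsolicited inbound connection that a stateful firewall drops, which is why an active-mode directory listing hangs while the login on port 21 succeeds.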


o.ilesanmi Wed, 06/11/2008 - 02:27
It doesn't work with any of these options.

It connects to the FTP server but it doesn't list the directories


Farrukh Haroon Wed, 06/11/2008 - 02:55

What traffic is being denied on your OUTSIDE access-list?


Also are you using a browser to connect or a specific FTP client?


Regards


Farrukh

o.ilesanmi Wed, 06/11/2008 - 05:12
Thanks for the responses.

We were able to get it up and running. It was an application layer issue. The client box uses passive FTP mode by default. This worked as soon as it was turned off, and it's been working ever since.

Farrukh Haroon Wed, 06/11/2008 - 05:19

OK, great that you have it working now.


That's why I was asking you about your client :)


Regards


Farrukh
