06-10-2008 06:56 AM
Please, I am having a problem using active FTP from an internal machine to an external FTP server. Sometimes it works and sometimes it doesn't. I have tried the following options but with no luck:
1) Permit traffic from external server with source port 21 to inside
2) Use the no ftp mode passive
3) Use the inspect FTP in the global policy
4) Static NAT for the client and access-list allowing server to translated client IP address
06-10-2008 12:14 PM
I will try to comment on your steps
1) This ACL is not at all required. When the active FTP session begins, the control connection is initiated by the FTP client (on the inside) with a random source port greater than 1023, and the destination port is 21. This traffic will be automatically allowed back by the ASA state algorithm. The problem is the 'port 20' connection, initiated by the FTP server with source port = 20 and destination port = client's initial random source port + 1. For more details have a look at this link:
2) Only applies to ASA-generated traffic
3) This should work actually......
4) This is better if you are combining it with option one (but use a proper source port 20 ACL and not source port 21), but to be honest, option 3 should be good enough.
Regards
Farrukh
06-11-2008 02:27 AM
It doesn't work with any of these options.
It connects to the FTP server but it doesn't list the directories.
06-11-2008 02:55 AM
What traffic is being denied on your OUTSIDE access-list?
Also are you using a browser to connect or a specific FTP client?
Regards
Farrukh
06-11-2008 05:12 AM
Thanks for the responses
We were able to get it up and running. It was an application layer issue. The client box uses passive FTP mode by default. This worked as soon as it was turned off and it's been working ever since.
06-11-2008 05:19 AM
OK, great, you have it working now.
That's why I was asking you about your client :)
Regards
Farrukh
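An added example, not part of the original thread: a small Python parser for the FTP control-channel lines that negotiate the data connection (PORT/EPRT for active mode, 227/229 replies for passive mode). It reports which side listens and on which address and port, which is the information FTP inspection reads on a firewall and what shows which mode a client is really using. Function names are hypothetical and the sample session and addresses are constructed.

```python
import re

# Control-channel patterns: RFC 959 PORT and 227 reply, RFC 2428 EPRT and 229 reply.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
EPRT_RE = re.compile(r"^EPRT \|([12])\|([^|]+)\|(\d+)\|\s*$", re.I)
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")

def _from_octets(mode, groups):
    # h1,h2,h3,h4 form the listener address; the port is p1*256 + p2.
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return (mode, ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5])

def data_endpoint(line, server_ip=None):
    """Return (mode, listener_ip, listener_port) for one control line, else None.

    "active":  the client listens; the server connects inbound to it.
    "passive": the server listens; the client connects outbound to it.
    """
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        return _from_octets("active", m.groups())
    m = PASV_RE.match(line)
    if m:
        return _from_octets("passive", m.groups())
    m = EPRT_RE.match(line)
    if m:
        return ("active", m.group(2), int(m.group(3)))
    m = EPSV_RE.match(line)
    if m:
        # A 229 reply carries only the port; the address is the control peer's.
        return ("passive", server_ip, int(m.group(1)))
    return None

def session_modes(lines, server_ip=None):
    """List every data endpoint negotiated in a captured control session."""
    found = (data_endpoint(l, server_ip) for l in lines)
    return [ep for ep in found if ep is not None]

# Constructed sample: a client that tries passive first, then active.
SAMPLE = [
    "USER demo", "331 Password required",
    "PASV", "227 Entering Passive Mode (203,0,113,10,195,80)",
    "PORT 192,168,1,20,19,137", "200 PORT command successful",
]
```

An "active" result with an inside address, as in the sample, is the case where the firewall has to both translate the embedded address and admit the server's inbound data connection.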