Checkpoint to ASA migration. Problems with pasv ftps.

Unanswered Question
Jun 26th, 2008

Moving from Checkpoint to ASA. Migrated about 20% of my policies earlier this week and had to back out one. ftps from (inside) destined for (prod-outside). Users got error message 500 Illegal PORT range when entering pasv mode...

220 FTP server (Version 6.00LS+TLS) ready.


234 AUTH SSL command successful.

SSL Session Started.

Host type (1): Automatic detect

USER myuser

331 Password required for myuser.

PASS (hidden)

230 User myuser logged in, access restrictions apply.


215 UNIX Type: L8

Host type (2): UNIX (standard)


200 PBSZ command successful (PBSZ=0).


504 PROT command not available in FTP-SSL compatibility mode.


257 "/" is current directory.


200 Type set to A.


227 Entering Passive Mode (65,217,149,5,165,146)

connecting data channel to,146(42386)

PORT 10,60,10,205,11,71

500 Illegal PORT range rejected.

Port failed 500 Illegal PORT range rejected.


221 Goodbye.

Connection closed.

Ftp inspection is enabled. Do I need to exclude this from inspection because it is encrypted? If so, how do I handle the data channel and associated dynamic ports?

Tried fixup protocol ftp 21 based upon feedback in another NetPro discussion.

Also modified policy and nat rules to permit both tcp/ftp and tcp/ftp-data.

I'm new to the ASA and not having much luck with TAC. Most recent feedback from TAC "Let me do some research about it since I am not sure if FTPS is supported on ASA firewalls. I will keep you posted." Any suggestions?

Relevant configuration items.


access-list inside_nat_outbound_1 extended permit tcp net-mynet- host object-group DM_INLINE_TCP_12

nat (inside) 10 access-list inside_nat_outbound_1


access-list from-inside extended permit tcp net-mynet- host object-group DM_INLINE_TCP_13 log warnings

access-group from-inside in interface inside

(DM_INLINE_TCP_12 and DM_INLINE_TCP_13 object-groups include tcp/ftp and tcp/ftp-data)

Inspection Policy...

access-list mss-exceeded-acl extended permit ip any any inactive

class-map mss-exceeded-map

match access-list mss-exceeded-acl

tcp-map mss-exceeded-map

exceed-mss allow

policy-map type inspect dns preset_dns_map


message-length maximum 512


id-mismatch action log

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

inspect http

inspect ils

inspect dns preset_dns_map

inspect ipsec-pass-thru

class mss-exceeded-map

set connection advanced-options mss-exceeded-map


service-policy global_policy global

a.alekseev Thu, 06/26/2008 - 14:55

try this

no access-list from-inside extended permit tcp net-mynet- host object-group DM_INLINE_TCP_13 log warnings

access-list from-inside extended permit ip net-mynet- host

access-group from-inside in interface inside

thomsmith Thu, 06/26/2008 - 15:05

Unfortunately my user and their login credentials have left for the day. I'll try tomorrow AM EST. Unsure this will make any difference. I'm not seeing any drops in the logs.

thomsmith Fri, 06/27/2008 - 11:50

It appears the outbound request for the data channel is being blocked. The server side randomly assigns a high port in pasv mode. My client then attempts to connect on this high port and is being blocked. FTP inspection would normally pick this up and allow the high port. It doesn't work here because all of the payload is encrypted. Interim fix is to allow all IP outbound to this particular destination. Not really a good long-term solution. Any better suggestions out there?

cisco24x7 Fri, 06/27/2008 - 14:09

"Moving from Checkpoint to ASA." That's a mistake if you ask me. You will lose a lot of functions in Checkpoint that you have taken for granted. Then again, it may be a corporate decision in which you do not have a choice.

1- You do not need to allow all IP outbound to this particular destination. You just need to allow tcp high-ports to this destination, not IP.

2- Ask the folks on the other end if they can restrict the number of tcp high-ports that FTPS can assign. This can be done very easily on both Microsoft IIS Server and vsFTPd server for Linux. In vsFTPd, check the vsftpd.conf file and you will see it there. Normally, you want to restrict the ftp-data ports in pasv mode between 2000 and 2100.

Easy right?
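The encrypted-control-channel problem thomsmith diagnoses above and the fixed passive range cisco24x7 recommends, as an added Python example (not from the thread, from Cisco, or from vsFTPd): it decodes the 227/PORT address encoding the way the FTP inspection engine would on a cleartext control channel, then checks the resulting data port against a static ACL that stands in for the pinhole the engine cannot open once the channel is TLS-encrypted. The server IP comes from the 227 reply quoted in the question; the restricted reply and the ACL entries are constructed to illustrate the 2000-2100 range suggested in the last reply.

```python
import re

# 227 reply and PORT command both carry h1,h2,h3,h4,p1,p2; port = p1*256 + p2.
_HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PASV_RE = re.compile(r"^227 .*\(" + _HOSTPORT + r"\)")
PORT_RE = re.compile(r"^PORT " + _HOSTPORT + r"$")

def _decode(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_pasv(line):
    """Decode a server '227 Entering Passive Mode (...)' reply into (ip, port)."""
    m = PASV_RE.match(line.strip())
    if m is None:
        raise ValueError("not a 227 reply: %r" % line)
    return _decode(m.groups())

def parse_port(line):
    """Decode a client 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port)."""
    m = PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())

def data_channel_permitted(dst_ip, dst_port, acl):
    """Static stand-in for the pinhole FTP inspection cannot open on FTPS.
    acl: list of (dst_ip, low_port, high_port) permit entries, i.e. the
    'permit tcp ... host <ip> range <lo> <hi>' lines added by hand once the
    server's passive range is pinned down."""
    return any(dst_ip == ip and lo <= dst_port <= hi for ip, lo, hi in acl)

# Passive reply quoted in the thread: data port 165*256 + 146 = 42386.
PASV_REPLY = "227 Entering Passive Mode (65,217,149,5,165,146)"
# Constructed reply from the same server after restricting it to 2000-2100
# (vsftpd: pasv_min_port=2000 / pasv_max_port=2100); 8*256 + 0 = 2048.
PASV_REPLY_RESTRICTED = "227 Entering Passive Mode (65,217,149,5,8,0)"
# Constructed ACL: ftp control port plus the pinned passive range only.
STATIC_ACL = [("65.217.149.5", 21, 21), ("65.217.149.5", 2000, 2100)]

def check(reply, acl=STATIC_ACL):
    """(ip, port, permitted) for one 227 reply against the static ACL."""
    ip, port = parse_pasv(reply)
    return ip, port, data_channel_permitted(ip, port, acl)

if __name__ == "__main__":
    for r in (PASV_REPLY, PASV_REPLY_RESTRICTED):
        print(r, "->", check(r))  # unrestricted: False, restricted: True
```

With an unrestricted server the randomly chosen port 42386 falls outside any rule you can write in advance, which is exactly why the "allow all IP" interim fix was needed; once the server is pinned to 2000-2100 a single range entry covers every data connection.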
