FXP through ASA

Unanswered Question
Jan 12th, 2009

I am running into problems with FXP through an ASA. They (the customer) use it to FTP between FTP servers, but start this process from a client.

In this case the client and one of the FTP servers are on the inside, the second FTP server is on the DMZ.

The client starts the process, but when the connection is transferred to the FTP server the ASA (per stateful inspection) sees the different source address in the session and stops the connection.

Completely logical, but not wanted.

Other than completely disabling FTP fixup, has anyone got a solution for this?

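To make the behaviour in the question concrete, here is an added Python model (not from the original thread) of the check a stateful FTP inspector applies to a PORT command. It sets up the topology the poster describes with constructed addresses (client and FTP server A on the inside, server B on the DMZ), builds the PORT command an FXP client sends to server B after server A answered PASV, and shows that the address in that PORT command differs from the control-connection source, so the data connection is refused, while a normal active-mode PORT from the client passes. The check is a simplified model of FTP inspection, not the ASA's own code.

```python
"""Why stateful FTP inspection rejects an FXP (server-to-server) transfer.

Added example, not from the original thread.  The addresses are constructed
and the check is a simplified model of what an FTP inspection engine does
with a PORT command; it is not Cisco ASA code.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed topology: client and FTP server A on the inside, server B on the DMZ.
CLIENT_IP = "10.1.1.5"
SERVER_A_IP = "10.1.1.20"      # inside FTP server (answers PASV)
SERVER_B_IP = "192.168.2.10"   # DMZ FTP server (receives the PORT command)

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_REPLY_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields of PORT / 227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


@dataclass
class Verdict:
    data_ip: str
    data_port: int
    allowed: bool
    reason: str


def inspect_control_session(client_ip, lines):
    """Apply the stateful check to every PORT command on one control session.

    `lines` is the client side of the control channel.  Modelled rule: the
    address carried in PORT must equal the source address of the control
    connection, otherwise no pinhole is opened for the data connection.  An
    FXP PORT names the *other* server, so it fails this rule.
    """
    client = ipaddress.ip_address(client_ip)
    verdicts = []
    for line in lines:
        m = PORT_RE.match(line)
        if not m:
            continue
        ip, port = decode_hostport(m.groups())
        if ip == client:
            verdicts.append(Verdict(str(ip), port, True,
                                    "PORT address matches the control-connection source; data pinhole opened"))
        else:
            verdicts.append(Verdict(str(ip), port, False,
                                    f"PORT names {ip} but the control connection comes from {client}; dropped"))
    return verdicts


def fxp_port_command(pasv_reply):
    """Build the PORT command an FXP client sends to server B after A answered PASV."""
    m = PASV_REPLY_RE.match(pasv_reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    return "PORT " + ",".join(m.groups())


# Constructed control-channel fragments.
PASV_REPLY_FROM_A = "227 Entering Passive Mode (10,1,1,20,19,137)"   # port 19*256+137 = 5001
FXP_SESSION_TO_B = ["USER demo", "PASS demo", fxp_port_command(PASV_REPLY_FROM_A), "STOR file.bin"]
NORMAL_SESSION_TO_B = ["USER demo", "PASS demo", "PORT 10,1,1,5,4,0", "RETR file.bin"]


if __name__ == "__main__":
    for name, session in (("FXP", FXP_SESSION_TO_B), ("normal active", NORMAL_SESSION_TO_B)):
        for v in inspect_control_session(CLIENT_IP, session):
            print(f"{name} transfer to {SERVER_B_IP}: data {v.data_ip}:{v.data_port} "
                  f"allowed={v.allowed} ({v.reason})")
```

Running the script prints one verdict per session: the FXP PORT naming server A is dropped, the client's own PORT is allowed. This is the "completely logical, but not wanted" outcome the poster describes; the model makes no claim about any configuration that would let the FXP case through.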
smalkeric Tue, 01/20/2009 - 06:26

I understand from the Problem Description that you need assistance with your dataport connections to your FTP server.

I would say you are hitting one of the following two issues:

You have not enabled ftp inspect.

To check, run "sh service-policy" and see if ftp is listed in the global policy.

If not:

Applying Application Layer Protocol Inspection:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html

marcelnjkoks Tue, 01/20/2009 - 11:11

It is actually enabled, and this is the reason the firewall blocks it. It suddenly sees another host in the connection and denies it.

jesper_petersen Thu, 01/12/2017 - 01:49

Hi

Did you ever find a proper solution for this? Or did you end up with completely disabling FTP inspection?
