FXP through ASA

marcelnjkoks
Level 1

I am running into problems with FXP through an ASA. They (the customer) use it to FTP between FTP servers, but start this process from a client.

In this case the client and one of the FTP servers are on the inside, the second FTP server is on the DMZ.

The client starts the process, but when the connection is transferred to the FTP server the ASA (per stateful inspection) sees the different source address in the session and stops the connection.

Completely logical, but not wanted.

Other than completely disabling FTP fixup, has anyone got a solution for this?

3 Replies 3

smalkeric
Level 6

I understand from the Problem Description that you need assistance with your dataport connections to your FTP server.

I would say you are hitting one of the following two issues:

You have not enabled ftp inspect

To check, run "sh service-policy" and see if ftp is listed in the global policy.

If not:

Applying Application Layer Protocol Inspection:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html

It is actually enabled, and this is the reason the firewall blocks it. It suddenly sees another host in the connection and denies it.

Hi

Did you ever find a proper solution for this? Or did you end up with completely disabling FTP inspection?
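
The address mismatch described in the first post, as an added example that is not part of the thread and is not Cisco's implementation: in FXP the client sends one server a PORT command naming the other server, so a stateful FTP inspector that compares the PORT address with the control-connection peer sees a third host. The function names and all addresses below are constructed for illustration.

```python
import ipaddress
import re

# RFC 959: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)

def parse_port(line):
    """Return (ip, port) from an FTP PORT command, or None if it is not well formed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def check_port(control_peer, line):
    """Classify one command seen on a control connection opened by control_peer.

    'allow'       : not a PORT command, or PORT names the peer itself
    'third-party' : PORT names another host (the FXP pattern)
    'malformed'   : PORT with unparsable arguments
    """
    if not line.strip().upper().startswith("PORT"):
        return "allow"
    parsed = parse_port(line)
    if parsed is None:
        return "malformed"
    ip, _port = parsed
    same = ipaddress.IPv4Address(ip) == ipaddress.IPv4Address(control_peer)
    return "allow" if same else "third-party"

# Constructed sample: client 10.0.0.5 (inside) talking to the DMZ server.
# The PORT argument is the inside FTP server 10.0.0.20, port 50000, taken
# from that server's PASV reply on the other control connection.
SAMPLE_SESSION = [
    ("10.0.0.5", "USER demo"),
    ("10.0.0.5", "TYPE I"),
    ("10.0.0.5", "PORT 10,0,0,20,195,80"),
    ("10.0.0.5", "STOR backup.bin"),
]

def review_session(session):
    """Return the verdict for every command in a (peer, command) list."""
    return [check_port(peer, cmd) for peer, cmd in session]

if __name__ == "__main__":
    for (peer, cmd), verdict in zip(SAMPLE_SESSION, review_session(SAMPLE_SESSION)):
        print(f"{peer:10} {cmd:28} {verdict}")
```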
