This was all working so I'm not sure what has changed.
We have a Windows 2003 FTP server that we can access internally fine. Usually we can access it over the Internet using its public IP, but it has stopped working.
I have the following rules:
access-list outside_access_in extended permit tcp any host *.*.*.72 eq ftp
access-list outside_access_in extended permit tcp any host *.*.*.72 eq ftp-data
static (DMZ10_Web_Svrs,outside) *.*.*.72 192.168.15.4 netmask 255.255.255.255
From the Internet I get the logon page (when I go to ftp://*.*.*.72) and put my username and password in and I get accepted.
I get the message "getting contents of folder" in the left hand corner, but then get a "time out" error. If I go to the FTP server then to and look at current connections I see that I am connected.
I have rebuilt the FTP server and get the same results, I have even installed FTP on another Windows server and get the same results, so it must be on the ASA5520.
I opened up port 80 and installed a simple web page and that worked.
I can see my ASA has policy maps > inspect ftp. Could this be anything? It's like it's an outbound issue back to the client, as it works fine on the LAN.
Your ACL is not correct. You need to understand how Active and Passive FTP work:
Active FTP: client connects to server on port 21. Server uses port 20 to transfer data back to client. In the 2nd phase, the FTP server is the client and the FTP client is the server.
Passive FTP: client connects to server on port 21. Server tells the client a port > 1024 to use for the data transfer. Client then makes a 2nd connection from its >1024 ports to the server > 1024 ports. In this scenario, the client does all the work, server does nothing.
Therefore, the second-line ACL ftp-data is not needed at all. You will never see a match in this ACL.
In your scenario, since you're doing NAT, you must enable "fixup protocol ftp 21" or your FTP will fail.
If you bypass the ASA, does FTP still work? If that works, it is probably a bug in the ASA code, just guessing.
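Added example, not part of the thread above: in FTP the server's passive-mode reply (227) and the client's PORT command carry an IP address and port inside the control-channel payload, which is why a NAT device has to inspect and rewrite FTP, and a login that succeeds followed by a listing that times out is consistent with that rewrite not happening. This Python sketch decodes those lines from a client-side capture and flags a private address that came through NAT unchanged; the function names and the 203.0.113.72 stand-in for the masked public IP are assumptions.

```python
import ipaddress
import re

# Six comma-separated numbers: h1,h2,h3,h4,p1,p2 (RFC 959 host-port encoding).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (ip, port) from a 'PORT ...' command or a '227 ...' reply, else None."""
    if not (line.startswith("227 ") or line.upper().startswith("PORT ")):
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2


def check_control_line(line, peer_ip):
    """Classify one control-channel line as seen on the far side of the NAT.

    peer_ip is the address the control connection (TCP 21) actually talks to.
    """
    parsed = parse_hostport(line)
    if parsed is None:
        return "no data-channel address in this line"
    ip, port = parsed
    if ip == ipaddress.ip_address(peer_ip):
        return f"ok: data channel {ip}:{port} matches control peer"
    if any(ip in net for net in _RFC1918):
        return f"broken: private address {ip}:{port} not rewritten by NAT"
    return f"mismatch: data channel {ip}:{port} differs from control peer {peer_ip}"


if __name__ == "__main__":
    public = "203.0.113.72"  # constructed stand-in for the masked *.*.*.72
    samples = [  # constructed control-channel lines, not captured from the thread
        "227 Entering Passive Mode (192,168,15,4,19,137)",  # inside address leaked
        "227 Entering Passive Mode (203,0,113,72,19,137)",  # rewritten by inspection
        "230 User logged in.",
    ]
    for s in samples:
        print(s, "->", check_control_line(s, public))
```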