Unanswered Question
Apr 18th, 2009

Dear All,

I am not able to access FTP from the internal network or office; if I connect from somewhere other than my office, I can access it.

What port do I have to enable on the ASA 5510 & ISA?

roshan.maskey Sat, 04/18/2009 - 18:19


I assume that the office connected interface is configured as inside with security-level 100.

Check the following:

1. ACL bound to the inside interface

asa(config)# show run access-group

if it results: access-group inside_access_in in interface inside

then: show run access-list inside_access_in

verify if the acl has: access-list inside_access_in permit tcp any eq ftp

where is your office network.

If your network has no such ACL, add one.

2. Check your service policy

run command: asa(config)# sh run service-policy

check: if there is global_policy or interface policy applied to inside interface.

3. Check what protocols are inspected

run command: sh run policy-map

find: the policy and verify "inspect ftp" is there in inside class-map of policy-map applied to inside interface.

If you don't find one, add one.

If possible, post your config for review.



sibgathullah Sun, 04/19/2009 - 04:39

Dear Roshan,

Thanks for your answer, but I would like to elaborate... I have my FTP server somewhere outside my network on a public IP, and from my network I cannot access it. I have enabled ports 20 & 21, but I am still not able to access it.

AxiomConsulting Mon, 04/20/2009 - 04:53

Further to Roshan's earlier post, once the ACL is added (or you have confirmed that you have one), run the following command to ensure that the ACL has a hit count.

sho access-list

Also, ensure that this FTP server is accessible from the outside of your network; if possible, set up a machine directly connected to your internet connection (purely for testing!).



sibgathullah Mon, 04/20/2009 - 23:50

Dear ,

Below is the access list which is configured on the ASA. But I am still not able to access the FTP site.

access-list out-in line 22 extended permit tcp any eq ftp any eq ftp (hitcnt=0)

access-list out-in line 23 extended permit tcp any gt 1023 any gt 1023 (hitcnt=3517)

access-list out-in line 24 extended permit tcp any eq ftp-data any eq ftp-data (hitcnt=0)
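
The hit-count check suggested earlier in the thread, applied to the entries posted above, as an added example that is not part of the original discussion: Python that parses "show access-list" entries and flags ones that never matched or whose port match cannot fit a client-initiated connection. The function names are my own, and it assumes the entry layout shown in the thread (no "range" operator or object-groups).

```python
import re

# access-list NAME line N extended ACTION PROTO SRC [PORT] DST [PORT] (hitcnt=K)
ENTRY = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<body>.+?) \(hitcnt=(?P<hits>\d+)\)"
)
PORT_OPS = {"eq", "gt", "lt", "neq"}  # one-argument port operators only


def split_endpoints(tokens):
    """Turn ['any','eq','ftp','any','gt','1023'] into [(addr, port), (addr, port)]."""
    endpoints, i = [], 0
    while i < len(tokens) and len(endpoints) < 2:
        width = 1 if tokens[i] == "any" else 2   # "any" | "host A.B.C.D" | "NET MASK"
        addr, i = " ".join(tokens[i:i + width]), i + width
        port = None
        if i < len(tokens) and tokens[i] in PORT_OPS:
            port, i = " ".join(tokens[i:i + 2]), i + 2
        endpoints.append((addr, port))
    return endpoints


def review_acl(output):
    """Return one dict per ACL entry with its hit count and review notes."""
    results = []
    for line in output.splitlines():
        m = ENTRY.search(line)
        ends = split_endpoints(m["body"].split()) if m else []
        if len(ends) != 2:
            continue
        (src, sport), (dst, dport) = ends
        hits, notes = int(m["hits"]), []
        if hits == 0:
            notes.append("never matched (hitcnt=0)")
        if sport and sport.startswith("eq ") and sport == dport:
            notes.append(f"source and destination ports both pinned to '{sport[3:]}'; "
                         "a client's source port is normally ephemeral")
        if m["action"] == "permit" and src == dst == "any" and not (dport or "").startswith("eq "):
            notes.append("broad permit: any source to any destination, not limited to one service port")
        results.append({"acl": m["acl"], "line": int(m["line"]), "hits": hits, "notes": notes})
    return results


SAMPLE = """\
access-list out-in line 22 extended permit tcp any eq ftp any eq ftp (hitcnt=0)
access-list out-in line 23 extended permit tcp any gt 1023 any gt 1023 (hitcnt=3517)
access-list out-in line 24 extended permit tcp any eq ftp-data any eq ftp-data (hitcnt=0)
"""  # the three entries as posted in the thread
```

Calling review_acl(SAMPLE) returns lines 22 and 24 with both notes for a zero hit count and matching source and destination ports, and line 23 with the broad-permit note.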

AxiomConsulting Tue, 04/21/2009 - 00:28

Please can you post your access-group config so I can see what direction the ACLs have been applied.


