Allowing Passive FTP connections on the ASA5540

Answered Question
Apr 22nd, 2009
I am attempting to establish an FTP connection with an outside vendor FTP server in order to download software patches. The vendor's FTP server switches to Passive FTP mode, which means my client has to reconnect to the server using high ports for both the source and destination. The only way that I have found to get the connection to work is to configure an ACE on my Inside interface ACL that allows an "any to any" connection using tcp ports >1023. To me, this causes a conflict with my security policies, as any other connection, to a potentially malicious server, can be created.


What is the recommended way to get Passive FTP to work without compromising security? I have FTP mode passive enabled on the ASA and also have FTP Passive enabled within my browser.


Thanks,

Keith



Correct Answer by cisco24x7, Wed, 04/22/2009 - 13:16

"fixup protocol ftp 21".


That will fix your problem without compromising security.


Easy right?

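As an added illustration (not configuration posted in this thread), here is the permissive workaround Keith describes placed next to the inspection-based fix the accepted answer points at. The interface and ACL names (`inside`, `inside_access_in`) are assumptions. On the ASA, the legacy `fixup protocol ftp 21` command is accepted and converted into `inspect ftp` under the global service policy, which is the modern form shown here.

```text
! --- Workaround described in the question (too permissive): ---
! Every inside host may open any TCP high port to any outside host,
! not just the data channel of this one FTP session.
access-list inside_access_in extended permit tcp any any gt 1023
access-group inside_access_in in interface inside

! --- Fix from the accepted answer, in current ASA syntax: ---
! "fixup protocol ftp 21" is the legacy form; the ASA converts it to this.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! With inspection on, the ASA parses the FTP control channel (port 21),
! reads the server's PASV reply and opens a pinhole for only that data
! connection, so the broad "gt 1023" ACE can be removed:
no access-list inside_access_in extended permit tcp any any gt 1023
```

To confirm the inspection engine is actually seeing the session, `show service-policy inspect ftp` shows per-policy packet counters, and `show conn` lists the dynamically opened data connection while a transfer is running. Two caveats a practitioner should keep in mind: the engine can only open the pinhole if it can read the control channel, so a vendor server listening on a non-standard control port needs that port added to the class-map, and an FTPS server with an encrypted control channel cannot be inspected this way at all.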
kduckett Thu, 04/23/2009 - 04:16
Yes, this was easy and resolved my problem. I really appreciate the assistance.


Thanks,

Keith
