Unanswered Question
Mar 25th, 2010

Hi all,

We have ASA5510/20 running in NAT/routed mode. We received a request to open ports for an internal server to make an FTPS connection to outside servers. The internal server initiates the connection. The external vendor asked us to open 9021 (FTP ctrl) & 20000-20099 (PASV/EPASV) for their IPs. A long time back, while I was testing FTPS via PIX, I ran into some data transfer issues. Never got a chance to check on it later. The ASAs are running 7.2 (4) and 7.1 (2). Using one-to-one NAT for servers. Does this still pose encryption issues for FTPS, or should we not expect any issues with the FTPS connectivity (with the above said ports opened)?

Thanks in advance


shailesh.h Thu, 03/25/2010 - 08:34

1. Using one-to-one NAT with FTP exposed to the outside should not be a problem if the application is running on the ports defined by the server admin team.

2. To get an insight view, you can monitor sample FTP sessions and check for any dropping of packets. If you still face the problem, ask the server team to carry out a sample FTP from the inside network. If it is successful, then it should be successful from outside as well.

3. Sometimes, even on servers, some policies maintained either by antivirus or the FTP application need visibility besides network access control.

Hope this will help you to resolve the problem.

mvsheik123 Thu, 03/25/2010 - 12:54

Hi Shailesh,

Thanks for the reply. But in the case of FTPS (FTP/SSL), due to the encryption there may be an issue while the firewall inspects the incoming traffic. Thanks again.


Jennifer Halim Thu, 03/25/2010 - 14:48

Absolutely correct. Since the FTP is encrypted, the ASA is not able to inspect the FTP packet to dynamically open a pinhole for FTP data.
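The consequence of that answer in ASA 7.x configuration terms, as an added example that is not from this thread or from Cisco documentation. All addresses, the ACL name and the interface names are placeholders: 10.1.1.10 is the internal server, 203.0.113.10 its one-to-one NAT address, and 198.51.100.20 the vendor's FTPS server; the ports are the ones the vendor requested in the original post.

```cisco
! One-to-one (static) NAT for the internal server
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Outbound permits. These are only needed if an access-group is applied to
! the inside interface; without one, traffic from a higher- to a lower-
! security interface is allowed by default.
!
! The point from the thread: the FTPS control channel is encrypted, so the
! ASA cannot read the PASV/EPSV reply and open the data-port pinhole itself.
! The vendor's passive range therefore has to be permitted explicitly,
! restricted to the vendor's address rather than opened to any destination.
access-list INSIDE_OUT extended permit tcp host 10.1.1.10 host 198.51.100.20 eq 9021
access-list INSIDE_OUT extended permit tcp host 10.1.1.10 host 198.51.100.20 range 20000 20099
access-group INSIDE_OUT in interface inside
!
! The default "inspect ftp" in the global policy matches cleartext FTP on
! port 21 only, so it neither helps nor applies to FTPS on 9021. Adding 9021
! to an FTP inspection class gains nothing, because inspection cannot parse
! the encrypted control stream to find the passive port.
```

To verify the rule is hit, `show access-list INSIDE_OUT` shows per-line hit counts after a test transfer, and the session from the server should show the data connection landing inside 20000-20099.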

shailesh.h Fri, 03/26/2010 - 03:32

>> Did you manage to check whether FTPS is working locally? If yes, then get the output of netstat -n from the system. It will show you the ports open on the server. This also confirms whether there is an issue with the server or the client.

>> Once this is confirmed, you can establish on one side that there is no problem with the FTPS server and client software they are using.

>> You can cross-verify the ports with the output of the netstat -n command.
