Been working on this issue for a while now, and I don't know the ASA well enough to know where to troubleshoot.
Here's our issue: we have issues connecting to FTPES sites (FTP over Explicit TLS/SSL (port 21), not SFTP (port 22)) from our network.
Normal passive FTP connection works fine from our network.
I have nailed it down to the ASA, because when I bypass the box, my test machine can connect to the FTPES site just fine.
Using FileZilla, from our network, we can connect to the site and log in, but it fails when trying to do a directory listing.
Here's the log from FileZilla:
Error: GnuTLS error -53: Error in the push function.
Response: 425 Can't open data connection.
Error: Failed to retrieve directory listing
Response: 421 Connection timed out.
I have searched Google and it all points to NAT issue.
The thing is, I don't think the connection from that machine is NAT-ed (when I go to sites like whatsmyip, it shows the IP address of the server I am on and not the router).
I have also opened up IP connection from the external interface (the one connected to our main router) to my test machine, still no go.
Stuck on the same place. Any ideas?
Match: port tcp range 1 1023
It appears that you are doing FTP inspection for TCP ports 1 through 1023. Please change it to just match port 21.
There is another class-map as well which is doing FTP inspection. I am not sure what port that is matching on.
Please post the output of "sh run class-map".
The fact that you are masking all the IP addresses makes it hard to review the logs.
Captures on the client and server are the best option. Please download Wireshark and get captures on the client and server.
Are you sure that there is no web-filter kind of thing that may be blocking FTP TLS negotiation? Clearly the conn gets torn down due to FINs.
Also, FTP SSL is supposed to be on port 990. Is that not the case in your setup? Also, since this is encrypted, inspection cannot look within the packet and automatically allow the data connection, so you need to allow that in the ACL applied on the External interface, which you have done. Right?
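The two changes the replies ask for, written out as an added ASA configuration example (not the original poster's config and not a snippet from the thread). The class-map name, policy-map name, interface name "outside" and the SERVER_IP / CLIENT_IP placeholders are all assumptions; substitute the real values from "sh run class-map" and the existing access-group. The point it demonstrates: FTP inspection only helps when it can read the control channel, so it is narrowed to port 21, and the data connection for an FTPES session is permitted explicitly because the inspection engine cannot learn the negotiated data port from a TLS-protected PASV/PORT exchange.

```text
! --- Weak setting (what the class-map in the thread matches) ---
! Every low port, 1 through 1023, is handed to the FTP inspection engine,
! so HTTPS, SMTP, DNS and so on are all parsed as if they were FTP.
class-map ftp-low-ports
 match port tcp range 1 1023
!
! --- Corrected setting: inspect only the FTP control channel (port 21) ---
class-map ftp-control
 match port tcp eq ftp
!
policy-map global_policy
 class ftp-control
  inspect ftp
!
! --- Explicit allowance for the FTPES data connection ---
! The control channel is encrypted after AUTH TLS, so "inspect ftp" cannot
! see the PASV/PORT reply and cannot open the data pinhole by itself.
! Permit the data connection explicitly on the external interface, scoped
! to the single server/client pair (SERVER_IP and CLIENT_IP are placeholders).
access-list outside_in extended permit tcp host SERVER_IP host CLIENT_IP
access-group outside_in in interface outside
!
! --- Checks ---
! show run class-map                 -> confirm no remaining "range 1 1023" match
! show service-policy inspect ftp    -> confirm inspection counters only on port 21
! show access-list outside_in        -> hit counts rise when the listing is attempted
```

If the ACL hit count rises but the listing still fails, the data connection is being accepted by the ASA and the next place to look is the client/server captures the reply recommends, since the remaining FIN teardown would then be coming from one of the endpoints rather than the firewall.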