OK... I am having an odd issue I am unable to figure out. I have a new ASA 5520 that we implemented last week. I have the standard inside, DMZ, outside interfaces set at security levels of 100, 40 and 0 respectively. I have an ACL for inside traffic and outside traffic and one rule for a DMZ server that pulls information from the inside. My issue surrounds a server in the DMZ that users connect to and initiate an FTP session to the outside to pull data from a vendor. It was unable to make an FTP connection, so I added a rule for port 21 with an any destination. Still no luck. I modified the rule for it to be any destination IP port and the server seems to work just fine. In looking at the log for this server, it builds a dynamic translation for the outside to my global address and then starts a port 21 session.
I thought that by default you did not need any rules to go from a lower level to a higher level. Do I need a generic rule to allow the dynamics to be built? I basically copied the config from our PIX and dropped it onto the ASA. Is there something that I could have possibly missed in the configuration? I am going to try a little testing to see if any of the other servers act the same trying to get to the outside from them.
I have attached a filtered log from the ASA to show the activity. I can attach a copy of the config if needed.