Passive FTP access through ASA 5520


Hi ,

I am trying to get Passive Mode FTP working through our Firewall and for some reason we can only get Active Mode FTP to work !!!

We can only access the internal Host web1 on active mode ftp sessions !!

I have the following rules/policies setup and it is still not working.

ASA Version 8.2(1)

ftp mode passive
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp-data
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

Any assistance would be greatly appreciated !!

Thanks Simon

Nagaraja Thanthry (Cisco Employee) Sun, 07/18/2010 - 21:14


Can you please check from your internal network to see if Passive FTP is enabled on the server? If that checks out, then please make sure that you have one-to-one NAT configured for the server IP.

static (inside,dmz) any

capture capin access-list cap interface inside
capture capdmz access-list cap interface dmz

Once you run the test, then collect the output to see if the traffic is passing through the firewall.

"show capture capin"

"show capture capdmz"

That should give us a fair idea of what is blocking the FTP traffic.

Hope this helps.



Hi NT,

We are running IIS 6.0 on this internal Windows Server. The firewall on the Windows IIS Box is not enabled, which should in theory allow both Active & Passive FTP connections.

There is a static one-to-one NAT between the internal host and the outside with a Public IP address !!

static (inside,outside) web1-xlate web1 netmask tcp 1000 500

Will run captures shortly.


Nagaraja Thanthry (Cisco Employee) Sun, 07/18/2010 - 21:45


If you are able to view the directories using passive FTP, the connection in general is working fine. If the data transfer rate is very slow, then I would suggest you start looking at the server (test the speed from behind the firewall first) and then check for any MSS inconsistencies. Also, you might want to check to see if there are any out-of-order drops.

"show service-policy" and "show asp drop" are the commands that could be


Hope this helps.



Nagaraja Thanthry (Cisco Employee) Sun, 07/18/2010 - 22:08


Can you do a directory listing when you are connected to the FTP server via passive FTP?



Nagaraja Thanthry (Cisco Employee) Sun, 07/18/2010 - 23:14


Can you please post the output of "show asp drop" from the firewall?



Nagaraja Thanthry (Cisco Employee) Mon, 07/19/2010 - 07:25

Hello Simon,

The capture indicates that after the initial connection establishment, when you try to store something, there is a delay in opening the data connection. I did not find any return traffic from the server side in the capture. I am guessing that the delay is due to the delay occurred in getting an acknowledgement from the server side. The delay seems to be in terms of seconds rather than milliseconds. So, the problem seems to be on the server end (firewall cannot delay packets to the magnitude of seconds). I am guessing that when you go to passive mode, the server is trying to allocate the port and is getting delayed there. If possible, collect the capture on the server side as well (bi-directional traffic). That could help us narrow down on the root cause.
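A client-side passive FTP check, added here as an example and not part of the original thread: it issues PASV itself and compares the address the server advertises in the 227 reply with the control-connection peer, then times the data connection and a LIST, so an untranslated private address (FTP inspection not rewriting the payload through the static NAT) or a multi-second delay in the data phase, which the post above attributes to the server, shows up directly. The host, user and password are placeholders.

```python
"""Passive FTP through NAT: does the 227 reply carry the public address, and
how long does the data phase take? Example code written for this thread."""
import re
import socket
import time
from ftplib import FTP

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    Parsed by hand: current ftplib ignores the advertised host by default
    (trust_server_pasv_ipv4_address=False), which would hide a NAT problem."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a usable 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def is_private(ip):
    """RFC 1918 test: a private address advertised to an outside client means
    the firewall's FTP inspection did not rewrite the PASV payload."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def check_passive(host, user="anonymous", password="test@example.com", timeout=10):
    """Log in, time PASV and a passive LIST, and report what the server advertised."""
    ftp = FTP(host, timeout=timeout)
    ftp.login(user, password)
    control_ip = ftp.sock.getpeername()[0]
    t0 = time.monotonic()
    data_ip, data_port = parse_pasv(ftp.sendcmd("PASV"))
    result = {"control_ip": control_ip, "pasv_ip": data_ip, "pasv_port": data_port,
              "pasv_seconds": round(time.monotonic() - t0, 3),
              "pasv_ip_matches_control": data_ip == control_ip,
              "pasv_ip_is_private": is_private(data_ip)}
    t1 = time.monotonic()
    # Passive mode: the client opens the data connection, then sends LIST.
    with socket.create_connection((data_ip, data_port), timeout=timeout) as data:
        ftp.sendcmd("LIST")            # 150 reply; listing arrives on the data socket
        payload = b""
        while chunk := data.recv(4096):
            payload += chunk
    ftp.voidresp()                      # 226 transfer complete
    result["list_seconds"] = round(time.monotonic() - t1, 3)
    result["list_entries"] = len(payload.splitlines())
    ftp.quit()
    return result

if __name__ == "__main__":
    print(check_passive("ftp.example.invalid"))  # placeholder host
```

A seconds-scale pasv_seconds or list_seconds with a correct public pasv_ip points at the server, as in the thread; a private pasv_ip seen from outside points at the firewall's inspection or NAT.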



