I have set up an inbound ACL on the outside interface of my router that allows TCP ports 20 and 21 in, and I have a CBAC inspect map with FTP specified on the same interface in the outbound direction. My understanding is that the inspect will check all outbound traffic and dynamically fix up the inbound ACL for the client/server negotiated ports. I have active FTP clients, like the command-line Windows ftp, working, but passive clients like a browser do not.
If I uncheck passive mode in my browser it works, further confirming that active FTP works. Ironically, the browser's active/passive option says that passive mode is for firewall compatibility!
Any ideas on this? I would really like both to work, because I frequently use the command-line ftp and most others prefer the browser.
Is this issue resolved?
description public IP
ip address 220.127.116.11 255.255.255.224
ip access-group 101 in
ip nat outside
ip inspect firewall out
ip inspect firewall in    <-- please add this line as well.
For FTP traffic the user ID and password go over the control channel using TCP 21. You need to allow this via the ACL. Inspection will take care of opening the data channel.
For active FTP the server sends the data using source port TCP 20. The client sends the PORT command.
In the case of passive FTP the server sends the port command and the client connects back to a high port (>1024) to receive data.
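The control-channel parsing that the reply above describes (the client's PORT command in active mode, the server's 227 reply in passive mode) is exactly what an FTP inspection engine keys on to decide which data connection to open. The following Python is an added example, not code from the original thread and not Cisco code: it walks a constructed control-channel exchange and derives, for each mode, the data-channel flow the router has to permit, rendering it in an IOS extended-ACL style for readability. It also applies the two sanity checks an inspector should apply before honouring an announcement: the announced address must be the control-channel peer (otherwise it is the FTP bounce pattern) and the port must be in the unprivileged range. The client and server addresses, the sample session, and the function names are all assumptions; NAT rewriting of the PORT payload is out of scope.

```python
"""Data-channel derivation for a stateful FTP inspector.

Added example, not from the original thread and not Cisco code. Assumed
topology: an inside client talks to an outside server, and client_ip /
server_ip are the addresses seen on the TCP 21 control connection.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FTP_ACTIVE_DATA_SRC_PORT = 20


@dataclass(frozen=True)
class DataFlow:
    mode: str                # "active" or "passive"
    initiator: str           # which side opens the data TCP connection
    src_ip: str
    src_port: Optional[int]  # None means any ephemeral port
    dst_ip: str
    dst_port: int

    def acl_line(self) -> str:
        """Render in IOS extended-ACL style. Illustrative only, not router output."""
        src = f"host {self.src_ip}"
        if self.src_port is not None:
            src += f" eq {self.src_port}"
        return f"permit tcp {src} host {self.dst_ip} eq {self.dst_port}"


# RFC 959 PORT / 227 and RFC 2428 EPRT / 229 (IPv4 only here)
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPRT_RE = re.compile(r"^EPRT\s+\|1\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d+)\|$", re.I)
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def _decode_hp(groups) -> tuple:
    """h1,h2,h3,h4,p1,p2 -> (ip, port) with port = p1*256 + p2."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("each of h1-h4,p1,p2 must be 0..255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def _check_endpoint(announced_ip: str, peer_ip: str, port: int) -> None:
    """Refuse announcements an inspector should not honour: an address other
    than the control-channel peer (FTP bounce) or a privileged/zero port."""
    if announced_ip != peer_ip:
        raise ValueError(f"announced {announced_ip} is not control peer {peer_ip}")
    if not 1024 <= port <= 65535:
        raise ValueError(f"data port {port} outside 1024..65535")


def data_flow_from_control(line: str, client_ip: str, server_ip: str) -> Optional[DataFlow]:
    """Return the data-channel flow implied by one control-channel line,
    or None when the line does not negotiate a data channel."""
    line = line.strip()
    if m := _PORT_RE.match(line):            # client -> server: active mode
        ip, port = _decode_hp(m.groups())
        _check_endpoint(ip, client_ip, port)
        return DataFlow("active", "server", server_ip, FTP_ACTIVE_DATA_SRC_PORT, ip, port)
    if m := _EPRT_RE.match(line):            # extended form of PORT
        ip, port = m.group(1), int(m.group(2))
        _check_endpoint(ip, client_ip, port)
        return DataFlow("active", "server", server_ip, FTP_ACTIVE_DATA_SRC_PORT, ip, port)
    if m := _PASV_RE.match(line):            # server -> client: passive mode
        ip, port = _decode_hp(m.groups())
        _check_endpoint(ip, server_ip, port)
        return DataFlow("passive", "client", client_ip, None, ip, port)
    if m := _EPSV_RE.match(line):            # extended passive carries port only
        port = int(m.group(1))
        _check_endpoint(server_ip, server_ip, port)
        return DataFlow("passive", "client", client_ip, None, server_ip, port)
    return None


def announcement_rejected(line: str, client_ip: str, server_ip: str) -> bool:
    """True when the inspector would refuse the announcement on this line."""
    try:
        data_flow_from_control(line, client_ip, server_ip)
    except ValueError:
        return True
    return False


def session_data_flows(control_lines: List[str], client_ip: str, server_ip: str) -> List[DataFlow]:
    """Collect every data flow a control-channel exchange asks the inspector to permit."""
    flows = []
    for line in control_lines:
        flow = data_flow_from_control(line, client_ip, server_ip)
        if flow is not None:
            flows.append(flow)
    return flows


# Constructed sample exchange (not a real capture): inside client 10.0.0.5,
# outside server 198.51.100.10, one active and one passive transfer.
SAMPLE_CLIENT, SAMPLE_SERVER = "10.0.0.5", "198.51.100.10"
SAMPLE_CONTROL = [
    "220 example ftp ready",
    "USER anonymous",
    "230 Login successful.",
    "PORT 10,0,0,5,192,0",                              # active: port 49152
    "200 PORT command successful.",
    "PASV",
    "227 Entering Passive Mode (198,51,100,10,195,80)",  # passive: port 50000
]

if __name__ == "__main__":
    for f in session_data_flows(SAMPLE_CONTROL, SAMPLE_CLIENT, SAMPLE_SERVER):
        print(f"{f.mode:7s} opened by {f.initiator:6s}: {f.acl_line()}")
```

Running it shows the practical difference between the two modes: the active-mode flow is a brand-new inbound connection from the server's port 20 to the client's announced high port, so it only works if the inspector punches that exact hole in the inbound ACL; the passive-mode flow is initiated by the client outbound to the server's announced high port, so what the router needs is state for the return traffic of a connection the inside host opened rather than a permit for an unsolicited inbound one.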