Hello Sairam,

I would say it is related to active or passive FTP

on ftp prompt on shell try to use pasv if it is permitted by FTP server to change to passive mode in this way both control connection and data connection should start from the same side.

Hope to help

Giuseppe

I know it's an old thread but it's marked as Not Resolved, and I too am having this problem and can't seem to figure it out. I'm also using 15.0(1)M7, and everything looks right to me. Perhaps some fresh eyes can spot something I glaze over.

I get this in the log on the 877 when I try to connect with Firefox externally. It points to the passive ports being the problem, but I've got everything in the config that i think looks correct. Perhaps it's a bug in this IOS release, but i couldn't find anything, and when I'm on the local network i can connect to the FTP server with out problem

Feb 24 14:53:06.744: %FW-3-FTP_NON_MATCHING_IP_ADDR: (target:class)-(ZP_UNTRUST_TRUST:INBOUND_SERVICES_to_TRUST-classmap):Non-matching address 60.213.14.217 used in PASV response  -- FTP client 203.31.22.138  FTP server 192.168.0.200

I think it’s something to do with the passive ports, but from my understanding if you are using default FTP ports and you inspect ftp traffic then the zone based firewall monitors the state and applies the relevant Application Layer Gateway changes required to the payload.

ip port-map user-FTP_WEB-1122 port tcp 1122 description FTP SSL_WEB IN

ip cef   

!

----This is the class map  to match ftp traffic to the FTP Server

class-map type inspect match-any FTP_SERVICES-classmap

match protocol ftp

match protocol user-FTP_WEB-1122

------This is the class map to match the services and only allow the access list 110 destination which is the ip address of the internal FTP server

class-map type inspect match-all INBOUND_SERVICES_FTP-classmap

match class-map FTP_SERVICES-classmap

match access-group 110

------ Just another inbound service to another server

class-map type inspect match-all INBOUND_E4300-classmap

match protocol user-E4300

match access-group 111

----- This is the class map that is bound to the Policy-Map UNTRUST_TRUST- policymap to allow the inbound FTP connections

class-map type inspect match-any INBOUND_SERVICES_to_TRUST-classmap

match class-map INBOUND_E4300-classmap

match class-map INBOUND_SERVICES_FTP-classmap

class-map type inspect match-all INVALID_SRC-classmap  -----IP Spoofing protection

match access-group 109

!

----- This policy map is bound to the Zone Pair of Untrust to Trust

policy-map type inspect UNTRUST_TRUST-policymap

class type inspect INVALID_SRC-classmap ---- IP spoofing protection

  drop   

class type inspect INBOUND_SERVICES_to_TRUST-classmap   ---- classmap that includes the FTP match statement

  inspect

class class-default

  drop

!

!

zone security TRUST

zone security UNTRUST

----- Zone Pair to allow internal clients access to the internet

zone-pair security ZP_TRUST-UNTRUST source TRUST destination UNTRUST

service-policy type inspect TRUST_UNTRUST-policymap

----- Zone Pair to allow clients on the internet access to the FTP server

zone-pair security ZP_UNTRUST_TRUST source UNTRUST destination TRUST

service-policy type inspect UNTRUST_TRUST-policymap

!

!

!

!

interface Vlan11

description INSIDE

ip address 192.168.0.254 255.255.255.0

ip nat inside

ip nat enable

ip virtual-reassembly

zone-member security TRUST ---- interface Vlan11 is in the Trust zone

!

interface Dialer0

description OUTSIDE

ip address negotiated

ip mtu 1492

ip nat outside

ip nat enable

ip virtual-reassembly

zone-member security UNTRUST ----- Dialer0 interface is in the Untrust zone

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer-group 1

!

ip forward-protocol nd

!

ip nat inside source list 1 interface Dialer0 overload ---- NAT statement to allow internal clients access to the internet

ip nat inside source static tcp 192.168.0.200 1122 interface Dialer0 1122

-----Below is the NAT statement to allow traffic inbound on port 21 to the public  IP of the dialer0 interface to be forwarded to port 21 of the internal FTP server, 192.168.0.200

ip nat inside source static tcp 192.168.0.200 21 interface Dialer0 21

ip route 0.0.0.0 0.0.0.0 Dialer0

!

!

access-list 1 permit 192.168.0.0 0.0.0.255  ----- NAT ACL to allow internal clients access to the internet

access-list 109 permit ip host 255.255.255.255 any

access-list 109 permit ip 127.0.0.0 0.255.255.255 any

access-list 109 permit ip 10.0.0.0 0.255.255.255 any

access-list 109 permit ip 172.16.0.0 0.15.255.255 any

access-list 109 permit ip 192.168.0.0 0.0.255.255 any

---- Below is the ACL 110 that the classmap “INBOUND_SERVICES_FTP-classmap” uses to only allow inbound FTP inspection to the FTP server ip 192.168.0.200

access-list 110 permit ip any host 192.168.0.200

access-list 111 permit ip any host 192.168.0.1

dialer-list 1 protocol ip permit

Any help would be much appreciated