Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Allowing FTPS access in ASA 5510

Hi Experts,

We had an ASA 5510 as a firewall in our environment, and there is a requirement to access an ftps server from our location. Currently from the server location they configured everything by allowing our public ip to their server and gave the following details to access ftp.

Server address for accessing ftp > ftp://ftp.<server address>.com

FTPS Access from port 990 (Implicit)

User ID: <user id>


Please suggest which traffic needs to be allowed in our ASA to access the ftp server address as mentioned above. From my initial analysis, it's found that 989 port is also enabled for the access, but that was not mentioned by them.

Any advice or suggestions regarding this is highly appreciable.


Sihanu N


Allowing FTPS access in ASA 5510

Hello Sihanu,

So the Secure FTP server will be outside your network.....

All you need to do is to open the required TCP ports ( in this case 990) in the interface were the clients are going to be.

Lets focus on the following topology:


All you will need to do is if you have an ACL on the inside interface add a line

access-list test permit tcp host PC1 host SFTP eq 990.

I think this document will help:

You will need to focus on the scenario 2:

Client on the inside and server on the outside, Server on Passive mode.

Same thing, client initiates the connection on port 990/22, the server agrees and waits for the client to set the port command. Client initiates the connection to the outside world in that n+1 port to the server and everything is going to work fine.

This may sound a little bit complicated, what you need to understand is that the firewall cannot open the Data channel because the Control channel is encrypted. Make sure that the data channel is seeing by the firewall as a regular connection.


Do rate all the helpful posts


Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura