
Allowing Passive FTP connections on the ASA5540

kduckett
Level 1

I am attempting to establish an FTP connection with an outside vendor FTP server in order to download software patches. The vendor's FTP server switches to Passive FTP mode which means my client has to reconnect to the server using high ports for both the source and destination. The only way that I have found to get the connection to work is to configure an ACE on my Inside interface ACL that allows an "any to any" connection using tcp ports >1023. To me, this causes a conflict with my security policies as any other connection, to a potentially malicious server, can be created.

What is the recommended way to get Passive FTP to work without compromising security? I have FTP mode passive enabled on the ASA and also have FTP Passive enabled within my browser.

Thanks,

Keith

Accepted Solutions

cisco24x7
Level 6

"fixup protocol ftp 21".

That will fix your problem without compromising security.

Easy, right?

Yes, this was easy and resolved my problem. I really appreciate the assistance.

Thanks,

Keith
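
What FTP inspection does with the passive-mode reply, as an added sketch in Python (not part of the original thread and not Cisco's implementation): it reads the server's `227` reply on the port-21 control channel and opens only the one data port announced there, for that client/server pair, instead of a static "any to any" rule for ports >1023. The class and method names, the addresses, and the rule that the announced address must equal the control-channel server are assumptions of this model.

```python
import re

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

class FtpInspector:
    """Toy stateful filter: the only static rule is outbound tcp/21."""

    def __init__(self):
        self.control = set()   # (client, server) pairs with a permitted control session
        self.pinholes = set()  # (client, server, data_port) opened from 227 replies

    def open_control(self, client, server, dport):
        if dport != 21:        # no blanket "any any gt 1023" rule exists here
            return False
        self.control.add((client, server))
        return True

    def server_reply(self, client, server, line):
        """Inspect one control-channel reply; return the pinholed port or None."""
        m = PASV_RE.match(line)
        if not m or (client, server) not in self.control:
            return None
        nums = [int(n) for n in m.groups()]
        if any(n > 255 for n in nums):
            return None
        if ".".join(map(str, nums[:4])) != server:  # model assumption: no redirect to a third host
            return None
        port = nums[4] * 256 + nums[5]
        self.pinholes.add((client, server, port))
        return port

    def permit_data(self, client, server, dport):
        """Allow a data connection only if a matching pinhole exists; it is single-use."""
        key = (client, server, dport)
        if key in self.pinholes:
            self.pinholes.remove(key)
            return True
        return False

if __name__ == "__main__":
    # Constructed sample values: an inside client and a vendor server address
    client, vendor = "10.1.1.50", "192.0.2.10"
    fw = FtpInspector()
    fw.open_control(client, vendor, 21)
    print(fw.permit_data(client, vendor, 50000))           # attempt before any 227 reply
    print(fw.server_reply(client, vendor, "227 Entering Passive Mode (192,0,2,10,195,80)"))
    print(fw.permit_data(client, "198.51.100.7", 50000))   # attempt to a different server
    print(fw.permit_data(client, vendor, 50000))           # attempt on the announced port
```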
