I have an ASA 5525 with Software Version 9.0(2) that is not allowing passive ftp. Each time I try to do any transfer that involves the data channel -- such as getting a directory listing -- with passive on, the log has lines like these and the command just times out:
2014-01-09T15:44:11.124706-08:00 Jan 09 2014 15:43:37: %ASA-4-406002: FTP port command different address: 172.21.10.8(22.214.171.124) to 126.96.36.199 on interface dmz1
2014-01-09T15:44:11.125100-08:00 Jan 09 2014 15:43:37: %ASA-4-507003: tcp flow from outside:188.8.131.52/38349 to dmz1:172.21.10.8/21 terminated by inspection engine, reason - inspector drop reset.
I have an access_list on the outside interface that allows ftp:
Found the problem. The FTP server was sending the external NAT address, not its own address, in the passive response. The previous firewalls didn't care but the newer software apparently does. Once the server was changed to send its own IP (an RFC 1918 address) in the response, clients were able to use passive.