Community Member

Can't connect to FTP site on Internet

ASA version 8.0(2).

For testing I have removed all ACLs on the inside and outside interface. The problem is only from the Windows FTP client - works fine from other clients such as Internet Explorer FTP.

I believe the problem has to do with the Windows FTP client using active mode and the Internet Explorer FTP client using passive mode.

Is there a way to allow active mode FTP through the ASA, or do I have to stick with passive mode clients such as IE?

************

class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
!

************

Thanks!

5 REPLIES
Community Member

Re: Can't connect to FTP site on Internet

I believe you're correct about passive / active. The inspect command allows for passive FTP to be permitted.

However, in active FTP the client tells the server "talk to me on port 123" and the server attempts to connect, but since there is no translation for that it is denied. Check your logs; I suspect you will see this reported there.

The only way I have found to allow active is to explicitly allow it via an ACL rule.

IMO passive is more secure than active so if possible only allow passive to traverse your firewall.

Community Member

Re: Can't connect to FTP site on Internet

Thanks for the reply. If I were to allow this explicitly via an ACL, wouldn't the data connection from the server on the Internet still fail due to lack of a translation?

Tom

Community Member

Re: Can't connect to FTP site on Internet

Not if you allow it explicitly from the outside to the client inside that must have it ;-)

Community Member

Re: Can't connect to FTP site on Internet

Is this what the ACL would look like?

access-list OutsideIn extended permit tcp any eq ftp-data host 192.168.1.100

Because the client is sitting behind PAT, packets arriving from the Internet on my outside interface will not be addressed to the private address, but rather to the outside address of the ASA.

Am I following you?

Community Member

Re: Can't connect to FTP site on Internet

I am hitting the same problem too. When I do this on the access-list insideout,

access-list insideout permit tcp any any

it works, but is there a better way?
