Cisco Support Community
New Member

FTP in Zone based firewall

I am working on a zone-based firewall for a new location. I am currently working on getting connections to infrastructure devices (2960 switch, WAVE 574). I have a zone pair defined with an outside and an INFRA zone. The class map is a match access-group line, and the access-list is working for ssh and syslog. However I have the WAVE device at a software version higher than my current standard (brand-new device) and have to ftp the downgrade code to the device from the ftp server. I have the following in the access-list

permit tcp host <wave574> host <ftp server> eq ftp (3 matches)

As you can see it has matched 3 times. The built-in WAAS procedure is to ftp to the server, change to binary mode, go to PASV mode, CWD to the specified directory, which is successful, send PASV again, then try to download the file. At that point it breaks, giving a timeout error. The logs show tcp being denied between the wave device and the ftp server, both on upper ports. FTP handling should not be a problem, the firewalls have been handling it for years. What am I missing here? I checked the rest of the ACL above the ftp line, that is the only line that could possibly be hit by the addresses involved.


Cisco Employee

FTP in Zone based firewall


You'll need to make sure that your zone-pair's policy includes a class-map that uses 'match protocol ftp' and that the 'inspect' action is applied for this class of traffic. Since FTP opens a secondary data connection with a dynamically allocated port, ZBF needs to be able to see this port and dynamically allow the data channel through the firewall. Otherwise, you would need to permit all TCP traffic between the WAVE and the FTP server.
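What that looks like in IOS, as an added configuration example that is not part of the thread; the zone names, interface-independent ACL name and class/policy names are assumptions, and the ACL itself is taken to contain the poster's permit line for tcp/21 only:

```cisco
! BEFORE (the poster's situation): the class matches only the ACL, so the
! control channel (tcp/21) is inspected as generic TCP, the PASV reply is
! never parsed, and the data connection on a high port is dropped.
class-map type inspect match-all INFRA-OUT-CLASS
 match access-group name INFRA-OUT-ACL
!
! AFTER: match the FTP application protocol together with the same ACL so
! the FTP inspection engine follows the PASV/PORT exchange and opens the
! data channel for that session only. The ACL still only needs port 21.
class-map type inspect match-all INFRA-FTP-CLASS
 match protocol ftp
 match access-group name INFRA-OUT-ACL
!
! Put the FTP class first so it wins over the generic class for port 21.
policy-map type inspect INFRA-OUT-POLICY
 class type inspect INFRA-FTP-CLASS
  inspect
 class type inspect INFRA-OUT-CLASS
  inspect
 class class-default
  drop log
!
zone security INFRA
zone security OUTSIDE
zone-pair security INFRA-TO-OUTSIDE source INFRA destination OUTSIDE
 service-policy type inspect INFRA-OUT-POLICY
!
! Check: during a transfer the session table should list the FTP control
! session and a child session for the high-port data connection.
! show policy-map type inspect zone-pair INFRA-TO-OUTSIDE sessions
```

If the data channel is still denied after this change, confirm the denied packets are hitting this zone-pair (and not a pair in the other direction) before widening the ACL, since permitting all TCP between the two hosts removes the protection the firewall was placed there for.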