Cisco Support Community
Community Member

FXP through ASA

I am running into problems with FXP through an ASA. They (the customer) use it to FTP between FTP servers, but start this process from a client.

In this case the client and one of the FTP servers are on the inside, the second FTP server is on the DMZ.

The client starts the process, but when the connection is transferred to the FTP server the ASA (per stateful inspection) sees the different source address in the session and stops the connection.

Completely logical, but not wanted.

Other than completely disabling FTP fixup, has anyone got a solution for this?

3 REPLIES
Silver

Re: FXP through ASA

I understand from the Problem Description that you need assistance with your dataport connections to your FTP server

I would say you are hitting one of the following two issues:

You have not enabled ftp inspect

To check run "sh service-policy" and see if ftp is listed in the global policy.

If not:

Applying Application Layer Protocol Inspection:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html

Community Member

Re: FXP through ASA

It is actually enabled, and this is the reason the firewall blocks it. It suddenly sees another host in the connection and denies it.
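
The address mismatch described in this thread, as an added example that is not part of any post and is not Cisco's implementation: a small checker that parses the RFC 959 `PORT h1,h2,h3,h4,p1,p2` argument on a control connection and compares it to the client that opened that connection. All addresses and command lines are constructed, and the allow/deny rule is an assumed simplification of what a stateful FTP inspector does.

```python
import re

# RFC 959 PORT argument: four address octets, then the port as two bytes.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) for a well-formed PORT command, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None  # octet out of range: treat as malformed
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def inspect_control_session(client_ip, commands):
    """Assumed rule: a PORT address must equal the control-connection client.

    Returns a list of (ip, port, verdict) for every valid PORT command seen.
    """
    findings = []
    for line in commands:
        parsed = parse_port(line)
        if parsed is None:
            continue
        ip, port = parsed
        findings.append((ip, port, "allow" if ip == client_ip else "deny"))
    return findings


# Constructed sample: client 10.1.1.50 (inside) talking to an FTP server in the DMZ.
CLIENT_IP = "10.1.1.50"

# Ordinary active-mode transfer: the client names itself as the data endpoint.
NORMAL_SESSION = ["USER demo", "PORT 10,1,1,50,195,80", "RETR report.bin"]

# FXP: the client relays the address returned by PASV on the inside server
# (10.1.1.20, constructed), so the PORT no longer names the client.
FXP_SESSION = ["USER demo", "PORT 10,1,1,20,19,137", "STOR report.bin"]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("fxp", FXP_SESSION)):
        print(name, inspect_control_session(CLIENT_IP, session))
```
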

Community Member

Hi

Did you ever find a proper solution for this? Or did you end up with completely disabling FTP inspection?
