I am trying to get Passive Mode FTP working through our Firewall and for some reason we can only get Active Mode FTP to work !!!
We can only access the internal Host web1 on active mode ftp sessions !!
I have the following rules/policies set up and it is still not working.
ASA Version 8.2(1)
ftp mode passive
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp
access-list inbound_outside extended permit tcp any host web1-xlate eq ftp-data
service-policy global_policy global
Any assistance would be greatly appreciated !!
Can you please check from your internal network to see if Passive FTP is
enabled on the server? If that checks out, then please make sure that you
have one-to-one NAT configured for the server IP.
Static (inside,dmz) any
Capture capin access-list cap interface inside
Capture capdmz access-list cap interface dmz
Once you run the test, then collect the output to see if the traffic is
passing through the firewall.
"show capture capin"
"show capture capdmz"
That should give us a fair idea of what is blocking the FTP traffic.
Hope this helps.
We are running IIS 6.0 on this internal Windows Server. The firewall on the Windows IIS box is not enabled, which should in theory enable both Active & Passive FTP connections.
There is a static one to one nat between the internal host and the outside with an Public IP address !!
static (inside,outside) web1-xlate web1 netmask 255.255.255.255 tcp 1000 500
Will run captures shortly
Some more info: when we try and connect from an external ftp client using Passive FTP, the connection is established and we can view the directories, but when we start the upload it transfers very slowly as the client cannot initiate the ftp data connection !!!
If you are able to view the directories using passive FTP, the connection in
general is working fine. If the data transfer rate is very slow, then I
would suggest you start looking at the server (test the speed from behind
the firewall first) and then check for any MSS inconsistencies. Also, you
might want to check to see if there are any out-of-order drops.
"show service-policy" and "show asp drop" are the commands that could be
Hope this helps.
I am seeing no dropped packets when viewing the FTP ( sh service-policy ).
I am also getting hits on the acl that is permitting ftp from outside !!
Yes this is possible !!
It is just that the transfer speed is really slow and the ftp client keeps responding with " data connection already open, transfer starting ".
Here is a packet capture from the firewall: the first part is a failed ftp passive mode transfer of the vmware-vcb.exe file.
Then the second part of the capture was a successful transfer using active mode with a file called : vuze_installer.exe
Hope this sheds some light !!
Thanks again Simon
The capture indicates that after the initial connection establishment, when
you try to store something, there is a delay in opening the data connection. I
did not find any return traffic from the server side in the capture. I am
guessing that the delay is due to a delay in getting an
acknowledgement from the server side. The delay seems to be in terms of
seconds rather than milliseconds. So, the problem seems to be on the server
end (a firewall cannot delay packets by a magnitude of seconds). I am
guessing that when you go to passive mode, the server is trying to allocate
the port and is getting delayed there. If possible, collect the capture on
the server side as well (bi-directional traffic). That could help us narrow
down the root cause.