I'm having trouble opening a passive FTP connection between two hosts, both of which are behind firewalls and NAT'd. The FTP inspection on my end is properly inspecting the FTP traffic and is therefore seeing the "REAL" IP address as a result of the passive mode request. I believe that the firewall is therefore dropping the request because the address is different (not the NAT address). I can't turn off FTP inspection because it would kill the ability to create active FTP sessions.
Is there a way to make a custom FTP inspection rule that would allow a passive mode connection? Both hosts are behind Cisco devices; is there some fix or workaround for this problem? BTW, the warning message is:
33406002FTP port command different address: 100.100.200.5(100.100.100.1) to 10.0.8.139 on interface outside
I changed the IPs to protect the "not so innocent".
Thanks, I understand what is supposed to happen during a passive FTP session. The problem appears to be that his firewall is not properly inspecting the FTP packet. He does have the global policy enabled, but for whatever reason his NAT device, which I have been told is a Cisco Firewall, is not re-writing the data portion of the 227 response. His box is replying with the non public IP address and my firewall is dropping the connection because it sees the connection as an FTP session hijack.
BTW, the "FTP mode passive" command is only applicable to FTP sessions to the FWSM itself for the purpose of upgrading code or loading configuration files. It has no relevance to "external" FTP operations. The "fixup" commands have been replaced using policy statements.
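To make the failure described above concrete, here is an added example (not from the thread, and not Cisco code): a small model of the check that FTP inspection performs on the address embedded in a PORT command or a 227 passive-mode reply, next to the payload rewrite the sender-side NAT is expected to perform. All addresses and the sample reply are constructed values.

```python
import ipaddress
import re

# Matches the host/port tuple in either an active-mode PORT command from the client
# or a passive-mode 227 reply from the server. Both carry an address in the payload,
# which is why NAT must rewrite it and why the firewall inspects it.
_ENDPOINT_RE = re.compile(
    r"^(?:PORT\s+|227\b[^(]*\()(\d{1,3},\d{1,3},\d{1,3},\d{1,3},\d{1,3},\d{1,3})",
    re.IGNORECASE,
)

def parse_endpoint(line: str):
    """Return (ip, port) embedded in a PORT command or a 227 passive-mode reply."""
    m = _ENDPOINT_RE.search(line)
    if not m:
        raise ValueError("no PORT/227 address tuple found")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.group(1).split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def inspect_endpoint(line: str, control_peer_ip: str) -> dict:
    """Model of the firewall's 'different address' check: the address in the payload
    must equal the address of the host that sent it on the control connection.
    A mismatch is the condition behind the drop and log message seen in the thread."""
    ip, port = parse_endpoint(line)
    same = ipaddress.ip_address(ip) == ipaddress.ip_address(control_peer_ip)
    return {"ip": ip, "port": port, "allowed": same}

def nat_rewrite(line: str, mapped_ip: str) -> str:
    """What the sender-side NAT's FTP inspection should do before the packet leaves:
    replace the real (inside) address in the payload with the mapped address."""
    m = _ENDPOINT_RE.search(line)
    if not m:
        raise ValueError("no PORT/227 address tuple found")
    _, port = parse_endpoint(line)
    new_tuple = ",".join(mapped_ip.split(".") + [str(port // 256), str(port % 256)])
    return line[: m.start(1)] + new_tuple + line[m.end(1) :]

# Constructed sample values (not the thread's). The server's real address is
# 192.0.2.10 and its NAT-mapped address 198.51.100.1; the client connected to the latter.
SERVER_REAL_IP, SERVER_MAPPED_IP = "192.0.2.10", "198.51.100.1"
RAW_227 = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"

def demo():
    broken = inspect_endpoint(RAW_227, SERVER_MAPPED_IP)    # real IP leaks: dropped
    fixed_line = nat_rewrite(RAW_227, SERVER_MAPPED_IP)     # payload rewritten by NAT
    fixed = inspect_endpoint(fixed_line, SERVER_MAPPED_IP)  # consistent now: allowed
    return broken, fixed_line, fixed

if __name__ == "__main__":
    for item in demo():
        print(item)
```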