Cisco Support Community

Passive FTP with a Cisco 5505

Disclaimer: I'm not a network expert or Cisco certified...


I have a few remote locations that use a Cisco 5505 to connect to my server through a VPN Tunnel. When they establish a connection through the tunnel they use FTP with the PASV command and successfully send and receive data. No issues. The same remote locations will connect to external FTP sites without a VPN tunnel and attempt to use FTP with PASV and the connection fails after the PASV command is issued.

Also, when these sites connect to my FTP server all their internal addresses are configured with a Dynamic HIDE NAT. They don't use this NAT rule when they connect to other FTP sites. (I'm fairly certain about this last statement.)

The question is why would an FTP connection through a VPN Tunnel work with PASV, but on a non-tunneled connection the Cisco 5505 blocks the connection.

I would think that the connection should drop in both scenarios. What makes the VPN Tunnel connection special to prevent the connection drop? 

(I just learned about the fixup protocol with the group policy change to resolve the problem. So I can resolve the issue. But I'm interested in knowing why there is a discrepancy.)

I did ask our network team and they thought it was somewhat strange too. They suspect the tunnel has something to do with it, but I'm looking for a solid answer. I also haven't found any prior discussions about this particular scenario.



Passive FTP with a Cisco 5505

Hello Walter,

As you might know, the FTP protocol dynamically opens additional ports to send the data, so if the ASA is not inspecting this protocol up to the application layer it will drop the packet, because it will receive a packet from a non-existing connection from the lower security level (outside).

To solve this you just need to let the ASA know: "Inspect the FTP traffic up to the application layer, also known as Deep Packet Inspection (DPI), so you can know the port the FTP server and the client will use to send the traffic". Then the ASA will dynamically open that port and the connection will get established.

Do you see what I mean? Let me know if it's clear enough.



Julio Carvajal
Senior Network Security and Core Specialist
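
The mechanism described in the reply above, as an added example that is not part of the original thread and is not Cisco's implementation: a simplified Python model of a filter that reads the FTP control channel, learns the announced data endpoint, and permits only that one data connection. The names `parse_hostport` and `FtpInspector`, the drop-by-default policy for data flows, and the sample 227 reply are assumptions constructed for illustration.

```python
import re

# RFC 959 host-port encoding: h1,h2,h3,h4,p1,p2 where port = p1*256 + p2
HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def parse_hostport(line):
    """Return (ip, port) from a '227 ...' reply or a 'PORT ...' command, else None."""
    if not (line.startswith("227 ") or line.upper().startswith("PORT ")):
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet: learn nothing, open nothing
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


class FtpInspector:
    """Toy model (assumed policy): a data flow passes only if a pinhole was learned."""

    def __init__(self, inspect_ftp):
        self.inspect_ftp = inspect_ftp
        self.pinholes = set()  # (dst_ip, dst_port) data endpoints announced on TCP/21

    def control_line(self, line):
        """Feed one line seen on the control channel."""
        if self.inspect_ftp:
            endpoint = parse_hostport(line)
            if endpoint:
                self.pinholes.add(endpoint)

    def new_data_connection(self, dst_ip, dst_port):
        """Decide on a new TCP connection; each pinhole is single-use."""
        if (dst_ip, dst_port) in self.pinholes:
            self.pinholes.discard((dst_ip, dst_port))
            return "allow"
        return "drop"


# Constructed control-channel reply using a documentation address (RFC 5737)
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
```
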