I have configured ASA with 4 interface viz inside, outside, dmz, wanzone.
Highest sec being inside and lowest being outside.
When I try to do an FTP from inside to outside, that is to a public IP, I am not able to do passive FTP with the default FTP inspection. I am able to do only active mode FTP. Should I configure advanced FTP inspection for passive mode to work? I think I cannot disable FTP inspection because this will disable inbound FTP.
The match default-inspection-traffic command specifies the protocols and ports that are inspected by default. See this command in the Cisco Security Appliance Command Reference for a list of default inspection traffic. The security appliance includes a default global policy that matches the default inspection traffic, and applies inspection to the traffic on all interfaces.
You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. The class excludes any protocol or port information specified in the match access-list command that is already included in the match default-inspection-traffic command.
Also with passive ftp, the client initiates connection to port 21 of the ftp server. The ftp server responds from port 21 to the client and sends a dynamic port for data transfer connections. The client then initiates connections to that dynamic port on the ftp server.
You will have to allow TCP traffic from your inside network to ports greater than 1023 for the FTP servers that allow only passive FTP. For example:
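The passive-mode exchange described in the answer above, as an added illustration that is not part of the original thread: the client reads the server's 227 reply, derives the dynamic data port, and a firewall deciding whether to open the data pinhole checks that the advertised address is the server that owns the control connection and that the port is above 1023 (the policy is an assumption modelled on the ACL advice above, not a statement of the ASA engine's exact rules; the sample replies are constructed).

```python
import re
from ipaddress import ip_address

# Constructed sample 227 replies; not captured from any real server.
PASV_OK = "227 Entering Passive Mode (203,0,113,10,195,80)\r\n"
PASV_THIRD_PARTY = "227 Entering Passive Mode (198,51,100,7,195,80)\r\n"
PASV_LOW_PORT = "227 Entering Passive Mode (203,0,113,10,0,22)\r\n"

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if unparseable.
    The port is p1*256 + p2 per the FTP PASV reply format."""
    m = _PASV_RE.match(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def passive_pinhole(reply, server_ip):
    """Decide which data-connection pinhole to open after a PASV reply.
    Assumed policy (hypothetical, mirrors the ACL advice in the answer):
    the client may only connect to the FTP server that answered on the
    control channel, and only to a port above 1023.
    Returns (allowed, reason, parsed_endpoint)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False, "not a valid 227 reply", None
    ip, port = parsed
    if ip_address(ip) != ip_address(server_ip):
        # A reply pointing the client at a third host is a classic abuse
        # of PASV; a strict inspector should refuse to open anything.
        return False, "advertised address is not the FTP server", parsed
    if port <= 1023:
        return False, "advertised port is privileged (<= 1023)", parsed
    return True, "open tcp client -> %s:%d" % (ip, port), parsed


if __name__ == "__main__":
    for reply in (PASV_OK, PASV_THIRD_PARTY, PASV_LOW_PORT):
        print(reply.strip(), "->", passive_pinhole(reply, "203.0.113.10"))
```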