Has anyone experienced issues of failing active FTP when running IP inspect on a router with FW IOS? The issue I'm experiencing is that all passive FTP sessions work with the ip inspect ftp command, but active fails. The router actually sends the client a FIN to end the connection.
I also have another router that successfully allows active FTP, but it has a higher latency between the router and FTP server.
I am running IOS 12.2(15)T17 with the FW/IDS feature set.
I suspect that this is because when the data traffic is initiated from the outside the necessary session is not created for the traffic to go through the router. We could see that the dynamic access-list was there for only a brief moment and then it disappeared, which is the correct behavior if the session was never established.
With passive FTP both the data and control sessions are initiated from inside the router, and that makes it easier for the firewall to create and maintain the sessions as well as opening the ACL.
There are two things that we could try and both are to see if we can possibly help the sessions to be created for the inbound connections.
1. Have the ip inspect going both in and out on the outside interface.
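To make the direction difference concrete, here is an added Python example (not from the thread or from IOS) that parses an FTP control channel the way a stateful inspector such as ip inspect ftp must, deriving which side opens the data connection and therefore whether the pinhole is inbound (active, PORT) or outbound (passive, 227). The client/server addresses and the control-channel transcript are constructed.

```python
import re
from dataclasses import dataclass

# FTP encodes addresses as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass(frozen=True)
class DataPinhole:
    mode: str      # "active" (PORT) or "passive" (227 reply)
    src: str       # host that initiates the data connection
    dst: str
    dport: int
    inbound: bool  # True when the outside server initiates, as in active mode

def _decode(m):
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])

def pinhole_for(line, client_ip, server_ip):
    """Return the data-channel pinhole an FTP inspector must open for one
    control-channel line, or None if the line is neither PORT nor 227."""
    m = PORT_RE.match(line)
    if m:
        ip, port = _decode(m)
        if ip != client_ip:  # advertised address must belong to the client
            raise ValueError(f"PORT address {ip} does not match client {client_ip}")
        # Active: the server opens the data connection toward the client (inbound).
        return DataPinhole("active", server_ip, ip, port, True)
    m = PASV_RE.match(line)
    if m:
        ip, port = _decode(m)
        # Passive: the client opens the data connection toward the server (outbound).
        return DataPinhole("passive", client_ip, ip, port, False)
    return None

def inspect_session(lines, client_ip, server_ip):
    """Walk a control-channel transcript and collect every pinhole needed."""
    holes = [pinhole_for(l, client_ip, server_ip) for l in lines]
    return [h for h in holes if h is not None]

# Constructed sample exchange: client 10.0.0.5 inside, server 203.0.113.7 outside.
SAMPLE = [
    "220 ftp ready", "USER anonymous", "331 ok", "PASS x", "230 ok",
    "PORT 10,0,0,5,195,80",                            # client listens on 50000
    "200 PORT command successful",
    "PASV",
    "227 Entering Passive Mode (203,0,113,7,39,16)",   # server listens on 10000
]

if __name__ == "__main__":
    for h in inspect_session(SAMPLE, "10.0.0.5", "203.0.113.7"):
        print(h)
```

The active-mode pinhole is the one the router must accept from the outside interface, which is why inspection only on outbound traffic leaves that session unestablished.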