Cisco Support Community

New Member

Active FTP on asa 5520

Please, I am having a problem using active FTP from an internal machine to an external FTP server. Sometimes it works and sometimes it doesn't. I have tried the following options, but with no luck:

1) permit traffic from external server with source port 21 to inside

2) use the no ftp mode passive

3) use the inspect FTP in the global policy

4) Static NAT for the client and access-list allowing server to translated client IP address

5 REPLIES

Re: Active FTP on asa 5520

I will try to comment on your steps

1) This ACL is not required at all. When the active FTP session begins, the control connection is initiated by the FTP client (on the inside) with a random source port greater than 1023, and the destination port is 21. This traffic will be automatically allowed back by the ASA State algorithm. The problem is the 'port 20' connection, initiated by the FTP server with source port = 20 and destination port = client's initial random source port + 1. For more details, have a look at this link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml#tshoot

2) Only applies to ASA-generated traffic.

3) This should work, actually...

4) This is better if you are combining it with option one (but use a proper source port 20 ACL and not source port 21), but to be honest, option 3 should be good enough.

Regards

Farrukh
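
A simplified model of what FTP inspection (option 3) has to do for active mode, added here as an example; it is not part of the original post and is not Cisco's implementation. It reads the client's PORT command on the control channel, opens a pinhole for the server's port-20 data connection, and rewrites the embedded address when the client is statically translated (option 4). The function name, the `Pinhole` tuple and all addresses are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional, Tuple

class Pinhole(NamedTuple):
    """Inbound data connection to permit, as seen on the outside interface."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# RFC 959: PORT h1,h2,h3,h4,p1,p2  ->  address h1.h2.h3.h4, port p1*256 + p2
PORT_RE = re.compile(r"PORT " + ",".join([r"(\d{1,3})"] * 6), re.IGNORECASE)

def inspect_control_line(line: str, client_real: str, client_mapped: str,
                         server_ip: str) -> Tuple[Optional[str], Optional[Pinhole]]:
    """Return (line to forward, pinhole to open); (None, None) means drop."""
    body = line.rstrip("\r\n")
    eol = line[len(body):]
    m = PORT_RE.fullmatch(body)
    if m is None:
        return line, None                      # not a PORT command: pass through
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None, None                      # malformed octet
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    # Defensive checks: the advertised endpoint must be the client itself and
    # an unprivileged port, otherwise the server could be pointed at a third host.
    if ip != client_real or port < 1024:
        return None, None
    # Static NAT without port translation: swap only the embedded address.
    rewritten = "PORT {},{},{}{}".format(
        client_mapped.replace(".", ","), nums[4], nums[5], eol)
    return rewritten, Pinhole(server_ip, 20, client_mapped, port)

if __name__ == "__main__":
    # Constructed sample: inside client 10.1.1.50, mapped to 203.0.113.50.
    for sample in ("LIST\r\n", "PORT 10,1,1,50,195,80\r\n", "PORT 192,0,2,7,0,22\r\n"):
        print(repr(sample), "->",
              inspect_control_line(sample, "10.1.1.50", "203.0.113.50", "198.51.100.10"))
```

Without this step the firewall only knows about the outbound port-21 flow, so the inbound connection from the server's port 20 has no matching state and is dropped, which shows up as a login that succeeds followed by a directory listing that hangs.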

New Member

Re: Active FTP on asa 5520

It doesn't work with any of these options.

It connects to the FTP server but it doesn't list the directories.

Re: Active FTP on asa 5520

What traffic is being denied on your OUTSIDE access-list?

Also are you using a browser to connect or a specific FTP client?

Regards

Farrukh

New Member

Re: Active FTP on asa 5520

Thanks for the responses.

We were able to get it up and running. It was an application layer issue. The client box uses passive FTP mode by default. This worked as soon as it was turned off, and it's been working ever since.

Re: Active FTP on asa 5520

OK, great, you have it working now.

That's why I was asking you about your client :)

Regards

Farrukh
