Many FTP clients try to establish a passive connection to the server by default. In passive mode (PASV) the client opens the data connection to a high-numbered unprivileged port (above 1023) on the server, instead of the server connecting back to the client from port 20 as it does in active mode (PORT). Most FTP servers let you configure the range of ports used for passive data connections, and each server may use a different range.
When you manage several FTP servers, configuring a specific passive port range on each server and then opening those ranges in the firewall quickly becomes impractical. A quicker and far more practical solution is the stateful application inspection feature of the Adaptive Security Appliance (ASA). FTP inspection watches the control channel (TCP port 21 by default), reads the address and port negotiated in the PORT command or the PASV reply, and dynamically permits the secondary data connection; it also rewrites the embedded address and port so the data channel traverses NAT correctly. To set it up, first create a class that matches services on their standard inspection ports on all interfaces:
class-map global-class
 match default-inspection-traffic
Next, configure a policy map that applies FTP inspection to that class:
policy-map global-policy
 class global-class
  inspect ftp
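The fragments above are not the whole story: a policy map does nothing until it is attached with a service-policy command, and the default inspection class only matches FTP control connections on port 21. The following is an added, complete example (not the original post's configuration) that shows the full setup, plus a second class for an FTP server listening on a non-standard control port. The port number 8022 and the class and policy names other than the ones above are assumptions chosen for illustration.

```cisco
! Added example, not the original post's configuration.
! Assumed values: control port 8022, class name ftp-8022-class.
!
! 1. Class matching the default inspection ports (FTP control = tcp/21).
class-map global-class
 match default-inspection-traffic
!
! 2. Class for an FTP server on a non-standard control port (assumed: 8022).
!    match default-inspection-traffic does NOT cover this port, so without
!    this class the ASA never sees the PASV reply and the data channel fails.
class-map ftp-8022-class
 match port tcp eq 8022
!
! 3. Policy map: inspect the FTP control channel on both classes. The ASA
!    learns the data port from each PORT command / PASV reply and opens a
!    pinhole for that single connection, so the 1024-65535 range does not
!    need to be permitted in the interface access list.
!    "strict" is optional: it enforces RFC-conformant command/reply
!    sequencing, blocks embedded commands, and drops PORT/PASV values whose
!    address does not match the connection endpoints.
policy-map global-policy
 class global-class
  inspect ftp strict
 class ftp-8022-class
  inspect ftp strict
!
! 4. Without this line the policy map is never applied to any traffic.
service-policy global-policy global
!
! Verification (exec mode): counters increase as control channels are inspected.
! show service-policy inspect ftp
```

After applying the policy, open a passive session through the firewall and run show service-policy inspect ftp: the packet counters for both classes should increment, and show conn should list the dynamically created data connection alongside the control connection.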

Hello!
Very interesting post! Thank you for such an interesting resource!
PS: Sorry for my bad English, I've just started to learn this language.
See you!
Yours, Raiul Baztepo
I’m glad you found this article useful.
This was very interesting, thanks. However, I still have a problem. I can connect through the firewall using active and "extended passive" (!), but not "passive" (non-extended passive), even after applying your configuration. Is there a way around this problem? Thanks!
This is common sense, but in most cases it doesn't help in passing passive FTP clients through the ASA, unfortunately.
This article solved all my problems with FTP so thanks for that.
The thing I did find is that I was not already running a policy map on the old firewall. For this to work you also need to add a line like this:
service-policy global-policy global
Thanks
Hi Dear,
As per the above conversation, I have an issue with passive FTP. Here are some of my test observations below.
The client PC (FileZilla client) connects to our vendor's FTP server on port 8022. From the client we are able to establish the control channel connection with the server, but when we use the PASV command for the data channel we are not able to connect to the server.
client --- Inside (ASA) Outside --- Server
- I configured the ASA firewall to inspect port 8022 in the FTP inspection rule (but I haven't inspected the 1023-65535 port range), but it's not working after the PASV command.
Can you please suggest the proper way to configure my firewall to resolve this issue ASAP? Or any tips to help me resolve this issue.
Thanks in advance for your understanding.
Ankur
Hi,
This point is really interesting because on the ASA 5510 the stateful application inspection feature is enabled by default, unlike on the ASA 5505.
Thank you and nice work.
Tom.