Linux Sysadmin Blog

ASA Allow Passive Ftp Traffic

- | Comments

Many ftp client will try to establish a passive connection with a server by default. A passive connection will use a high numbered unprivileged port range greater then 1023 (PASV) instead of port 20 (PORT). Most ftp servers specify different ranges that are to be used for passive connections.

When you are managing multiple ftp servers is it rather impractical to configure specific passive port ranges for each ftp server and open these ports in the firewall. A quick and much more practical solution is to use the stateful application inspection feature of the Adaptive Security Appliance. To set-up inspection of the FTP protocol which will dynamically allow secondary ports to pass as well as allow NAT traversal of these ports we first must create an inspection policy for all interfaces which will inspect services on their standard ports:

class-map global-class
match default-inspection-traffic

Next configure a policy map and inspection of the ftp protocol:

policy-map global-policy
 class global-class
  inspect ftp