Many FTP clients try to establish a passive connection to a server by default. In passive mode (PASV) the data connection goes to a high-numbered, unprivileged port above 1023 on the server, instead of the server connecting back from port 20 as in active mode (PORT). Most FTP servers use a different range of ports for passive connections.
When you are managing multiple FTP servers it is rather impractical to configure a specific passive port range on each server and then open those ports in the firewall. A quicker and much more practical solution is to use the stateful application inspection feature of the Adaptive Security Appliance (ASA). FTP inspection dynamically allows the secondary (data) connections through and also handles NAT traversal of those ports. To set it up, first create an inspection class for all interfaces that matches services on their standard ports:
class-map global-class
 match default-inspection-traffic
Next, configure a policy map that applies inspection of the FTP protocol to that class:
policy-map global-policy
 class global-class
  inspect ftp
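To make concrete what the inspector does on the control channel, here is an added Python example (not part of the original post or of Cisco's own code): it parses the PASV (227) and EPSV (229) replies to learn the dynamic data port the firewall must open, and rewrites the address embedded in a 227 reply when the server sits behind NAT. It also shows why an EPSV reply, which carries no address, is unaffected by NAT while a plain PASV reply is. The replies and IP addresses are constructed samples.

```python
import re

# Constructed sample control-channel replies (not captured from a real server).
PASV_REPLY = "227 Entering Passive Mode (10,1,2,3,195,80).\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|).\r\n"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply):
    """Return (ip_or_None, port) advertised by a 227 (PASV) or 229 (EPSV) reply.

    Raises ValueError for anything else. An EPSV reply carries no address:
    the client reuses the peer address of the control connection.
    """
    m = PASV_RE.match(reply)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        if max(a, b, c, d, p1, p2) > 255:
            raise ValueError("octet out of range in PASV reply")
        return f"{a}.{b}.{c}.{d}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("port out of range in EPSV reply")
        return None, port
    raise ValueError("not a passive-mode reply")


def pinhole_for(reply, client_ip, control_peer_ip):
    """Describe the single data connection an inspector would permit for this reply."""
    ip, port = parse_passive_reply(reply)
    server_ip = ip if ip is not None else control_peer_ip
    return {"src": client_ip, "dst": server_ip, "dport": port, "unprivileged": port > 1023}


def rewrite_pasv_reply(reply, inside_ip, outside_ip):
    """Rewrite the inside address in a 227 reply to the NATed outside address.

    Only PASV needs this; EPSV carries no address, which is why EPSV often
    works through NAT even when plain PASV does not.
    """
    ip, port = parse_passive_reply(reply)
    if ip != inside_ip:
        return reply
    p1, p2 = divmod(port, 256)
    octets = outside_ip.replace(".", ",")
    return f"227 Entering Passive Mode ({octets},{p1},{p2}).\r\n"
```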

3 responses so far
1 RaiulBaztepo // Mar 31, 2009 at 7:45 am
Hello!
Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad English, I've just started to learn this language.
See you!
Your, Raiul Baztepo
2 max // Apr 2, 2009 at 9:51 am
I’m glad you found this article useful.
3 harald // Jun 29, 2009 at 7:51 am
This was very interesting, thanks. However, I still have a problem. I can connect through the firewall using active and "extended passive" (!), but not "passive" (non-extended passive), even after applying your configuration. Is there a way around this problem? Thanks!