How to open active FTP on a Cisco ASA

Posted on 2011-10-20
Last Modified: 2012-05-12
I have a user that needs to access an active FTP (as opposed to passive) server from inside a Cisco ASA ver 8.2(2) firewall.

The firewall is somehow blocking her access from the inside out to the active FTP server. I can't seem to find the proper documentation to allow this.
Question by: sctowne

    Accepted Solution

    Have you looked at It will be the same up through version 8.2, but there's a different document for 8.3.

    Author Comment

    Hi jmeggers, I have looked at the document, but its purpose is if you want to set up an FTP server on a DMZ. I am not trying to set one up, but only communicate with an existing one on the internet.

    Assisted Solution

    In active mode FTP, the client sends a PORT command to the server when it wants to transfer files or fetch a directory listing.  The PORT command is followed by six numbers.  The first four numbers are the IP address and the last two are the hex encoded port number.  The FTP server then makes an outgoing connection back to the client at that address and port number.

    So there are potentially multiple things that can go wrong.  One is that the client might have an unrouted internal address like 192.168.x.x or 10.x.x.x, so obviously you can't have this sent to the remote server because the server will never be able to connect back.  So you'll have to modify the outgoing PORT command so it contains an external address.  Second is that the firewall has to allow an incoming connection from this server out there on the internet back to one of the PCs inside the firewall.  Third, if the client PC is using an internal address you'll need some kind of port forwarding.  Fourth, you might have to disable local security software or Windows Firewall on the client PC to allow the incoming connection.

    Some FTP client software will allow you to define a port or range of ports that it will always use for the Active Mode data channel. This might help if you are manually setting up some firewall rules.

    Some firewalls are FTP protocol aware so they are able to watch the FTP Control Channel, parse the PORT command on the fly, and substitute an external IP address for the internal address, and then do automatic port forwarding on the port used for the Active Mode data channel.  

    Trivia: The DOS command-line FTP client only does active mode data channels.
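    Added example, not part of the thread above: the PORT handling the answer describes, written out as the logic an FTP-aware firewall (the ASA's FTP inspection) applies to one control-channel line. It decodes the six-number PORT argument (RFC 959 gives the port as p1 * 256 + p2, two decimal bytes), checks whether the client's address is RFC 1918 space, substitutes the outside address, and derives the single inbound pinhole the server's data connection needs. It also refuses a PORT that names an address other than the session's own client, which is the check that stops a pinhole being opened toward a third host. The client, outside and server addresses are constructed sample values; the simplification that the data port survives NAT unchanged is an assumption of this example, not ASA behaviour.

```python
"""Active-mode FTP PORT handling as an FTP-aware firewall sees it.

Added example, not code from the original thread. Addresses are
constructed sample values; keeping the same port across NAT is a
simplifying assumption of this example.
"""
import ipaddress
import re

# Constructed sample topology: inside client behind the ASA, the ASA's
# outside (NAT) address, and a remote server that only does active mode.
INSIDE_CLIENT = ipaddress.IPv4Address("192.168.1.10")
OUTSIDE_ADDR = ipaddress.IPv4Address("203.0.113.5")
FTP_SERVER = ipaddress.IPv4Address("198.51.100.20")

# Checked explicitly rather than via IPv4Address.is_private, which also
# flags the documentation ranges used for the sample addresses above.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def decode_port(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, port).

    RFC 959 sends the port as two decimal bytes: port = p1 * 256 + p2.
    """
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    vals = [int(v) for v in m.groups()]
    if any(v > 255 for v in vals):
        raise ValueError("byte out of range in %r" % line)
    ip = ipaddress.IPv4Address("%d.%d.%d.%d" % tuple(vals[:4]))
    return ip, vals[4] * 256 + vals[5]


def encode_port(ip, port):
    """Build the PORT line for an IPv4 address and TCP port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d\r\n" % (str(ip).replace(".", ","),
                                 port // 256, port % 256)


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def inspect_port(line, client_ip, outside_ip, server_ip):
    """Handle one PORT command from an inside client.

    Returns (line_to_forward, pinhole). The pinhole is the one inbound TCP
    connection that must be permitted and, when the client sits behind NAT,
    untranslated: server_ip -> outside_ip:port becomes client_ip:port.
    """
    ip, port = decode_port(line)
    if ip != client_ip:
        # A PORT naming another host would have us open a pinhole toward a
        # third party on the server's behalf. Refuse it.
        raise ValueError("PORT address %s is not the session client %s"
                         % (ip, client_ip))
    if port < 1024:
        raise ValueError("refusing privileged data port %d" % port)
    if is_rfc1918(ip):
        # Private address: rewrite the PORT to the outside address and
        # record that the returning connection must be mapped back.
        forwarded = encode_port(outside_ip, port)
        translate_to = str(client_ip)
        dst = str(outside_ip)
    else:
        # Client already holds a public address: forward unchanged, but the
        # server's connection back still needs to be allowed through.
        forwarded = encode_port(ip, port)
        translate_to = None
        dst = str(ip)
    pinhole = {"src": str(server_ip), "dst": dst, "dport": port,
               "translate_to": translate_to}
    return forwarded, pinhole


if __name__ == "__main__":
    # Constructed: the inside client listening on port 19*256+137 = 5001.
    sample = "PORT 192,168,1,10,19,137\r\n"
    fwd, hole = inspect_port(sample, INSIDE_CLIENT, OUTSIDE_ADDR, FTP_SERVER)
    print("client sent:", sample.strip())
    print("server sees:", fwd.strip())
    print("pinhole:    ", hole)
```

    Running it shows the rewritten line "PORT 203,0,113,5,19,137" and a pinhole from 198.51.100.20 to 203.0.113.5:5001 mapped back to 192.168.1.10:5001, which is exactly the combination of address substitution, inbound permit and port forwarding the answer lists; without FTP inspection each of those has to be done by hand, and the PORT rewrite cannot be done by a plain ACL at all.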

    Author Closing Comment

    Thanks to all, the solution had to do with the Protocol inspection and service policy rules. I cleared what was there and added the following line to the Cisco ASA:
    class-map inspection_default
     match default-inspection-traffic
    policy-map asa_global_fw_policy
     class inspection_default
     inspect ftp
    service-policy asa_global_fw_policy global
