• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1851

How to open active ftp on a cisco asa

I have a user that needs to access an active ftp (as opposed to passive) server from inside an cisco asa ver 8.2(2) firewall.

The firewall is somehow blocking her access from the inside out to the active ftp server. I cant seem to find the proper documentation to allow this.
Asked by: sctowne
2 Solutions
 
jmeggers commented:
Have you looked at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml? It will be the same up through version 8.2, but there's a different document for 8.3.
 
sctowne (Author) commented:
Hi jmeggers, I have looked at the document, but its purpose is if you want to set up an FTP server on a DMZ. I am not trying to set one up, but only communicate with an existing one on the internet.
 
AlexPace commented:
In active mode FTP, the client sends a PORT command to the server when it wants to transfer files or fetch a directory listing.  The PORT command is followed by six numbers.  The first four numbers are the IP address and the last two are the hex encoded port number.  The FTP server then makes an outgoing connection back to the client at that address and port number.

So there are potentially multiple things that can go wrong.  One is that the client might have an unrouted internal address like 192.168.x.x or 10.x.x.x, so obviously you can't have this sent to the remote server because the server will never be able to connect back.  So you'll have to modify the outgoing PORT command so it contains an external address.  Second is that the firewall has to allow an incoming connection from this server out there on the internet back to one of the PCs inside the firewall.  Third, if the client PC is using an internal address you'll need some kind of port forwarding.  Fourth, you might have to disable local security software or Windows Firewall on the client PC to allow the incoming connection.

Some FTP client software will allow you to define a port or range of ports that it will always use for the Active Mode data channel. This might help if you are manually setting up some firewall rules.

Some firewalls are FTP protocol aware so they are able to watch the FTP Control Channel, parse the PORT command on the fly, and substitute an external IP address for the internal address, and then do automatic port forwarding on the port used for the Active Mode data channel.  

Trivia: The DOS command-line FTP client only does active mode data channels.
 
sctowne (Author) commented:
Thanks to all, the solution had to do with the Protocol inspection and service policy rules. I cleared what was there and added the following line to the Cisco ASA:
! Classify the traffic on the default inspection ports (FTP control channel is TCP/21)
class-map inspection_default
 match default-inspection-traffic
!
! Global policy: run the FTP application inspection engine on that class, so the ASA
! reads PORT commands on the control channel and opens the matching data-channel pinhole
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
!
! Apply the policy on all interfaces
service-policy asa_global_fw_policy global
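To make concrete what AlexPace's answer describes and what the `inspect ftp` engine in the accepted configuration does, here is an added example (not code from the thread or from Cisco) that parses a PORT command per RFC 959, rewrites the embedded inside address to the NAT'd outside address, and records the single pinhole a stateful firewall has to open for the server's data connection; the addresses and the sample command are constructed, and the consistency checks are the ones an FTP-aware firewall applies before trusting a client-supplied address.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed sample: what an inside client sends on the control channel.
# Port octets 4,1 encode 4*256 + 1 = 1025 (RFC 959 uses decimal octets).
SAMPLE_PORT_CMD = b"PORT 192,168,1,25,4,1\r\n"

PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")


@dataclass
class Pinhole:
    server_ip: str    # remote FTP server allowed to connect inbound
    client_ip: str    # address the server will connect to (outside address after NAT)
    client_port: int  # data port the client is listening on


def parse_port(cmd: bytes) -> Tuple[str, int]:
    """Decode a PORT command: h1,h2,h3,h4 is the IPv4 address, p1,p2 give port = p1*256 + p2."""
    m = PORT_RE.fullmatch(cmd)
    if not m:
        raise ValueError("malformed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def build_port(ip: str, port: int) -> bytes:
    """Encode an address and port back into PORT syntax."""
    return f"PORT {','.join(ip.split('.'))},{port // 256},{port % 256}\r\n".encode()


def inspect_port(cmd: bytes, inside_ip: str, outside_ip: str, server_ip: str) -> Tuple[bytes, Pinhole]:
    """Model of FTP inspection on a NAT firewall (hypothetical, simplified):
    only honour a PORT whose address matches the control connection's source and
    whose port is unprivileged, rewrite it to the outside address, and return the
    rewritten command plus the one pinhole to open for server_ip -> outside_ip:port."""
    ip, port = parse_port(cmd)
    if ip != inside_ip:
        raise ValueError("PORT address differs from the control-channel source; not opening a pinhole")
    if port < 1024:
        raise ValueError("refusing to open a pinhole on a privileged port")
    return build_port(outside_ip, port), Pinhole(server_ip, outside_ip, port)
```

Without the inspection step the server would receive the 192.168.1.25 address verbatim and its data connection would never arrive, which is the symptom the question describes.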
