Cisco ASA 8.2(5) PASV FTP Issue

Hello all -

Just upgraded from a RV042 to an ASA 8.2 and everything is working correctly except for FTP. ACTV FTP connections will work, but PASV will not. NAT seems to be set up correctly and I can access the FTP server through RDP so I know the translations are working. Users will get prompted to login on the FTP server, but then the connection gets reset. Code for the ASA is below. Any help is appreciated.

ASA Version 8.2(5)
!
hostname ghafirewall
domain-name 
enable password AQ2q/V1mSJNaMIRK encrypted
passwd 64AEVHQoM4adSdB3 encrypted
names
name 192.168.0.102 server-nf-pc
name 192.168.0.103 server-nf-ix
name 192.168.0.5 appsrv1
name 192.168.0.7 barracuda
name 192.168.0.101 server-gha-main
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.209 255.255.255.248
!
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
 domain-name 
access-list outin extended permit icmp any any echo-reply
access-list outin extended permit icmp any any unreachable
access-list outin extended permit icmp any any time-exceeded
access-list outin extended permit icmp any any traceroute
access-list outin extended permit tcp any host x.x.x.210 eq 3389
access-list outin extended permit tcp any host x.x.x.210 eq 987
access-list outin extended permit tcp any host x.x.x.210 eq www
access-list outin extended permit tcp any host x.x.x.210 eq https
access-list outin extended permit tcp any host x.x.x.211 eq www
access-list outin extended permit tcp any host x.x.x.211 eq https
access-list outin extended permit tcp any host x.x.x.212 eq ftp
access-list outin extended permit tcp any host x.x.x.213 eq smtp
access-list outin extended permit tcp any host x.x.x.212 eq 3389
access-list outin extended permit tcp any host x.x.x.212 eq ftp-data
access-list outin extended permit tcp any host x.x.x.212 eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.211 server-nf-ix netmask 255.255.255.255
static (inside,outside) x.x.x.212 appsrv1 netmask 255.255.255.255
static (inside,outside) x.x.x.213 barracuda netmask 255.255.255.255
static (inside,outside) x.x.x.210 server-gha-main netmask 255.255.255.255
access-group outin in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.214 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
 class global-class
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9aa483a421c9f3eecb7382bf5dea60d5
: end


intcomser Asked:

Gary Coltharp, Sr. Systems Engineer, Commented:
I had a similar problem but it had nothing to do with my Cisco. I had ports 20 and 21 forwarded as you do. My issue was the FTP server OS changed from 2003 to 2008. The server firewall in 2008 was not allowing the dynamic ports required by a PASV ftp connection.

Hope this helps.
0
intcomser (Author) Commented:
Thank you for the input.  Unfortunately our FTP server stayed the same (2003) and the PASV connection does work internally, just not from outside.  There is no firewall on the 2003 FTP server either.  Thank you again though.
0
intcomser (Author) Commented:
Fixed it.  I had to issue the 'fixup protocol ftp 21' command.  I thought that command was not used in ASA 8.x anymore but apparently it translates to MPF commands and fixes the problem.
0
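
In the configuration as posted, `inspect ftp` sits under `policy-map global-policy` and no `service-policy` line applies any policy-map, so the inspection is defined but never in force. The following is an added example (not from the thread, and not Cisco code) that checks a running-config for this condition; `FIXED` is an assumed corrected form, and the function names are hypothetical.

```python
import re

# MPF section copied from the configuration posted in the question.
POSTED = """\
class-map global-class
 match default-inspection-traffic
!
policy-map global_policy
 class global-class
policy-map global-policy
 class global-class
  inspect ftp
"""

# Assumed corrected form (not in the thread); class-map global-class as above.
FIXED = """\
policy-map global_policy
 class global-class
  inspect ftp
service-policy global_policy global
"""

def parse_policy_maps(config):
    """Return {policy-map name: {class name: [inspect engines]}}."""
    maps, pmap, cls = {}, None, None
    for line in config.splitlines():
        words = line.split() or ["!"]
        if not line.startswith(" "):  # a top-level command ends the open policy-map
            pmap = cls = None
            if words[0] == "policy-map" and len(words) == 2:
                pmap = words[1]
                maps.setdefault(pmap, {})
        elif pmap and words[0] == "class" and len(words) > 1:
            cls = words[1]
            maps[pmap].setdefault(cls, [])
        elif pmap and cls and words[0] == "inspect" and len(words) > 1:
            maps[pmap][cls].append(words[1])
    return maps

def audit_ftp_inspection(config):
    """Return findings; an empty list means inspect ftp is in force."""
    maps, findings = parse_policy_maps(config), []
    applied = re.findall(r"^service-policy\s+(\S+)\s+(?:global|interface)\b", config, re.M)
    for name, classes in maps.items():
        if any("ftp" in e for e in classes.values()) and name not in applied:
            findings.append(f"{name}: inspect ftp configured, policy-map not applied")
    if not any("ftp" in e for n in applied for e in maps.get(n, {}).values()):
        findings.append("no applied policy-map inspects ftp")
    return findings
```

Calling `audit_ftp_inspection()` on the text of `show running-config` gives the same check for a live device.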

intcomser (Author) Commented:
Discovered the old ASA commands still had some value on the newer units.
0
Hardware Firewalls


Question has a verified solution.
