regmandy
asked on
allow passive FTP through ASA5510
Hey guys,
Ok so I've seen there are a few posts regarding this, and as I'm going through checking my configs, I can't seem to get this to work. The issue is most certainly that I'm not allowing passive ports through the firewall. My FTP client works fine internally, but externally it connects and authenticates to the server no problem, but when running the List command I get "failed to retrieve directory listing".
- How can I check if passive FTP is checked in inspect? I am using port 2121 for FTP due to Port 21 already being used with this external Address and forwarded to another PC.
- Also I have enabled passive ports 60000 - 65535 but I'm obviously missing something.
- The FTP host is in my DMZ, so maybe that's part of the problem: I'm not setting up my ACL correctly?
What do you need from me to help?
ASKER
Side note: when I have MasqueradeAddress turned on, internal or external won't work. When MasqueradeAddress is off, internal works, external doesn't. This is what maps the server to the public IP, so the issue has to be with my firewall rules not accepting the passive ports. I set the passive ports on the server to use 60000 - 60001.
ASKER
class-map global-class
class-map class_ftp
class-map ftp-class
 match port tcp eq 2121
class-map inspection_default
 match default-inspection-traffic
class-map global-class1
 match access-list global_mpc