plokij5006 asked:

Open Passive FTP Connection through Cisco ASA5520 Firewall

I am looking for help to allow members of our LAN to access passive FTP connections through a Cisco ASA5520 Firewall. The main issue I have is that I don't speak Cisco at all. I long for a web interface, but alas, no. If anyone can help point me in the right direction. Here is some information that I hope is relevant.

WAN port is called: Example_Outside
LAN port is called: Example_Inside

If it can be done using network-object and access-list I would be very grateful. I would even be delighted to get this to work on a single PC with IP address 192.168.45.234

Thank you
Hardware Firewalls · Cisco · Networking

Last comment: plokij5006, 8/22/2022 (Mon)
SOLUTION
Dan Craciun

(members-only; answer text not available on this page)
kevinhsieh

I suggest you use ASDM for ASA management. So much easier for managing security rules, network groups, nested network groups, etc. For Cisco routers and switches I use the CLI, but the ASDM GUI for the ASA firewall.
giltjr

Dan's comment is spot on. The only issue you may have is if you are using encrypted FTP (ftp-ssl). Since the session is encrypted, the ASA can't inspect the commands. If the server supports the CCC command, after you log in you can issue it. That will cause all commands to be sent in clear text so the ASA can inspect them.

If the server does not support the CCC command, then you need to find out what port range the server uses for passive FTP connections and then set up a rule that allows outbound TCP packets destined to the server within that port range.
ASKER CERTIFIED SOLUTION
plokij5006

(members-only; answer text not available on this page)
Dan Craciun

1. Can you please post the result of the following command, obfuscating the real IPs?

sho run

2. ASDM is a Java app. It runs on Win XP - Win 10. No Firefox required.
kevinhsieh

I use ASDM on Windows 8.1 and Windows 10 using the current version of Java just fine. I don't even have Firefox.
plokij5006

ASKER
Thank you again for the replies. Here is the output requested:
xxxxxxFWGW.txt
giltjr

What FTP client are you using to test with? The FTP client that comes with Windows only supports active FTP.

Is there a way you can run a packet capture to verify what the client is sending out and what the server is returning? To do this you will need to run the capture in front of the firewall on the firewall.
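To make concrete what giltjr's two comments rely on, here is an added Python example (not code from this thread): it parses the server's passive-mode replies from a clear-text FTP control channel, which is what the ASA's FTP inspection does to open a data-channel pinhole and what it cannot do when the channel is encrypted, and it checks the advertised data ports against an explicit port range, which is the fallback rule when CCC is unavailable. The control-channel text, the server address 203.0.113.10 and the port range are constructed, not taken from the asker's capture.

```python
import re

# Constructed sample of an FTP control channel, as it would appear in a
# packet capture taken in front of the firewall (not a real capture).
SAMPLE_CONTROL_CHANNEL = """\
220 ftp.example.test FTP server ready
USER anonymous
331 Please specify the password.
PASS guest@
230 Login successful.
PASV
227 Entering Passive Mode (203,0,113,10,195,80).
EPSV
229 Entering Extended Passive Mode (|||60010|)
"""

# 227 carries host and port as six decimal octets; 229 carries only the port.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def passive_endpoints(control_text):
    """Return (host, port) data-channel endpoints the server advertised.

    Over FTPS these replies are encrypted, so an inspection engine sees
    nothing to parse; that is why the thread suggests CCC or a fixed range.
    """
    endpoints = []
    for line in control_text.splitlines():
        m = PASV_RE.match(line)
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            endpoints.append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
            continue
        m = EPSV_RE.match(line)
        if m:
            endpoints.append((None, int(m.group(1))))  # host = control peer
    return endpoints


def check_allowed(endpoints, server_ip, port_range):
    """Flag advertised ports outside the outbound rule (lo, hi) for server_ip.

    A 227 reply naming a host other than the server is also rejected, since
    a pinhole should only ever be opened towards the server being spoken to.
    """
    lo, hi = port_range
    results = []
    for host, port in endpoints:
        host = host or server_ip
        results.append((host, port, host == server_ip and lo <= port <= hi))
    return results
```

With the sample above and an allowed range of 50000-50100, the PASV port (50000) passes and the EPSV port (60010) is flagged, which is exactly the kind of mismatch a capture would reveal.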
plokij5006

ASKER
Closing down ticket - we never got a solution.
Awarding points to Dan, for the most in-depth responses.