https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624931#M196176 <P>Look like FTP inspection is NOT enabled your ASA because your own ASA is blocking your traffics.&nbsp; Can you share the output of the command "sh run policy-map global_policy"?</P> Thu, 12 Mar 2015 17:59:34 GMT cciesec2011 2015-03-12T17:59:34Z https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624927#M196172 <P>&nbsp;</P><P>Hi Everyone,</P><P>&nbsp;</P><P>I need to allow passive FTP traffic via ASA.</P><P>Client PC is inside out network and Server is outside our network.</P><P>As FTP data channel uses random ports for data transfer.</P><P>Should i need to open additional ports on ASA in addition to port 21 to make this work?</P><P>&nbsp;</P><P>Regards</P><P>MAhesh</P> Tue, 12 Mar 2019 05:37:59 GMT https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624927#M196172 mahesh18 2019-03-12T05:37:59Z https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624928#M196173 <P>some clarifications here:</P><P>&nbsp;</P><P>FTP uses port 21 for command &amp; control and random port for data transfer.&nbsp; In your case, since you're using passive FTP, the client will initiate both command &amp; control and data transfer.&nbsp; FTP server does NOTHING.</P><P>&nbsp;</P><P>sFTP (aka, scp) uses tcp port 22 (or whatever port you specifiy in the sshd_config).</P><P>&nbsp;</P><P>By design, inside hosts can access hosts on the outside you just need to enable "fix-up protocol ftp 21" and that will take care of both Active &amp; Passive FTP from hosts on the inside to outside network.</P> Thu, 12 Mar 2015 15:31:44 GMT https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624928#M196173 cciesec2011 2015-03-12T15:31:44Z https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624929#M196174 <P>&nbsp;</P><P>FTP inspection is enabled on the ASA.</P><P>I will ask the user to test the connection and will update you if it works without opening up additional</P><P>ports for data channel.</P><P>&nbsp;</P><P>Regards</P><P>MAhesh</P> Thu, 12 Mar 2015 16:28:21 GMT https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624929#M196174 mahesh18 2015-03-12T16:28:21Z https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624930#M196175 <P>We tested with user PC and he is not able to connect.</P><P>Check the firewall log it shows</P><P>&nbsp;</P><P><STRONG>Mar 12 2015 16:11:26: %ASA-4-106023: Deny tcp src Internal:192.168.50.21/58840 dst outside:205.x.x.x/50009 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0].</STRONG></P><P>&nbsp;</P><P>Seems it is trying to connect on port 50009.</P><P>I asked vendor to send us list of Data channel ports which they have assigned to server?</P><P>&nbsp;</P><P>Regards</P><P>MAhesh</P> Thu, 12 Mar 2015 17:13:05 GMT https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624930#M196175 mahesh18 2015-03-12T17:13:05Z https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624931#M196176 <P>Look like FTP inspection is NOT enabled your ASA because your own ASA is blocking your traffics.&nbsp; Can you share the output of the command "sh run policy-map global_policy"?</P> Thu, 12 Mar 2015 17:59:34 GMT https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624931#M196176 cciesec2011 2015-03-12T17:59:34Z https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624932#M196177 <P>FTP inspection is enabled</P><P>&nbsp;</P><P>sh run&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; policy-map&nbsp;&nbsp; global_policy<BR />!<BR />policy-map global_policy<BR />&nbsp;class inspection_default<BR />&nbsp; inspect pptp<BR />&nbsp; inspect ftp<BR />&nbsp;</P><P>Regards</P><P>MAhesh</P> Thu, 12 Mar 2015 18:06:57 GMT https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624932#M196177 mahesh18 2015-03-12T18:06:57Z https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624933#M196178 <P>try this:</P><P>&nbsp;</P><P>1)&nbsp; no fixup protocol ftp 21</P><P>&nbsp;&nbsp;&nbsp;&nbsp; fixup protocol ftp 21</P><P>&nbsp;</P><P>then try the connection again</P> Thu, 12 Mar 2015 18:42:09 GMT https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624933#M196178 cciesec2011 2015-03-12T18:42:09Z https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624934#M196179 <P>&nbsp;</P><P>Tried the connection as you said.</P><P>Same thing.</P><P>Also i got port range from vendor then i open up data ports from 50000 50010</P><P>After that user was able to connect fine.</P><P><STRONG>Normally we do not need to open Data ports if FTP inspection is enabled right?</STRONG></P><P><STRONG>So does it mean the ASA OS i am using can have bug?</STRONG></P><P>&nbsp;</P><P>Regards</P><P>MAhesh</P> Thu, 12 Mar 2015 20:46:37 GMT https://community.cisco.com/t5/network-security/allowing-passive-sftp-traffic-via-cisco-asa/m-p/2624934#M196179 mahesh18 2015-03-12T20:46:37Z