I am working on a zone-based firewall for a new location. I am currently working on getting connections to infrastructure devices (2960 switch, WAVE 574). I have a zone pair defined with an outside and an INFRA zone. The class map is a match access-group line, and the access-list is working for ssh and syslog. However, I have the WAVE device at a software version higher than my current standard (brand-new device) and have to ftp the downgrade code to the device from the ftp server. I have the following in the access-list:
permit tcp host <wave574> host <ftp server> eq ftp (3 matches)
As you can see, it has matched 3 times. The built-in WAAS procedure is to ftp to the server, change to binary mode, go to PASV mode, CWD to the specified directory, get successful, send PASV again, then try to download the file. At that point it breaks, giving a timeout error. The logs show tcp being denied between the WAVE device and the ftp server, both on upper ports. FTP handling should not be a problem; the firewalls have been handling it for years. What am I missing here? I checked the rest of the ACL above the ftp line; that is the only line that could possibly be hit by the addresses involved.
Thanks.
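The behaviour described above (control channel permitted, PASV data channel on high ports dropped) is what a zone-based firewall class map that matches only an ACL produces: the `inspect` action then performs generic TCP stateful inspection and never reads the PASV reply, so the dynamically negotiated data port is not pinholed and falls through to the zone pair's default drop. The following IOS configuration is an added example, not taken from the original post or from any Cisco document; the addresses, ACL and class/policy names are constructed placeholders, and it assumes the WAVE sits in the INFRA zone and reaches the ftp server through the OUTSIDE zone. It shows the ACL-only class beside a class that adds `match protocol ftp` so the FTP application-layer inspection opens the data connection.

```cisco
! Constructed example: zone-based firewall policy from INFRA toward OUTSIDE.
! 192.0.2.10 stands in for the WAVE 574, 198.51.100.5 for the ftp server.
ip access-list extended INFRA-OUT
 permit tcp host 192.0.2.10 host 198.51.100.5 eq ftp
 permit tcp host 192.0.2.10 host 198.51.100.5 eq 22
 permit udp host 192.0.2.10 host 198.51.100.5 eq syslog
!
! Weak setting: ACL-only match. "inspect" tracks the port-21 control
! session but has no FTP awareness, so the PASV data connection on a
! high port is not opened and is dropped by class-default (the upper-port
! denies seen in the logs).
class-map type inspect match-all CM-INFRA-ACL-ONLY
 match access-group name INFRA-OUT
!
! Corrected setting: pair the ACL with the FTP protocol match. The FTP
! inspection engine parses the PASV reply and creates the data-channel
! pinhole for the duration of the transfer.
class-map type inspect match-all CM-INFRA-FTP
 match protocol ftp
 match access-group name INFRA-OUT
!
! Remaining ACL traffic (ssh, syslog) keeps generic inspection.
class-map type inspect match-all CM-INFRA-OTHER
 match access-group name INFRA-OUT
!
! The FTP class must be listed before the ACL-only class; classes are
! evaluated top-down and CM-INFRA-OTHER would otherwise absorb port 21.
policy-map type inspect PM-INFRA-TO-OUTSIDE
 class type inspect CM-INFRA-FTP
  inspect
 class type inspect CM-INFRA-OTHER
  inspect
 class class-default
  drop log
!
zone security INFRA
zone security OUTSIDE
zone-pair security INFRA-TO-OUTSIDE source INFRA destination OUTSIDE
 service-policy type inspect PM-INFRA-TO-OUTSIDE
```

To confirm the fix during a transfer, `show policy-map type inspect zone-pair INFRA-TO-OUTSIDE sessions` should list both the port-21 control session and a second TCP session between the two hosts on the negotiated high port; with the ACL-only class, only the control session appears and the drop counter in class-default rises when the data connection is attempted.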