03-12-2015 08:04 AM - edited 03-11-2019 10:37 PM
Hi Everyone,
I need to allow passive FTP traffic via the ASA.
The client PC is inside our network and the server is outside our network.
As the FTP data channel uses random ports for data transfer, do I need to open additional ports on the ASA in addition to port 21 to make this work?
Regards
MAhesh
03-12-2015 08:31 AM
Some clarifications here:
FTP uses port 21 for command & control and a random port for data transfer. In your case, since you're using passive FTP, the client will initiate both the command & control and the data transfer connections. The FTP server does NOTHING.
sFTP (aka scp) uses TCP port 22 (or whatever port you specify in sshd_config).
By design, inside hosts can access hosts on the outside; you just need to enable "fixup protocol ftp 21" and that will take care of both active & passive FTP from hosts on the inside to the outside network.
03-12-2015 09:28 AM
FTP inspection is enabled on the ASA.
I will ask the user to test the connection and will update you if it works without opening up additional ports for the data channel.
Regards
MAhesh
03-12-2015 10:59 AM
Looks like FTP inspection is NOT enabled on your ASA, because your own ASA is blocking your traffic. Can you share the output of the command "sh run policy-map global_policy"?
03-12-2015 11:06 AM
FTP inspection is enabled
sh run policy-map global_policy
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
Regards
MAhesh
03-12-2015 11:42 AM
Try this:
1) no fixup protocol ftp 21
2) fixup protocol ftp 21
then try the connection again.
03-12-2015 01:46 PM
Tried the connection as you said.
Same thing.
Also, I got the port range from the vendor, then I opened up the data ports from 50000 to 50010.
After that the user was able to connect fine.
Normally we do not need to open the data ports if FTP inspection is enabled, right?
So does it mean the ASA OS I am using can have a bug?
Regards
MAhesh
03-12-2015 10:13 AM
We tested with the user's PC and he is not able to connect.
Checking the firewall log, it shows:
Mar 12 2015 16:11:26: %ASA-4-106023: Deny tcp src Internal:192.168.50.21/58840 dst outside:205.x.x.x/50009 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0].
It seems it is trying to connect on port 50009.
I asked the vendor to send us the list of data channel ports which they have assigned to the server.
Regards
MAhesh
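The %ASA-4-106023 line above is the evidence that matters in this thread: the ASA's own ACL is denying the client's outbound connection to a high port on the FTP server, which is exactly what "inspect ftp" should have pinholed for a passive data channel. The following script is an added example (not code from this thread or from Cisco) that parses such deny messages and groups the denied high ports per known FTP server, so an operator can tell from the log whether passive data connections are being blocked before deciding to open a static port range. The FTP server address, the second sample line and the non-FTP lines are constructed; the message format assumed is the one shown in the thread (no hostname suffixes after the addresses, which some ASA versions append).

```python
import re
from collections import defaultdict

# Shape of the ASA 106023 syslog message as it appears in the thread.
# Assumption: addresses are plain IPs with no "(hostname)" suffix.
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_deny(line):
    """Parse one 106023 line into a dict, or return None if it is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d


def find_blocked_passive_ftp(lines, ftp_servers, data_ports=(1024, 65535)):
    """Return the parsed denies that look like passive-FTP data channels:
    TCP, destined to a known FTP server, on an ephemeral (non-control) port.
    A deny on port 21 is a control-channel problem and is not reported here."""
    lo, hi = data_ports
    hits = []
    for line in lines:
        d = parse_deny(line)
        if d is None or d["proto"].lower() != "tcp":
            continue
        if d["dst_ip"] in ftp_servers and lo <= d["dst_port"] <= hi:
            hits.append(d)
    return hits


def summarize(hits):
    """Map each FTP server to the sorted set of high ports the ASA denied.
    Any non-empty result means the ACL, not FTP inspection, decided the flow."""
    per_server = defaultdict(set)
    for d in hits:
        per_server[d["dst_ip"]].add(d["dst_port"])
    return {ip: sorted(ports) for ip, ports in per_server.items()}


# Constructed sample log: 203.0.113.10 stands in for the vendor's FTP server,
# the 443 and UDP lines are unrelated denies that must not be reported.
SAMPLE_LOG = [
    'Mar 12 2015 16:11:26: %ASA-4-106023: Deny tcp src Internal:192.168.50.21/58840 '
    'dst outside:203.0.113.10/50009 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0]',
    'Mar 12 2015 16:11:31: %ASA-4-106023: Deny tcp src Internal:192.168.50.21/58841 '
    'dst outside:203.0.113.10/50003 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0]',
    'Mar 12 2015 16:12:02: %ASA-4-106023: Deny tcp src Internal:192.168.50.30/51000 '
    'dst outside:198.51.100.5/443 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0]',
    'Mar 12 2015 16:12:05: %ASA-4-106023: Deny udp src Internal:192.168.50.30/5353 '
    'dst outside:203.0.113.10/5353 by access-group "Inside_access_in" [0x4e3d0ed5, 0x0]',
    'Mar 12 2015 16:12:09: %ASA-6-302013: Built outbound TCP connection 12345 '
    'for outside:203.0.113.10/21 (203.0.113.10/21) to Internal:192.168.50.21/58839',
]

KNOWN_FTP_SERVERS = {"203.0.113.10"}


def run_sample():
    """Analyse the constructed log and return the per-server summary."""
    return summarize(find_blocked_passive_ftp(SAMPLE_LOG, KNOWN_FTP_SERVERS))


if __name__ == "__main__":
    for server, ports in run_sample().items():
        print(f"passive FTP data ports denied by ACL towards {server}: {ports}")
```

If the summary is non-empty while "inspect ftp" is in the global policy, the next things to verify are that the service-policy is actually applied (the thread's output omits the "service-policy global_policy global" line) and that the control session to port 21 is itself being inspected, since the inspection engine can only open the data pinhole for PASV replies it has seen.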