
ASA 5510 not working passive FTP, Active works, help!


I inherited an issue on a production firewall, pertaining to a new FTP rule they put in.  The config is a bit out of order from what I’d normally do, I’m guessing due to being put in by GUI and not CLI.  Here is what is pertaining to the FTP, I believe:

object network XXXXX

 host In.ter.nal.IP


Creating the FTP service group:


object-group service DM_INLINE_TCP_1 tcp

 port-object eq ftp

 port-object eq ftp-data


Granting Server access to the service:


access-list INTERNET extended permit tcp any object XXXXX object-group DM_INLINE_TCP_1


Creating a 1:1 NAT for Server:


object network XXXXX

 nat (inside,outside) static Ex.ter.nal.IP


And granting the INTERNET access list access to the outside connection:


access-group INTERNET in interface outside


Then the parts pertaining to passive FTP are here:


policy-map global_policy

 class inspection_default

  inspect ftp


ftp mode passive


So I can hit it active, but not passive.  Passive fails to connect the data stream on whatever port it requests it from.  Suggestions?

6 Replies

The command "ftp mode passive" doesn't relate to your problem. It's for the ASA being the FTP-client.

In the service-object-group, you don't need ftp-data. With a correct config, the data-port will be allowed dynamically.

So, why doesn't it work? My first assumption would be that you have not applied the policy-map to the ASA:

service-policy global_policy global
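The reply above says the data port is opened dynamically once FTP inspection is working. As an added example (not part of the thread), this Python check classifies the server's passive-mode reply as logged by an outside client: a 227 reply that still carries the server's inside address was not translated on its way through the firewall. The addresses, sample lines and function names are constructed for illustration.

```python
import ipaddress
import re

# 227 reply (RFC 959) carries h1,h2,h3,h4,p1,p2; 229 (RFC 2428) carries only a port.
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_passive_reply(line):
    """Return (IPv4Address or None, port) for a 227/229 reply, else None."""
    m = PASV_RE.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("field out of range in: " + line)
        return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(2))  # EPSV: client reuses the control-channel address
    return None


def check_reply(line, mapped_ip):
    """Classify a reply as seen by an outside client; mapped_ip is the static NAT address."""
    parsed = parse_passive_reply(line.strip())
    if parsed is None:
        return "not-a-passive-reply"
    ip, _port = parsed
    if ip is None:
        return "ok-epsv"
    if ip == ipaddress.IPv4Address(mapped_ip):
        return "ok"
    if any(ip in net for net in RFC1918):
        return "inside-address-in-reply"  # client will try to connect to an unroutable host
    return "unexpected-address"


# Constructed control-channel lines as an outside client might log them.
SAMPLE = [
    "230 Login successful.",
    "227 Entering Passive Mode (10,1,1,20,195,80)",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "229 Entering Extended Passive Mode (|||50000|)",
]

if __name__ == "__main__":
    for reply in SAMPLE:
        print(check_reply(reply, "192.0.2.10"), "<-", reply)
```
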

service-policy global_policy global is in there, sadly.  Sorry, I should have posted that as well...

I'm unfamiliar with what ftp-data even does; I've never used it before.

My other thought is that I have this:


access-group INTERNET in interface outside

but no inbound listed of any kind.  Typically, this firewall was mainly used for web servers, so I'm thinking there is the potential that no inbound was ever configured.  Then again, I can get in on Active FTP.


The interfaces show this:

interface Ethernet0/0
 description Internet Interface
 nameif outside
 security-level 0
 ip address Ex.ter.nal.IP
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address In.ter.nal.IP



Am I on the right track?

  1. what is the output of "sh service-policy inspect ftp"?
  2. Is passive FTP working when the client is also on the inside?

Right now, I only have the config to work with, but both passive and active work inside the firewall, so it's not a server issue.


I feel like maybe it is the service group DM_INLINE_TCP_1.  As you said, ftp-data is not needed, so we could feasibly ditch the object group altogether and instead do a line like:


access-list INTERNET permit tcp any object SERVERNAME eq ftp



> access-list INTERNET permit tcp any object SERVERNAME eq ftp


Yes, that's all that is needed for access-control to the server.

OK, so I deleted the DM_INLINE_TCP_1 from the ACL, removed the service group, then added:


access-list INTERNET permit tcp any object SERVERNAME eq ftp


Same result as before, I can get in active, but not passive.  I'm really stumped...


They are running version 8.4 (2), are there known issues with FTP?


Additionally, they want to run SSL for the username and password, but not for the data connection...any thoughts on that?
