05-07-2010 02:03 AM - edited 03-11-2019 10:42 AM
Hello world,
I'm trying to let users inside use the FTP protocol on outside servers,
but no matter.
Could anyone help me find the way? Thanks!!!
05-07-2010 02:49 AM
1) Does it use normal FTP, i.e. TCP/21 for the control connection?
2) When does the connection fail? Does authentication work (control connection) and data fail? Or do both fail?
3) Do you have "inspect ftp" configured on the global policy on the ASA?
4) Assuming you have an ACL on the inside interface, have you allowed TCP/21 through?
05-07-2010 04:59 AM
Thanks for your help.
From a wget ftp://xxxxxxx/xxxxx.tar.gz, PASV doesn't pass:
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD /xxxxxxx ... done.
==> SIZE xxxxx.tar.gz ... 6687842
==> PASV ... couldn't connect to xxxxxx port 55107: Connection timed out
Retrying.
I began to configure an inspection map, but no change...
05-07-2010 08:08 AM
Can you check the logs "sh logg | i ip address" to see what is dropped?
It seems you are using passive mode.
I would suggest checking the interface ACL where the client is connected. And keep the "inspect ftp" in the policy map.
I hope it helps to move this forward.
PK
05-10-2010 01:17 AM
Nothing appears in the log with the command: sho log | ip xxx.xxx.xxx.xxx
with either the source or the destination address.
I created 2 policy rules matching FTP and FTP-DATA from my NIC.
I put accept in my NIC IN access list for FTP and FTP-DATA,
and nothing happens?? It still stops at the passive negotiation (PASV)...
If I open the range TCP 1024-65535 in my NIC IN access list, that's OK,
but I don't want it to be opened, because then I can't know the state of the connection (NEW, RELATED or ESTABLISHED).
Thanks for your interest.
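The two posts above show the core of the problem: in passive mode the server announces the data port inside the control channel (the 227 reply), so a stateless ACL that permits only TCP/21 drops the data connection, while opening 1024-65535 "works" only by giving up any notion of connection state. The script below is an added example written for this thread, not code from the forum or from Cisco: it parses a 227 reply the way an FTP inspection engine must, and contrasts a TCP/21-only ACL, a wide-open range, and a single inspected pinhole. The reply text and the 192.0.2.10 host are constructed; the port 55107 is the one from the wget output earlier in the thread.

```python
"""
Why a static ACL on TCP/21 is not enough for passive FTP: the server tells the
client the data port inside the control channel (the 227 reply), so a firewall
that does not read that reply cannot know which port the client will connect to.
That is what "inspect ftp" does: parse the reply and open one pinhole for it.
"""
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) announced in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a well-formed 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def acl_permits(dport: int, rules: list[tuple[int, int]]) -> bool:
    """Stateless ACL model: the flow is allowed if its destination port
    falls inside any permitted (lo, hi) range."""
    return any(lo <= dport <= hi for lo, hi in rules)


def pinhole_for(reply: str) -> tuple[int, int]:
    """What FTP inspection adds after reading the 227 reply: a single-port
    range for exactly the negotiated data connection, nothing wider."""
    _, port = parse_pasv(reply)
    return (port, port)


# Constructed sample reply: documentation address 192.0.2.10, and (215,67)
# encodes port 215*256 + 67 = 55107, the port seen in the wget output.
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,215,67).\r\n"

if __name__ == "__main__":
    host, port = parse_pasv(SAMPLE_REPLY)
    control_only = [(21, 21)]                      # permit tcp/21 only
    wide_open = [(21, 21), (1024, 65535)]          # the "it works" workaround
    inspected = control_only + [pinhole_for(SAMPLE_REPLY)]  # inspect ftp result
    print(f"data connection goes to {host}:{port}")
    print("permit tcp/21 only          ->", acl_permits(port, control_only))
    print("permit tcp/21 + 1024-65535  ->", acl_permits(port, wide_open))
    print("permit tcp/21 + one pinhole ->", acl_permits(port, inspected))
```

The point of the three comparisons is that only the last one keeps the ACL tight: the pinhole exists because the inspection engine read the control channel, which is why the later answer says to leave "inspect ftp" on the control port and not to add FTP-DATA rules by hand.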
05-10-2010 01:48 AM
Don't configure FTP inspection for both FTP control and FTP data. You should only configure FTP inspection for FTP control.
If you are using the standard FTP control port, i.e. TCP/21, then you do not need to configure any ACL to match the traffic. Just configure it under the default inspection.
After the above changes, please test again, and if it still doesn't work, please post the following:
sh run policy-map
sh run service-policy
sh service-policy
Also, what version of ASA are you running?