Showing results for 
Search instead for 
Did you mean: 

Configuring explicit FTP over TLS outbound on Cisco ASA



We have Cisco ASA and IOS is Post 8.4

I have a few internal systems and servers (see created object group below) called our "user acceptance testing" (UAT) environment (security level 50). They will need access to a publicly accessible FTPS (ftp over tls) server. Do I need to define destination port of 990 like listed below in ACL? What about the data traffic? Do I define a port range on an additional acl to use for return? Do I even need to do this since it is from within my network outbound to a host on internet? (PAT)
FTP on ASA is set as passive

object-group network UAT-****
 network-object object ***uat
 network-object object uat***01
 network-object object uat****01
 network-object object ***uat04
 network-object object UAT-PAT
 network-object object UAT-PAT2

object network ftps.*******.com
 description FTP over TLS site

object-group service FTP-TLS tcp
 description FTP using TLS
 port-object eq 990

access-list uat extended permit tcp object-group UAT-**** object ftps.*******.com object-group FTP-TLS

Why can't people just use SFTP :(


VIP Guru VIP Guru
VIP Guru

that should cover for the FTP, do you have any Global NAT configuration ?


***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: