We recently have problems with some clent ftp to our ftp site when they were using ftp active mode. And the session was terminated by the FW, ASA 5580.
%ASA-4-406002: FTP port command different address: 126.96.36.199(10.204.138.136) to ftp.ncbi on interface outside
It was working and don't know why only have trouble recently?
It still works for some clients, like Windows 7 even when it is behind a router doing NAT.
How we should tune the policy for "ftp inspection" on ASA. (Cisco Adaptive Security Appliance Software Version 8.2(4)5 )
Attached is the explantion given for the mentioned log
Explanation A client issued an FTP port command and supplied an address other than the address used in the connection. This error message is indicative of an attempt to avert the site.s security policy. For example, an attacker might attempt to hijack an FTP session by changing the packet on the way, and putting different source information instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event. The address in parenthesis is the address from the port command.
Is the address in paranthesis that of the client accessing the FTP service?
Yes, you are right.
The packet I captured in front of FW looks like "PORT 192,168,1,9,19,137\r\n" and "Active IP address: 192.168.1.9 (192.168.1.9)".
Very interestingly, same client accessing an identical FTP server (but it has been put outside of the FW) with a correct PORT Command which has rewrite this private IP to a public IP (the source IP of the packets).
Any idea why this happened? I checed the packets sent from the server to the client before this PORT Command. Seems to me all is identical. I don't see the server has gave the client any hint to use different styles of "PORT Command" to access me.