01-04-2006 08:26 PM - edited 02-21-2020 12:37 AM
Hi,
I have configured an ASA with 4 interfaces, viz. inside, outside, dmz, wanzone.
Highest security being inside and lowest being outside.
When I try to do an FTP from inside to outside, that is, to a public IP, I am not able to do passive FTP with the default FTP inspection. I am able to do only active mode FTP. Should I configure advanced FTP inspection for passive mode to work? I think I cannot disable FTP inspection because this will disable inbound FTP.
Please clarify.
Thanks in advance.
Regards,
Parthiban
01-10-2006 12:30 PM
The match default-inspection-traffic command specifies the protocols and ports that are inspected by default. See this command in the Cisco Security Appliance Command Reference for a list of default inspection traffic. The security appliance includes a default global policy that matches the default inspection traffic, and applies inspection to the traffic on all interfaces.
You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. The class excludes any protocol or port information specified in the match access-list command that is already included in the match default-inspection-traffic command.
01-12-2006 04:13 PM
Also, with passive FTP, the client initiates a connection to port 21 of the FTP server. The FTP server responds from port 21 to the client and sends a dynamic port for the data transfer connection. The client then initiates a connection to that dynamic port on the FTP server.
You will have to allow TCP traffic from your inside network to ports greater than 1023 for the FTP servers that allow only passive FTP. For example:
access-list INSIDE extended permit tcp object-group insidehosts gt 1023 object-group passiveftpservers gt 1023
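As an added illustration of the passive-mode exchange described above (not code from the original thread or from Cisco): the snippet parses the server's 227 PASV reply to recover the dynamic data port, then evaluates whether a rule shaped like the ACL line above (source ports gt 1023 to destination ports gt 1023 between named host groups) would permit the client's data connection. The host addresses, ports and reply text are constructed sample values.

```python
import re
from dataclasses import dataclass

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str):
    """Return (advertised_ip, data_port) from a 227 reply, or None if malformed."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class AclRule:
    """Model of: permit tcp <src_hosts> gt <src_gt> <dst_hosts> gt <dst_gt>."""
    src_hosts: frozenset
    src_gt: int
    dst_hosts: frozenset
    dst_gt: int

    def permits(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        return (src_ip in self.src_hosts and src_port > self.src_gt
                and dst_ip in self.dst_hosts and dst_port > self.dst_gt)


def data_channel_permitted(rule, client_ip, client_port, server_ip, reply) -> bool:
    """Would the passive data connection triggered by `reply` match `rule`?

    The advertised address must equal the server reached on the control channel;
    a mismatch is treated as not permitted rather than trusted blindly.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    adv_ip, data_port = parsed
    if adv_ip != server_ip:
        return False
    return rule.permits(client_ip, client_port, server_ip, data_port)


# Constructed sample: insidehosts = 10.1.1.5, passiveftpservers = 198.51.100.10
RULE = AclRule(frozenset({"10.1.1.5"}), 1023, frozenset({"198.51.100.10"}), 1023)
SAMPLE_REPLY = "227 Entering Passive Mode (198,51,100,10,195,80)\r\n"  # port 50000
```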