01-12-2009 12:49 AM - edited 03-11-2019 07:35 AM
I am running into problems with FXP through an ASA. They (the customer) use it to FTP between FTP servers, but start this process from a client.
In this case the client and one of the FTP servers are on the inside, the second FTP server is on the DMZ.
The client starts the process, but when the connection is transferred to the FTP server the ASA (per stateful inspection) sees the different source address in the session and stops the connection.
Completely logical, but not wanted.
Other than completely disabling FTP fixup, has anyone got a solution for this?
01-20-2009 06:26 AM
I understand from the Problem Description that you need assistance with your dataport connections to your FTP server.
I would say you are hitting one of the following two issues:
You have not enabled ftp inspect
To check run "sh service-policy" and see if ftp is listed in the global policy.
If not:
Applying Application Layer Protocol Inspection:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html
01-20-2009 11:11 AM
It is actually enabled, and this is the reason the firewall blocks it. It suddenly sees another host in the connection and denies it.
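The check described in the posts above (a data address announced on the control channel that differs from the host that sent it) can be modeled as below. This is an added example, not part of any post and not Cisco's implementation; the addresses, sample lines and function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port form h1,h2,h3,h4,p1,p2 (PORT argument and 227 PASV reply).
_HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")
# RFC 2428 EPRT form: <d>proto<d>address<d>port<d>, where <d> is any delimiter.
_EPRT = re.compile(r"^EPRT\s+(.)([12])\1(\S+?)\1(\d{1,5})\1\s*$", re.I)

def parse_data_endpoint(line):
    """Return (ip, port) announced by PORT, EPRT or a 227 reply, else None."""
    line = line.strip()
    m = _EPRT.match(line)
    if m:
        try:
            ip = ipaddress.ip_address(m.group(3))
        except ValueError:
            return None
        port = int(m.group(4))
        return (ip, port) if port <= 65535 else None
    if line.upper().startswith("PORT ") or line.startswith("227 "):
        m = _HOSTPORT.search(line)
        if not m:
            return None
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return None
        ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
        return ip, nums[4] * 256 + nums[5]
    return None

def check_control_line(sender_ip, line):
    """Compare the announced data address with the host that sent the line."""
    endpoint = parse_data_endpoint(line)
    if endpoint is None:
        return "no-endpoint"
    return "match" if endpoint[0] == ipaddress.ip_address(sender_ip) else "mismatch"

# Constructed control-channel lines: inside client 10.1.1.10,
# inside FTP server 10.1.1.20, DMZ FTP server 172.16.1.20.
SAMPLE = [
    ("10.1.1.10", "PORT 10,1,1,10,195,80"),      # ordinary active-mode FTP
    ("10.1.1.10", "PORT 10,1,1,20,195,80"),      # FXP: client names the other server
    ("172.16.1.20", "227 Entering Passive Mode (172,16,1,20,195,80)"),
    ("10.1.1.10", "EPRT |1|10.1.1.20|50000|"),   # FXP using the extended command
    ("10.1.1.10", "LIST"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE:
        print(f"{sender:12} {text:50} {check_control_line(sender, text)}")
```

The two FXP lines are the ones reported as `mismatch`: the announced data address belongs to a third host rather than to the sender of the command.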
01-12-2017 01:49 AM
Hi
Did you ever find a proper solution for this? Or did you end up with completely disabling FTP inspection?