Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2225
Views
0
Helpful
0
Replies

Issues With Active Mode FTP through FTD

pncisco216
Level 1
Level 1

‎11-01-2019 07:22 AM - edited ‎02-21-2020 09:39 AM

Hello,

We are migrating from ASA 5525 to FTD 2110 running FTD/FMC 6.4.0.6 and cannot seem to get active-mode FTP to work through the FTD for a client on the inside connecting to an external Internet server on the outside.  The initial control channel works, but the data channel fails to connect (passive-mode FTP works ok).  With our ASA, as long as "inspect ftp" is enabled, the data channel gets pin holed through and NAT rewrite also occurs and active-mode FTP works.  I cannot seem to get the same functionality with the FTD.  I have confirmed that "inspect-ftp" is in the  global_policy, and have used either a port 21 match and/or an FTP application match in my ACP, and it still does not work with active-mode.  I also, read that another option is to use a prefilter/fastpath to bypass Snort, but this isn't working either.  I am suspecting a NAT issue, as I see the following in a Capture w/Trace:

Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

The NAT is an auto NAT with PAT configured the same as we have on our ASA.  Has anyone else successfully configured active-mode FTP through an FTD, and can offer some insight into what may be going on here?

Thank you.

4 people had this problem
Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card