We are migrating from ASA 5525 to FTD 2110 running FTD/FMC 18.104.22.168 and cannot seem to get active-mode FTP to work through the FTD for a client on the inside connecting to an external Internet server on the outside. The initial control channel works, but the data channel fails to connect (passive-mode FTP works OK). With our ASA, as long as "inspect ftp" is enabled, the data channel gets pinholed through and NAT rewrite also occurs, so active-mode FTP works. I cannot seem to get the same functionality with the FTD. I have confirmed that "inspect-ftp" is in the global_policy, and have used either a port 21 match and/or an FTP application match in my ACP, and it still does not work with active-mode. I also read that another option is to use a prefilter/fastpath to bypass Snort, but this isn't working either. I am suspecting a NAT issue, as I see the following in a Capture w/Trace:
Action: drop Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
The NAT is an auto NAT with PAT configured the same as we have on our ASA. Has anyone else successfully configured active-mode FTP through an FTD, and can offer some insight into what may be going on here?
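As an added illustration (not the poster's configuration or any Cisco code), the simplified model below shows what the FTP inspector has to do for active mode behind PAT: parse the client's PORT command, rewrite the embedded inside address to the PAT address, and pre-create a translation (the "pinhole") so the server's inbound data connection to the PAT address is accepted. When no pinhole exists, the model returns the same drop reason seen in the capture. All addresses and the class name are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" carries the client's own IP and
# a data port (p1*256+p2) for the server to connect back to.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")


def parse_port(cmd: str) -> tuple[str, int]:
    """Decode a PORT command into (host, tcp_port)."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(host: str, port: int) -> str:
    """Encode (host, port) back into PORT syntax."""
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class PatFirewall:
    """Toy model of a PAT firewall with optional FTP inspection (constructed)."""
    pat_ip: str
    ftp_inspect: bool = True
    next_pat_port: int = 1024
    # (pat_ip, pat_port) -> (inside_ip, inside_port): the pre-existing xlates
    xlates: dict = field(default_factory=dict)

    def outbound_control(self, cmd: str) -> str:
        """Handle one client->server control-channel command."""
        if not self.ftp_inspect or not cmd.startswith("PORT "):
            return cmd  # forwarded untouched: no rewrite, no pinhole
        inside_ip, inside_port = parse_port(cmd)
        pat_port, self.next_pat_port = self.next_pat_port, self.next_pat_port + 1
        self.xlates[(self.pat_ip, pat_port)] = (inside_ip, inside_port)
        return format_port(self.pat_ip, pat_port)  # server now sees PAT ip/port

    def inbound_data_syn(self, dst_ip: str, dst_port: int):
        """Server's data connection arriving at the outside interface."""
        key = (dst_ip, dst_port)
        if key in self.xlates:
            return ("allow", self.xlates[key])
        return ("drop", "nat-no-xlate-to-pat-pool")  # same reason as in the capture
```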