Hello,
We are migrating from ASA 5525 to FTD 2110 running FTD/FMC 6.4.0.6 and cannot seem to get active-mode FTP to work through the FTD for a client on the inside connecting to an external Internet server on the outside. The initial control channel works, but the data channel fails to connect (passive-mode FTP works ok). With our ASA, as long as "inspect ftp" is enabled, the data channel gets pinholed through, NAT rewrite also occurs, and active-mode FTP works. I cannot seem to get the same functionality with the FTD. I have confirmed that "inspect-ftp" is in the global_policy, and have used either a port 21 match and/or an FTP application match in my ACP, and it still does not work with active mode. I also read that another option is to use a prefilter/fastpath to bypass Snort, but this isn't working either. I am suspecting a NAT issue, as I see the following in a Capture w/Trace:
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
The NAT is an auto NAT with PAT configured the same as we have on our ASA. Has anyone else successfully configured active-mode FTP through an FTD, and can offer some insight into what may be going on here?
Thank you.
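To illustrate the mechanism behind the drop reason quoted in the post, here is an added Python model (not Cisco code, and not from the original thread) of what an FTP inspector has to do for active-mode FTP behind PAT: rewrite the client's PORT payload to the PAT address and pre-create the xlate so the server's inbound data SYN matches an existing translation. The PAT address, inside host and port range are constructed values.

```python
# Added model of what "inspect ftp" does for active-mode FTP behind PAT.
# Not Cisco code; the addresses and port range below are constructed.
import re
from typing import Dict, Tuple

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.I)

def parse_port(cmd: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command")
    o = [int(x) for x in m.groups()]
    if any(v > 255 for v in o):
        raise ValueError("value out of range")
    return ".".join(map(str, o[:4])), o[4] * 256 + o[5]

def build_port(ip: str, port: int) -> str:
    """Encode (ip, port) back into the PORT command wire format."""
    return f"PORT {ip.replace('.', ',')},{port // 256},{port % 256}\r\n"

class PatFirewall:
    """Minimal PAT device: with inspect_ftp it rewrites PORT and opens a pinhole."""
    def __init__(self, pat_ip: str, inspect_ftp: bool, first_port: int = 40000):
        self.pat_ip, self.inspect_ftp = pat_ip, inspect_ftp
        self._next_port = first_port
        # (pat_ip, pat_port) -> (inside_ip, inside_port): the pre-created xlate
        self.xlates: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound_control(self, line: str) -> str:
        """Client -> server control-channel line as the server will see it."""
        if not (self.inspect_ftp and line.upper().startswith("PORT ")):
            return line   # no inspection: the private address leaks through untouched
        inside = parse_port(line)
        pat_port, self._next_port = self._next_port, self._next_port + 1
        self.xlates[(self.pat_ip, pat_port)] = inside   # pinhole for the data channel
        return build_port(self.pat_ip, pat_port)

    def inbound_syn(self, dst_ip: str, dst_port: int) -> str:
        """Server -> client data-channel SYN arriving on the outside interface."""
        inside = self.xlates.get((dst_ip, dst_port))
        if inside is None:
            return "drop: nat-no-xlate-to-pat-pool"   # same class of drop as in the trace
        return f"allow -> {inside[0]}:{inside[1]}"

def active_ftp_data_channel(inspect_ftp: bool) -> Tuple[str, str]:
    """Replay the client's PORT and the server's data SYN; return (PORT as seen, verdict)."""
    fw = PatFirewall("203.0.113.10", inspect_ftp)           # constructed PAT address
    seen = fw.outbound_control("PORT 10,1,1,5,195,80\r\n")  # constructed client 10.1.1.5:50000
    ip, port = parse_port(seen)                             # server connects to what it saw
    return seen, fw.inbound_syn(ip, port)
```

Running `active_ftp_data_channel(False)` shows the failure mode from the post: the data SYN reaches the PAT address with no pre-existing xlate and is dropped, whereas with inspection the PORT line is rewritten and the pinhole admits it.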