need to communicate from behind firewall to public ftp site and ports

arcolino11
Level 1

Hello all, I have an ASA 5510; my LAN sits behind it, it's my firewall. I have a user that needs to FTP to an outside address. The FTP client needs to be on port 2001 and also open a range of outbound ports only to communicate with the FTP site. I tried an access list that did not work. I tested the connection to the FTP IP outside my network and it works, so it's a command on the firewall. Any ideas? I also tested telnet to the public IP on port 20021; it works off network, does not work on. Any ideas? Let me give more info: the client is behind the firewall, they need to connect to the FTP public IP on port 20021 and need outbound ports allowed as well.

3 Replies

Andrew Phirsov
Level 7

All you should do is permit traffic to tcp/21 from inside to outside, i.e.

access-list INSIDE_TO_OUTSIDE extended permit tcp any host IP_OF_FTP_SERVER eq 21

and check if FTP inspection is enabled under global_policy:

policy-map global_policy
 class inspection_default
  inspect ftp

jocamare
Level 4

Basically you want to connect to an external FTP server using a non-standard port.

If that's the case, you can configure a class-map that matches the port and applies the FTP inspection to it.

class-map CSM_CLASS_MAP_ftp_1
 match port tcp eq 20021
 match port tcp eq 21
class-map CSM_CLASS_MAP_1
 match default-inspection-traffic
!
!
policy-map global_policy
 class CSM_CLASS_MAP_1
  inspect dns maximum-length 512
  inspect netbios
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class CSM_CLASS_MAP_ftp_1
  inspect ftp

malshbou
Level 1

Since your client is behind (inside) a firewall, you should try FTP passive mode, as it avoids an incoming data connection.

If you use active mode and your client is behind NAT (PAT), you should check (capture) the FTP PORT command at the inside and outside of the firewall to make sure that the client IP is rewritten correctly when leaving the firewall.

Hope this helps

Mashal

------------------ Mashal Shboul
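As an added illustration of the checks in the last two answers (this is not code from the thread or from Cisco), the script below decodes the data-channel endpoint that FTP embeds in a PORT command or a 227 passive-mode reply, and compares a PORT command captured on the inside of the firewall with the same command captured on the outside, flagging an RFC 1918 address that the FTP inspection did not rewrite. All addresses, ports and control-channel lines are constructed samples.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# FTP encodes the data endpoint as h1,h2,h3,h4,p1,p2 where port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed samples (hypothetical addresses): one PORT command captured on the
# inside interface, two candidate captures of it on the outside interface, and a
# passive-mode reply from a server listening on a non-standard port.
INSIDE_PORT = "PORT 192,168,1,20,7,209"
OUTSIDE_PORT_OK = "PORT 198,51,100,7,7,209"
OUTSIDE_PORT_BAD = "PORT 192,168,1,20,7,209"
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,78,53)"
PUBLIC_IP = "198.51.100.7"  # NAT address the firewall should advertise


def decode_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 reply, or None if unparsable."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):  # each field is one byte on the wire
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def is_rfc1918(ip):
    return any(IPv4Address(ip) in net for net in RFC1918)


def check_nat_rewrite(inside_line, outside_line, expected_public_ip):
    """Compare the PORT command seen inside and outside the firewall. In active mode
    the inspection engine must rewrite the private client address to the NAT address,
    otherwise the server tries to open its data connection to an unroutable host."""
    inside, outside = decode_endpoint(inside_line), decode_endpoint(outside_line)
    if inside is None or outside is None:
        return "unparsed"
    if is_rfc1918(outside[0]):
        return "leak: private address in PORT on outside, FTP inspection not applied"
    if outside[0] != expected_public_ip:
        return f"mismatch: outside PORT advertises {outside[0]}"
    return "rewritten"


if __name__ == "__main__":
    print(decode_endpoint(PASV_REPLY))
    print(check_nat_rewrite(INSIDE_PORT, OUTSIDE_PORT_BAD, PUBLIC_IP))
```

With PAT the translated port in the outside capture may also differ from the inside one, so the comparison deliberately checks only the address.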