Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1104
Views
0
Helpful
1
Replies

Passive FTP with a Cisco 5505

bryvic2011
Level 1
Level 1

‎01-05-2012 11:13 AM - edited ‎03-11-2019 03:10 PM

Disclaimer: I'm not a network expert or Cisco certified...

Scenario:

I have a few remote locations that use a Cisco 5505 to connect to my server through a VPN Tunnel. When they establish a connection through the tunnel they use FTP with the PASV command and successfully send and receive data. No issues. The same remote locations will connect to external FTP sites without a VPN tunnel and attempt to use FTP with PASV and the connection fails after the PASV command is issued.

Also, when these sites connect to my FTP server all their internal addresses are configured with a Dynamic HIDE NAT. They don't use this NAT rule when they connect to other FTP sites. (I'm fairly certain about this last statement.)

The question is why would an FTP connection through a VPN Tunnel work with PASV, but on a non-tunneled connection the Cisco 5505 blocks the connection.

I would think that the connection should drop in both scenarios. What makes the VPN Tunnel connection special to prevent the connection drop? 

(I just learned about the fixup protocol with the group policy change to resolve the problem. So I can resolve the issue. But I'm interested in knowing why there is a discrepancy.)

I did ask our network team and they thought it was somewhat strange too.They suspect the tunnel has something to do with it, but I'm looking for a solid answer. I also haven't found any prior discussions about this particular scenario.

Thanks,
Walt

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎01-05-2012 11:28 AM

Hello Walter,

As you might now the FTP protocol opens dynamicly additional ports to send the data, so the ASA if is not inspecting this protocol over to the application layer will drop the packet, because he will receive a packet from a non-existing connection from the lower security level (outside).

To solve this you just need to let the ASA know " Inspect the FTP traffic up to the application layer, also known as Deep Packet Inspection (DPI) so you can know the port the FTP server and the client will use to send the traffic", then the ASA will dinamicaly open that port and the connection will get stablished.

Do you see what I mean, let me know if its clear enough.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card