Setting up an FTP server that allows ACTIVE (PORT) connections

Arvo Bowen
Level 1

I have an FTP server set up that I'm testing out. I want to allow PORT connection requests to be made to the server. The server is on a local LAN behind the firewall, and I have the following set up for it...

I have created my NAT rules using a one-to-one NAT rule to allow my external IP address 84.84.84.84 to be forwarded to my server on the local LAN (192.168.44.22).

[screenshot: Untitled.png]

I have added my access rules to the outside interface.

[screenshot: Untitled2.png]

I can connect to the test FTP server and send and receive FTP commands with no issues. When I try to send any data over the data ports (4000-4500) I get a connection error.

I was hoping that someone could help me use packet-tracer and tell me what I should be testing for. I think I might be using it incorrectly, as it tells me there are no issues for what I'm testing. I have also tried to search the logs for any errors that show dropped/blocked packets for the IP/ports.

Thanks for any help you can provide!

2 Replies

balaji.bandi
Hall of Fame

Maybe you need to run debug commands to get more information (since you mentioned FTP is working, inspect FTP is already there in the config).

try fixup protocol


https://www.cisco.com/c/en/us/support/docs/content-networking/file-transfer-protocol-ftp/200194-ASA-9-x-Configure-FTP-TFTP-Services.html


BB


Run packet-tracer to get an indication of how the packet is handled through the firewall:

packet-tracer input outside tcp 8.8.8.8 12345 84.84.84.84 4000 detail

If that shows as successful (make sure the correct NAT statement is being hit as well), run a packet capture on both the inside and outside interfaces.

capture capin interface inside match ip host 192.168.44.22 any

capture capout interface outside match ip any host 84.84.84.84

show cap capin

show cap capout

If you have a specific host to test from, then replace the "any" keyword with the IP of that specific host.

If you see FTP traffic leaving the inside interface towards 192.168.44.22 but nothing in return then the issue is somewhere between the ASA and the inside host or on the inside host itself.

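As an added example (not part of the thread and not taken from the Cisco document linked above), here is a complete ASA 8.3+/9.x configuration for the setup described in the question, using the addresses from the post (84.84.84.84 mapped one-to-one to 192.168.44.22) and the 4000-4500 data range, followed by the verification commands the reply walks through. The object, object-group and ACL names are assumptions. One caveat a practitioner should keep in mind: an inbound connection to port 4000, which is what the packet-tracer in the reply tests, is a passive-mode (PASV) data connection, so the FTP server itself must be configured to use 4000-4500 as its passive port range. In true active (PORT) mode the server opens the data connection outbound from port 20 to the client, which needs no inbound data-port rule; in both modes the FTP inspection engine is what rewrites the private address embedded in the PASV/PORT exchange to the public one and opens the data-channel pinhole.

```cisco
! Added example: ASA 8.3+/9.x configuration for the FTP server in the thread.
! Object/ACL names are assumptions; addresses and ports come from the post.

! Real server address and its one-to-one (static) NAT to the public address
object network FTP-SERVER
 host 192.168.44.22
 nat (inside,outside) static 84.84.84.84

! Control channel plus the passive data range the FTP server is configured to use
object-group service FTP-SERVER-PORTS tcp
 port-object eq ftp
 port-object range 4000 4500

! Since 8.3 the ACL references the real (untranslated) address, not 84.84.84.84
access-list OUTSIDE-IN extended permit tcp any object FTP-SERVER object-group FTP-SERVER-PORTS
access-group OUTSIDE-IN in interface outside

! FTP inspection rewrites the private address in PASV/PORT replies and opens
! the data-channel pinhole; it is part of the default global policy
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! Verification (exec mode): control channel, one passive data port, NAT hits,
! inspection counters, and the live connections for the server
packet-tracer input outside tcp 8.8.8.8 12345 84.84.84.84 21 detail
packet-tracer input outside tcp 8.8.8.8 12345 84.84.84.84 4000 detail
show nat detail
show service-policy inspect ftp
show conn address 192.168.44.22
```

If the packet-tracer for port 21 passes but the one for port 4000 is dropped at the ACL phase, the data range is missing from the access list; if both pass on the ASA but the client still fails, check the FTP server's own passive port range and host firewall, which is exactly where the capture on the inside interface points you.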