So, since the ftp server is on the inside and connections are going to come from the outside to inside we need to look at the below zone pair out-zone to in-zone.
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
Now, the above zone pair is calling this below policy-map
router# sh run policy-map sdm-inspect-voip-in
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-inspect-staticnat-in
pass
class type inspect SDM-Voice-permit
pass
class type inspect sdm-nat-ftp-1
inspect
class class-default
drop
When you look closely into the first class-map under the policy-map you see that it is the one matching the ftp traffic.
class-map type inspect match-all SDM-inspect-staticnat-in
match access-group name staticnat
ip access-list extended staticnat
remark SDM_ACL Category=1
permit tcp any any eq ftp
I see two problems
1. class-map uses a match-all
Next time you add another protocol like smtp to the same access-list staticnat - this will not work because of the match-all
2. it just has a pass
When you just say pass, it will not allow the response traffic back automatically. It will expect a pass for the response traffic as well.
So, I would do two things:
connect to the router via command line (telnet or ssh) on enable prompt (# prompt) and type the following commands.
router#conf t
class-map type inspect match-any SDM-inspect-staticnat-in
class-map type inspect match-any SDM-inspect-staticnat-in
no pass
inspect
Now try to establish ftp to this server on the inside and see if it works.
-KS
