Introduction to Concepts:
FTPS and SFTP are among the most common problems we face today with the ASA firewall, on practically any version. The most common issue is that with SFTP (FTP over SSH), both the control and data channels are encrypted over port 22, while with FTPS (FTP over SSL) port 990 is used for the control channel (this information is encrypted) and the data channel goes in plain text.
The ASA firewall has trouble handling this type of connection. Normally, when regular FTP is used, the ASA sees the payload on the FTP control channel and performs the proper NAT translations when passive mode is used; when active mode is used, it sees the IP addresses and lets the data connection be established.
On the other hand, with the secure methods (FTPS and SFTP) the control channel is encrypted, so the ASA has no way to determine the ports being used.
Scenarios
Scenario 1
FTP server working in active mode, located on the inside, with the clients on the outside. In this scenario, the host on the outside makes a connection on port 990 to the inside. If the FTP server has a static one-to-one NAT, everything is going to work fine; if the server has a port forward, you need to make sure that it is the same IP address the server uses to make outbound connections to the Internet. Here is why:
Once the control channel has been established (990/22), the server in active mode is going to set up the data channel (normally on port 20). Besides telling the client that the port is 20, it will send a SYN packet to the client on that port. If the SYN on port 20 reaches the client from a different IP, the connection is never going to be completed; what you are going to see is only SYN requests, and the FTP session will hang.
Bottom line: make sure that the IP the FTP server uses is the same for outbound and inbound FTP connections.
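As an added example (not from the original article), here is the Scenario 1 NAT arrangement on an ASA in 8.3+ object NAT syntax, first in the form that produces the hanging session described above and then corrected, followed by the check to run; the addresses and object names are assumed for illustration.

```cisco
! --- Broken: port forward for the control channel only ---
! Assumed addresses: server 10.1.1.10, public FTP address 203.0.113.10,
! outside interface 203.0.113.1, outside client 198.51.100.5
object network FTP-SERVER
 host 10.1.1.10
 ! Only inbound tcp/990 is mapped to 203.0.113.10
 nat (inside,outside) static 203.0.113.10 service tcp 990 990
!
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 ! Everything else, including the server's own outbound SYN from port 20
 ! for the active-mode data channel, is PATed to the outside interface
 ! (203.0.113.1). The client sees the data SYN from a different IP than
 ! the control channel, the handshake never completes and the session hangs.
 nat (inside,outside) dynamic interface
!
! --- Fixed: static one-to-one NAT, same IP in both directions ---
object network FTP-SERVER
 host 10.1.1.10
 ! Inbound 990 and the server's outbound data connection both use 203.0.113.10
 nat (inside,outside) static 203.0.113.10
!
! Check: trace the server's outbound data SYN and confirm the translated source
packet-tracer input inside tcp 10.1.1.10 20 198.51.100.5 40000
! The NAT phase should show 10.1.1.10 -> 203.0.113.10, not the interface address
show xlate | include 10.1.1.10
```

The packet-tracer output is the quickest way to confirm which IP the client will see on the port 20 SYN before anyone opens a session.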
Scenario 2
Client on the inside and server on the outside, server in passive mode.
Same thing: the client initiates the connection on port 990/22, the server agrees and waits for the client to set the port command. The client initiates the connection to the outside world on that n+1 port to the server, and everything is going to work fine.
This may sound a little complicated; what you need to understand is that the firewall cannot open the data channel because the control channel is encrypted. Make sure that the data channel is seen by the firewall as a regular connection.