I have problems connecting to an FTP server behind a Cisco ASA firewall using passive mode. FTP works using active and "extended passive" mode; however, when I turn off "extended passive" (epsv in the ftp console client app), it does not work any longer -- all commands result in a timeout. However, we need non-"extended passive" mode for some application we use.
any ideas?
thanks, harald
UPDATE / SOLUTION
As it turns out, it was not exactly the ASA's fault, or was it? I had to turn off masquerading in the proftpd configuration. I had the masquerading address in the proftpd config set to the IP address of the FTP server domain, and that resulted in unexpected things when passing traffic through the ASA. Now -- without address masquerading -- everything works very well.
Ancient topic, but I ran into similar problems recently and figured my $.02 might help somebody.
In my case, we're running IIS 7.5 behind a slightly older version of ASA, which we're in the process of replacing. We have an existing FTP site and my plan was to simply add FTPS support with the certificate & maybe getting our network admins to open up a few ports. IIS has a similar masquerade setting for each FTP site named "External IP Address of Firewall", which is, itself, misleading.
the TL/DR version: If your FTP server allows you to specify a masquerade IP & a range of ports used for PASV connections, you SHOULD be able to fix this by opening up those ports & disabling ftp inspection.
Due to some other constraints, I wasn't able to get inspection disabled on our ASA, so I had to make some compromises. Here's what I observed/learned:
So in our case, when I set the masquerade IP, I was able to connect just fine via FTPS, but regular FTP would fail. When I removed the masquerade IP, I was still able to connect to both FTP and FTPS using CuteFTP, but our primary client wasn't able to connect to FTPS. (their system wasn't "smart" enough to translate the non-routable IP...)
So my lame workaround was using two separate sites: one that used a masquerade IP and required SSL, the other site that didn't.
TMI, but maybe it helps somebody work through this.
You need to enable application-level filtering for FTP using the "fixup" command:
There is this article on the PIX that also applies to ASA:
http://www.ciscopress.com/articles/article.asp?p=24685
You may need to create a rule to allow the PASV ports, not just port 21. In your FTP program there is usually a configuration setting where you can specify a custom PASV port range. Specify some high range of ports, say 45200 to 45500 or something like that. Then in your ASA allow those ports to the IP of the FTP server.
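Added here as an illustration of the two points the answers above keep returning to (the masquerade address the server advertises, and the PASV port range you open on the firewall); this is example code written for this page, not something any poster ran. It parses the 227 PASV and 229 EPSV replies a client receives and flags an advertised address that differs from the control-connection peer or is an RFC 1918 address an external client cannot route to, and a data port outside the range allowed through the firewall. The sample replies, the client address 203.0.113.10 and the range 45200-45500 are constructed for the example.

```python
"""Check FTP passive-mode replies the way a client on the far side of a firewall sees them."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)"
# The address is implied to be the control-connection peer, which is why
# EPSV keeps working when a PASV reply carries a bad address.
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")

# RFC 1918 ranges, checked explicitly so the result does not depend on the
# Python version's notion of "private" addresses.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_passive_reply(reply: str) -> Tuple[Optional[str], int]:
    """Return (advertised_host, port); host is None for an EPSV reply."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError("PASV field out of range: " + reply)
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port <= 65535:
            raise ValueError("EPSV port out of range: " + reply)
        return None, port
    raise ValueError("not a PASV/EPSV reply: " + reply)


def check_passive_reply(reply: str, control_peer_ip: str,
                        passive_ports: Tuple[int, int]) -> Dict[str, object]:
    """Parse a passive reply and list why a client might fail to open the data connection.

    control_peer_ip: the server address the client's control connection goes to.
    passive_ports:   (low, high) range the firewall allows to the FTP server.
    """
    host, port = parse_passive_reply(reply)
    findings: List[str] = []
    lo, hi = passive_ports
    if not lo <= port <= hi:
        findings.append(f"data port {port} is outside the allowed passive range {lo}-{hi}")
    if host is not None:
        if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
            # Masquerade mismatch: a client that trusts the reply literally
            # connects somewhere other than the server it is talking to.
            findings.append(f"advertised address {host} differs from control peer {control_peer_ip}")
        if is_rfc1918(host) and not is_rfc1918(control_peer_ip):
            # Missing masquerade: the server leaked its internal address to an outside client.
            findings.append(f"advertised address {host} is not routable from {control_peer_ip}")
    return {
        "mode": "PASV" if host is not None else "EPSV",
        "host": host if host is not None else control_peer_ip,
        "port": port,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample replies: a server without a masquerade address, the
    # same server via EPSV, and a server whose masquerade address matches.
    samples = [
        ("227 Entering Passive Mode (10,0,0,5,176,112)", "203.0.113.10"),
        ("229 Entering Extended Passive Mode (|||45250|)", "203.0.113.10"),
        ("227 Entering Passive Mode (203,0,113,5,176,178)", "203.0.113.5"),
    ]
    for reply, peer in samples:
        result = check_passive_reply(reply, peer, (45200, 45500))
        print(result["mode"], result["host"], result["port"], result["findings"] or "ok")
```

Run it against replies captured from your own client's debug output (most console clients print the 227/229 lines) and substitute the port range you actually opened on the ASA; an empty findings list for PASV but not for EPSV, or the reverse, tells you whether the problem is the advertised address or the port range before you touch the inspection policy.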
The ASAs don't have a fixup command like the PIX did.
Are you using the default inspections on FTP traffic via a service policy rule?
Hi, try the following things:
ftp mode passive
policy-map global_policy
  class inspection_default
    inspect ftp
I am not exactly sure what the first command does, but I saw it in a couple of running configs. Just give it a try.
But I am quite sure that you need to create a policy-map with an FTP inspection. That's the thing they called fixup protocols on the PIX before. It allows the ASA to open a session when the opposition chooses on which port they want to talk.
You could switch to using implicit SFTP instead and then you only need to worry about a single port to open.
I think the command "ftp mode passive" is for the ASA (router itself) to send or receive configs to or from itself, not for passing sessions. Just what I've found....