Wednesday, January 12, 2011

How to allow FTP protocol behind Cisco ASA Firewall

We're having trouble getting to our FTP server from behind a Cisco ASA firewall that we just installed. We've got HTTP and other protocols working, but FTP doesn't seem to work properly.

I can connect to the server, but I can't run any commands in it, which I think has something to do with passive and active FTP modes.

Is there an issue regarding a negotiated port that I'll never really know until after the server has connected?

  • I would check to make sure the DNS Inspect Map is turned off. I have seen a lot of problems with both FTP and SMTP when the ASA is using the default Inspect maps.

    From Zypher
  • I'm guessing you're having problems with active FTP. You're looking for the following:

    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map asa_global_fw_policy
     class inspection_default
     inspect ftp
    !
    service-policy asa_global_fw_policy global

    The ASA doesn't have a "fixup ftp" like the PIX did, but this will do what you need.

  • You could just direct your users to use passive FTP, as this will initiate the data transfer from the inside (assuming all outbound connections are allowed) as opposed to the server that you're FTPing to initiating it, which is what is causing your problem.

    From GregD
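The negotiated data port that both the "inspect ftp" answer and GregD's passive-mode answer turn on lives inside the control channel, which is why a plain port-based rule cannot see it. The following Python example is added here and is not code from the original thread or from Cisco: it decodes the PORT command and the 227 reply the same way an FTP inspection engine must, and reports which side will open the data connection. The sample control-channel lines and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed control-channel lines (not real captures): an active-mode PORT
# command sent by the client, and a passive-mode 227 reply sent by the server.
SAMPLE_ACTIVE_PORT = "PORT 10,1,2,3,195,80"
SAMPLE_PASSIVE_227 = "227 Entering Passive Mode (203,0,113,10,39,16)."

# h1,h2,h3,h4,p1,p2 encoding shared by PORT and 227 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active" or "passive"
    initiator: str   # side that opens the TCP data connection
    host: str        # address the data connection is made to
    port: int        # negotiated data port, known only from the control channel


def parse_hostport(text: str) -> Tuple[str, int]:
    """Decode an h1,h2,h3,h4,p1,p2 tuple into ("a.b.c.d", port)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no host-port tuple in: {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"byte out of range in: {text!r}")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def negotiated_data_channel(line: str) -> Optional[DataChannel]:
    """Return the data connection a control-channel line negotiates, or None.

    Active mode: the client sends PORT and the *server* connects back to the
    client; without inspection that inbound connection is dropped at the ASA.
    Passive mode: the server answers 227 and the *client* connects out, which
    an allow-all-outbound policy already permits.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        host, port = parse_hostport(line)
        return DataChannel("active", "server", host, port)
    if line.startswith("227 "):
        host, port = parse_hostport(line)
        return DataChannel("passive", "client", host, port)
    return None  # not a data-channel negotiation (USER, PASS, LIST, ...)
```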
