Enabling passive FTP through Cisco ASA

As I explained 1:1 NAT (with example for PPTP passthrough) in this post you can also add more PAT just based on your access-list. I recognized a problem at one customer that FTP needs an inspection firewall entry. The customer runs a passive FTP server on tcp port 3002 which I forwarded to inside:

object network MyFTPserver

object network MyFTPserver
nat (inside,outside) static

access-list world_in extended permit tcp any object MyFTPserver eq 3002

access-group world_in in interface outside

He could connect from outside but can’t list the folders so I configured a inspection firewall setting:

class-map class_ftp
match port tcp eq 3002

policy-map global_policy
class class_ftp
inspect ftp

service-policy global_policy global

After this input the problem was solved!

Leave a Comment