Enabling passive FTP through Cisco ASA

As I explained in this post on 1:1 NAT (with the PPTP passthrough example), you can add further PAT entries simply by extending the access-list. At one customer I ran into a problem, though: FTP additionally needs an inspection entry on the firewall. The customer runs a passive FTP server on TCP port 3002, which I forwarded to the inside host:

object network MyFTPserver
 host 192.168.23.33
!
object network MyFTPserver
 nat (inside,outside) static 88.77.66.24
!
access-list world_in extended permit tcp any object MyFTPserver eq 3002
access-group world_in in interface outside

From outside he could connect to the server, but he could not list any directory: in passive mode the data connection goes to a dynamic port that the server announces in its PASV reply, and the access-list only permits port 3002. The ASA's default inspection policy only handles FTP on port 21, so I added an inspection class for the custom port. The FTP inspection engine then reads the PASV reply, rewrites the embedded private address to the NAT address and opens a pinhole for the data connection:

class-map class_ftp
 match port tcp eq 3002
!
policy-map global_policy
 class class_ftp
  inspect ftp
!
service-policy global_policy global

After this change the problem was solved!
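As an added example that is not part of the original post, here is a small Python audit that parses an ASA running-config and reports which TCP ports actually get FTP inspection from a globally applied policy-map, which is the check you want before blaming the access-list. The sample config is constructed from the snippets above plus the ASA's stock inspection_default class; it is not the customer's real config.

```python
import re

# Constructed ASA running-config excerpt mirroring the post's snippets (not the
# customer's real config); inspection_default is the class the ASA ships with.
SAMPLE_CONFIG = """\
class-map inspection_default
 match default-inspection-traffic
class-map class_ftp
 match port tcp eq 3002
policy-map global_policy
 class inspection_default
  inspect ftp
 class class_ftp
  inspect ftp
service-policy global_policy global
"""

def ftp_inspected_ports(config):
    """Return the set of TCP ports that a globally applied policy-map
    inspects as FTP. default-inspection-traffic counts as tcp/21 only."""
    class_ports = {}      # class-map name -> TCP ports it matches
    policy_classes = {}   # policy-map name -> classes carrying 'inspect ftp'
    global_policies = set()
    cmap = pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # top-level command: reset context
            cmap = pmap = cls = None
        if m := re.match(r"class-map (\S+)$", line):
            cmap = m.group(1)
        elif m := re.match(r"policy-map (\S+)$", line):
            pmap = m.group(1)
        elif m := re.match(r"service-policy (\S+) global$", line):
            global_policies.add(m.group(1))
        elif cmap and (m := re.match(r"match port tcp eq (\d+)$", line)):
            class_ports.setdefault(cmap, set()).add(int(m.group(1)))
        elif cmap and line == "match default-inspection-traffic":
            class_ports.setdefault(cmap, set()).add(21)
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif pmap and cls and line == "inspect ftp":
            policy_classes.setdefault(pmap, set()).add(cls)
    ports = set()
    for pol in global_policies:           # only globally applied policies count
        for c in policy_classes.get(pol, ()):
            ports |= class_ports.get(c, set())
    return ports
```

Run it against `show running-config` output; a port missing from the result means passive data connections on that server will be dropped exactly as described above.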
