Network Guys

Share your knowledge!

Enabling passive FTP through Cisco ASA

As I explained 1:1 NAT (with example for PPTP passthrough) in this post you can also add more PAT just based on your access-list. I recognized a problem at one customer that FTP needs an inspection firewall entry. The customer runs a passive FTP server on tcp port 3002 which I forwarded to inside:

object network MyFTPserver

object network MyFTPserver
nat (inside,outside) static

access-list world_in extended permit tcp any object MyFTPserver eq 3002

access-group world_in in interface outside

He could connect from outside but can’t list the folders so I configured a inspection firewall setting:

class-map class_ftp
match port tcp eq 3002

policy-map global_policy
class class_ftp
inspect ftp

service-policy global_policy global

After this input the problem was solved!

Leave a Reply

Click on the button to load the content from

Load content

This site uses Akismet to reduce spam. Learn how your comment data is processed.


ekahau Certified Survey Engineer
Post Categories
Post Archives