Firewall and FTP

[Brandon]

We recently went from using our ISP's firewall, to an internal Cisco ASA device, when we did this, all of our file transfers broke. After doing a bit of tinkering, I figured out using PASV allowed us to connect out.

With that said, one of our venders only allows ACTIVE FTP connections. Anyone have any ideas as to what would cause it not to allow ACTIVE connections outbound? we currently have no restrictions out outbound traffic, so that shouldn't be an issue.

 

[jdabbs]

Here's a pretty good explanation of how Active FTP works:
http://slacksite.com/other/ftp.html

1) Active FTP hates NAT;
2) if you are blocking all incoming connections, if possible you should create an exception for source port 20.

 

[Brandon]

I guess I should add, we're connecting to them, (We're the client, they're the server). We get this:

500 Default data port is not supported. Please use PORT or PASV

 

[jdabbs]

That was the condition my recommendation was based on.

Client initiates connection to server @ TCP 21 (control port). Auth data exchanged.
Client says, "Hey server, connect to me at port XXX."
Server attempts connection from Port 20, to port XXX.
Client-side firewall makes judgment call: "This is a incoming connection. Should I let it through? (SPI rules) I don't know who the recipient should be. (NAT limitation)" In your situation, it's deciding to drop it.

A smart device would look at the traffic table and assume a correlation between a session on 21 and an inbound connection on port 20. Cisco has a tutorial on configuring an ASA to do just that:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml

Interestingly, they also use the same diagrams as the link in my previous post. I wonder which party ripped off the other...