Firewall and FTP

We recently went from using our ISP's firewall to an internal Cisco ASA device. When we did this, all of our file transfers broke. After doing a bit of tinkering, I figured out that using PASV allowed us to connect out.

With that said, one of our vendors only allows ACTIVE FTP connections. Anyone have any ideas as to what would cause it not to allow ACTIVE connections outbound? We currently have no restrictions on outbound traffic, so that shouldn't be an issue.
Here's a pretty good explanation of how Active FTP works:

1) Active FTP hates NAT;
2) if you are blocking all incoming connections, if possible you should create an exception for source port 20.
That was the condition my recommendation was based on.

Client initiates connection to server @ TCP 21 (control port). Auth data exchanged.
Client says, "Hey server, connect to me at port XXX."
Server attempts connection from Port 20, to port XXX.
Client-side firewall makes a judgment call: "This is an incoming connection. Should I let it through? (SPI rules) I don't know who the recipient should be. (NAT limitation)" In your situation, it's deciding to drop it.

A smart device would look at the traffic table and assume a correlation between a session on 21 and an inbound connection on port 20. Cisco has a tutorial on configuring an ASA to do just that:


Interestingly, they also use the same diagrams as the link in my previous post. I wonder which party ripped off the other...
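The exchange described above, modelled as an added example (not code from the thread or from Cisco's tutorial): a toy FTP-aware NAT inspector that parses the client's PORT command on the port-21 session, rewrites it to advertise the firewall's public address, and opens the matching pinhole for the server's connection back from port 20. All addresses are constructed (RFC 1918 and RFC 5737 documentation ranges); the class and function names are hypothetical.

```python
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port_command(line):
    """Return (ip, port) from a 'PORT h1,h2,h3,h4,p1,p2' control-channel line."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % line)
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def format_port_command(ip, port):
    """Inverse of parse_port_command: build the PORT line advertising ip:port."""
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

class FtpInspector:
    """Toy model of an FTP-aware NAT firewall watching outbound port-21 sessions."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.pinholes = {}  # (server_ip, 20, public_ip, data_port) -> inside client

    def outbound_control_line(self, client_ip, server_ip, line):
        """Inspect one client->server line; return what gets forwarded to the server."""
        if not line.startswith("PORT "):
            return line
        adv_ip, data_port = parse_port_command(line)
        if adv_ip != client_ip:
            raise ValueError("PORT address %s != session source %s" % (adv_ip, client_ip))
        # Expect the server to connect back from port 20 to our public address; map it home.
        self.pinholes[(server_ip, 20, self.public_ip, data_port)] = client_ip
        return format_port_command(self.public_ip, data_port)

    def inbound_decision(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host for an unsolicited inbound SYN, or None to drop it."""
        return self.pinholes.get((src_ip, src_port, dst_ip, dst_port))

def demo():
    """Constructed session: private client behind public 203.0.113.10 (RFC 5737)."""
    fw = FtpInspector(public_ip="203.0.113.10")
    client, server = "192.168.1.25", "198.51.100.7"
    sent = fw.outbound_control_line(client, server, "PORT 192,168,1,25,195,80")
    # Unrewritten, the server would try 192.168.1.25:50000 and fail behind NAT.
    hit = fw.inbound_decision(server, 20, "203.0.113.10", 50000)
    miss = fw.inbound_decision(server, 20, "203.0.113.10", 50001)
    return sent, hit, miss
```

Without the rewrite step, the server receives the client's private address and its port-20 connection never reaches the firewall at all, which is the "Active FTP hates NAT" case; with it, only the one expected SYN is forwarded and anything else from port 20 is dropped.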