i've problems connecting to an ftp-server behind a cisco asa firewall using passive mode. ftp works using active and "extended passive" mode, however: when i turn off "extended passive" (epsv in ftp console client app), it does not work anylonger — all commands result in a timeout. however we need non-"extended passive" mode for some application we use.
any ideas?
thanks,
harald
UPDATE / SOLUTION
as it turns out, it was not exactly ASA's fault, or was it? i had to turn of masquerading in proftpd configuration. i had the masquerading-address in proftpd-config set to the IP address of the ftp-server domain and that resulted in unexpected things when passing traffic through the asa. now — without address masquerading — everything works very well.
Best Answer
Ancient topic, but I ran into similar problems recently and figured my $.02 might help somebody.
In my case, we're running IIS 7.5 behind a slightly older version of ASA, which we're in the process of replacing. We have an existing FTP site and my plan was to simply add FTPS support with the certificate & maybe getting our network admins to open up a few ports. IIS has a similar masquerade setting for each FTP site named "External IP Address of Firewall", which is, itself, misleading.
the TL/DR version: If your FTP server allows you to specify a masquerade IP & a range of ports used for PASV connections, you SHOULD be able to fix this by opening up those ports & disabling ftp inspection.
Due to some some other constraints, I wasn't able to get inspection disabled on our ASA, so I had to make some compromises. Here's what I observed/learned:
So in our case, when I set the masquerade IP, I was able to connect just fine via FTPS, but regular FTP would fail. When I removed the masquerade IP, I was still able to connect to both FTP and FTPS using CuteFTP, but our primary client wasn't able to connect to FTPS. (their system wasn't "smart" enough to translate the non-routable IP...)
So my lame workaround was using two separate sites: one that used a masquerade IP and required SSL, the other site that didn't.
TMI, but maybe it helps somebody work through this.