Kings,

Regardless of the interface it's received on, as soon as the ASA receives
traffic destined for TCP 21 it will initiate the FTP inspection (as long
as it hasn't been disabled), which knows the detailed traffic flows for
active/passive FTP, so it can allow the necessary ports to be opened and
ensure the traffic conforms.

So in answer to your question, only port TCP 21 needs opening.
On the other hand, port 20 is used in active FTP connections, and is the
source port used by the server to connect to the client's remote port
specified during the initial connection setup. So it is typically not required
to be opened anyway, as this will be handled by inspection on the return
flow.

HTH
Stu

On Thu, Jan 21, 2010 at 7:47 AM, Kingsley Charles <
[email protected]> wrote:

> Hi all
>
> When the FTP client is on the inside and the server is outside, then the ASA
> inspection will take care of the connection by having dynamic openings. For the
> case when the FTP client is outside and the server is inside, what
> ports should be open in the ACL?
>
>
>
> ftp client --------------- outside ASA inside ----------------------- ftp
> server
>
>
> Since, the ftp client is outside, if we just open the control port (21),
> will it work?
>
>
> *First solution*
>
> access-list ftpacl permit tcp any any eq 21
> access-list ftpacl permit tcp any any eq 20
>
>
>
>
> *Second solution*
>
>
> access-list ftpacl permit tcp any any eq 21
>
>
> Bit confused, which solution should be used?
>
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>


-- 
Regards,

Stuart Hare
CCIE #25616 (Security), CCSP, Microsoft MCP
Sr. Support Engineer – IPexpert, Inc.
URL: http://www.IPexpert.com
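As an added example (not configuration from either poster), here is the shape of the "second solution" on an ASA with FTP inspection left enabled: the inbound ACL on the outside interface permits only TCP 21 to the server, and the default global service policy opens the data channel dynamically, whether the server connects back from port 20 (active mode) or the client connects inbound to a server-announced port (passive mode). The server address 203.0.113.10 is a placeholder; whether the ACL must match the server's real or translated address depends on the ASA release (real address from 8.3 onward), and any NAT statement for the server is omitted.

```cisco
! Added example, not from the thread: inbound policy for an FTP server behind the ASA.
! 203.0.113.10 is a placeholder for the inside FTP server's address.
access-list ftpacl extended permit tcp any host 203.0.113.10 eq 21
access-group ftpacl in interface outside
!
! Keep FTP inspection in the default global policy so the data channel
! (server port 20 outbound in active mode, a server-announced port inbound
! in passive mode) is opened per-session by inspection rather than by a
! permanent ACL entry for port 20.
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
!
! Verify that inspection is applied and is counting FTP sessions.
show service-policy inspect ftp
```

If `inspect ftp` were removed from `inspection_default`, the single TCP 21 entry would still let the control channel through, but passive-mode transfers from an outside client would fail because the client's inbound data connection to the server's ephemeral port would no longer be opened automatically.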
