On Thu, Jan 21, 2010 at 6:09 PM, faisal bhura <[email protected]> wrote:

> Here is a description of both the active and passive FTP usage:
>
> When we have the below scenario:
>
> Server---I(ASA)O---client
>
> a) Passive Client
>
> Client connects to server’s public IP on port 21, authenticates. After this
> client enters passive mode using PASV command. When server receives PASV
> command, it generates a message in which client is informed about the port
> it needs to connect to for data transfer. However, server uses its own
> private IP address in the communication and because firewall is not doing
> FTP inspection, it will not modify/translate the payload to the public IP of
> server. Hence, client receives private IP address of the server and is
> unable to connect for data connection.
>
> Solution: Enable FTP inspection.
>
> b) Active Client
>
> Client connects to server public IP on port 21, authenticates. Then client
> sends a PORT command. Server calculates the port to which it needs to
> connect to the client and initiates the connection to the port from
> source-port TCP/20 (ftp-data). Outbound connection works fine because, by
> default, outbound traffic is permitted on ASA.
>
> FTP Inspection required: NO.
>
> Faisal Bhura

--
Regards
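Added example, not part of the original thread: a Python sketch of the passive-mode case described above, showing the 227 reply the outside client sees without inspection and the payload rewrite that inspection performs. The addresses (192.168.1.10 inside, 203.0.113.10 outside), the NAT table and all function names are constructed for illustration; this is not ASA code.

```python
import ipaddress
import re

# RFC 959 reply format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 [^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: static NAT entry and the server's raw PASV reply.
STATIC_NAT = {ipaddress.IPv4Address("192.168.1.10"):
              ipaddress.IPv4Address("203.0.113.10")}
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)"

def parse_pasv(reply):
    """Return (ip, port) from one 227 reply line, or None if it is not valid."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]   # data port = p1*256 + p2

def client_can_reach(reply):
    """An outside client cannot open the data connection to an RFC 1918 address."""
    parsed = parse_pasv(reply)
    return parsed is not None and not any(parsed[0] in n for n in RFC1918)

def inspect_rewrite(reply, static_nat):
    """Swap the embedded private address for its NAT mapping; other lines pass through."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] not in static_nat:
        return reply
    ip, port = parsed
    public = str(static_nat[ip]).replace(".", ",")
    return f"227 Entering Passive Mode ({public},{port >> 8},{port & 0xFF})"

if __name__ == "__main__":
    print("no inspection:", SAMPLE_REPLY, "reachable =", client_can_reach(SAMPLE_REPLY))
    fixed = inspect_rewrite(SAMPLE_REPLY, STATIC_NAT)
    print("inspection:   ", fixed, "reachable =", client_can_reach(fixed))
```

The rewritten reply can differ in length from the original, so a real inspection engine also has to adjust TCP sequence numbers on the control connection; the sketch covers only the payload translation.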
