Thursday, March 26, 2015

Cisco ASA: Configuring FTP Access To FTP Server

I was asked by one of my customers to configure the Cisco ASA firewall to allow FTP traffic to their FTP server internally. Below is the topology and the config I put in. This is for the 8.3 code and higher; I think I had 9.1 on this one. I highlighted the notes (the *** lines) so that you know each command's purpose.
Now, the config:
*** Create the service for reference ***
object service FTP
 service tcp destination eq ftp 

*** Create the internal IP for the client ***
object network FTP_Inside

*** Create the external IP for the client ***
object network FTP_Outside

*** Allow the external ACL to allow the traffic ***
access-list acl_inbound extended permit tcp any host eq ftp 

*** Create the static NAT translation for that service only ***
nat (inside,outside) source static FTP_Outside FTP_Outside destination static FTP_Inside FTP_Inside service FTP FTP
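As an added example that is not part of the original post: a small Python check that reads an ASA config in the style of the one above and confirms the exposure is as narrow as intended (ACL limited to tcp/21 on the mapped address, NAT carrying the FTP service object, and FTP inspection present for the data channel). The host addresses in the sample are constructed placeholders, not values from the customer's network.

```python
import re

# Constructed sample in the style of the post; the host addresses are placeholders.
SAMPLE_CONFIG = """
object service FTP
 service tcp destination eq ftp
object network FTP_Inside
 host 10.0.0.21
object network FTP_Outside
 host 203.0.113.21
access-list acl_inbound extended permit tcp any host 203.0.113.21 eq ftp
nat (inside,outside) source static FTP_Outside FTP_Outside destination static FTP_Inside FTP_Inside service FTP FTP
policy-map global_policy
 class inspection_default
  inspect ftp
"""


def parse_objects(cfg):
    """Map each 'object network' name to its 'host' address (None if no host line)."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            cur = m.group(1)
            objs[cur] = None
        elif cur and line.strip().startswith("host "):
            objs[cur] = line.split()[1]
    return objs


def audit_ftp_exposure(cfg):
    """Return the checks a reviewer would want answered before approving the change."""
    objs = parse_objects(cfg)
    findings = {}
    # 1. Every inbound permit must be tcp to a single host on port 21 only.
    acl = re.findall(r"access-list \S+ extended permit (\S+) (\S+) host (\S+) eq (\S+)", cfg)
    findings["acl_ftp_only"] = bool(acl) and all(p == "tcp" and port == "ftp" for p, _, _, port in acl)
    # 2. The ACL destination must be the mapped (outside) address of the server.
    findings["acl_targets_mapped_ip"] = any(dst == objs.get("FTP_Outside") for _, _, dst, _ in acl)
    # 3. The NAT line must carry the FTP service object so only tcp/21 is translated.
    nat = re.search(r"^nat \(inside,outside\) .* service (\S+) (\S+)$", cfg, re.M)
    findings["nat_service_limited"] = nat is not None and nat.group(1) == nat.group(2) == "FTP"
    # 4. FTP inspection opens the data-channel pinholes for active and passive mode.
    findings["inspect_ftp_enabled"] = re.search(r"^\s+inspect ftp\s*$", cfg, re.M) is not None
    return findings
```

A config that drops `inspect ftp` from the global policy, or widens the ACL beyond `eq ftp`, fails the corresponding check.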


  1. Very nice. Will this config handle both active and passive modes, or does that require any kind of "fixup" to be applied?

    1. Good question. The customer had not said anything to me about it. But I'm thinking it's for active only. I think for passive to work, you would probably have to do an "inspect ftp" on the default policy, which I didn't do, I'm sure. But, I think it's on by default in the default policy.


