
Tuesday 8 May 2012

Cisco ASA, FTP and Illegal Port 500

By default a Cisco ASA running version 7.0 or above will not allow active FTP through it. On the PIX this used to be configured with the 'fixup ftp' commands, but on the ASA you now have to configure FTP inspection in your service policy.

What you need to do is create a class map based on an ACL that matches the interesting traffic, so make sure the ACL matches both the source traffic and the FTP port.

Next create a policy map based on this class map and then in the policy map inspect ftp.

This policy map can then be assigned to the global service policy for the device.

Here is our example.

First is the ACL called csc_out, which matches all traffic from the inside VLANs (object-group obj-inside-vlan) to any destination on http and ftp:


access-list csc_out extended permit tcp object-group obj-inside-vlan any eq www
access-list csc_out extended permit tcp object-group obj-inside-vlan any eq ftp

Next I have a class map to match our ACL:


class-map csc_outbound_class
 match access-list csc_out

Then a policy map that references our class map and inspects ftp:


policy-map csc_out_policy
 class csc_outbound_class
  inspect ftp

Finally we apply the policy map as the service policy on the Inside interface:

service-policy csc_out_policy interface Inside

Now active FTP will work and you will no longer get the '500 Illegal PORT command' error.
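As an added illustration (not from the original post), here is a small Python model of why active FTP breaks through the ASA without inspection and what 'inspect ftp' fixes: the client embeds its own inside address in the PORT command, so a server behind NAT sees an address that does not match the control connection and replies 500 Illegal PORT command. The addresses and the PORT line are constructed sample values, and the server-side check is a simplified model of what real FTP servers do.

```python
import re

# Constructed sample: an inside client behind the ASA (private address) opens an
# active-mode data channel by telling the server where to connect back to.
CLIENT_INSIDE_IP = "10.1.1.20"
ASA_OUTSIDE_IP = "203.0.113.5"      # the NAT'd address the FTP server actually sees
SAMPLE_PORT_CMD = "PORT 10,1,1,20,4,1"  # 10.1.1.20, port 4*256+1 = 1025

_PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$", re.IGNORECASE)


def parse_port(cmd):
    """Decode an RFC 959 PORT command into (ip, port); raise on malformed input."""
    m = _PORT_RE.match(cmd)
    if not m:
        raise ValueError(f"malformed PORT command: {cmd!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.group(1).split(","))
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PORT octets must be 0-255")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def server_accepts(cmd, control_peer_ip):
    """Simplified model of the server's sanity check: the PORT address must be the
    control connection's peer (and a non-privileged port), otherwise the server
    answers '500 Illegal PORT command' instead of connecting back."""
    ip, port = parse_port(cmd)
    return ip == control_peer_ip and port >= 1024


def inspect_ftp_rewrite(cmd, nat_ip):
    """What 'inspect ftp' does for us on the ASA: rewrite the inside address embedded
    in the PORT command to the NAT'd outside address (the ASA also opens a pinhole
    so the server's inbound data connection to that port is permitted)."""
    _, port = parse_port(cmd)
    octets = nat_ip.split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(octets)


def demo():
    """Return (accepted without inspection, rewritten command, accepted with it)."""
    without = server_accepts(SAMPLE_PORT_CMD, ASA_OUTSIDE_IP)
    rewritten = inspect_ftp_rewrite(SAMPLE_PORT_CMD, ASA_OUTSIDE_IP)
    with_inspect = server_accepts(rewritten, ASA_OUTSIDE_IP)
    return without, rewritten, with_inspect


if __name__ == "__main__":
    print(demo())  # (False, 'PORT 203,0,113,5,4,1', True)
```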

