By default a Cisco ASA running version 7.0 and above will not allow active FTP. On the PIX this used to be configured with the 'fixup ftp' command, but on the ASA you now have to configure it in your service policy.
First, create a class map based on an ACL that matches the interesting traffic. Make sure the ACL matches the FTP control channel (TCP port ftp, i.e. 21), because that is the channel the inspection engine reads the PORT commands from.
Next, create a policy map that references this class map, and under that class apply inspect ftp.
This policy map is then applied to the device through a service policy, either globally or on a specific interface.
Here is our example.
First is the ACL called csc_out, which matches all traffic from the inside VLANs to any destination on http and ftp:
access-list csc_out extended permit tcp object-group obj-inside-vlan any eq www
access-list csc_out extended permit tcp object-group obj-inside-vlan any eq ftp
Next I have a class map that matches our ACL:
class-map csc_outbound_class
 match access-list csc_out
Then a policy map that references our class map and inspects ftp:
policy-map csc_out_policy
 class csc_outbound_class
  inspect ftp
Finally we apply the policy map with a service policy; here it is attached to the Inside interface:
service-policy csc_out_policy interface Inside
Active FTP will now work and you will no longer get the "500 Illegal PORT command" error.
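To see why inspect ftp matters, here is an added Python model of what an FTP application-layer inspector does with the active-mode commands on the control channel. It is not Cisco code and not from the original post: it parses PORT (RFC 959) and EPRT (RFC 2428), reproduces the server-side check that produces "500 Illegal PORT command" when the embedded address does not match the control connection peer (the check vsftpd performs by default), rewrites the embedded address across a NAT boundary the way an inspection engine does, and computes the data-channel pinhole the firewall must open. All addresses are constructed documentation-range values, and the NAT is assumed to be one-to-one (port preserved).

```python
"""Model of what an FTP application-layer inspector does with active-mode
(PORT / EPRT) commands on the control channel. Added example; not Cisco code."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DataChannel:
    host: str   # address the client asks the server to connect back to
    port: int   # TCP port on the client for the data connection


# RFC 959 PORT: "PORT h1,h2,h3,h4,p1,p2" -> host h1.h2.h3.h4, port p1*256+p2
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line: str) -> Optional[DataChannel]:
    """Parse a PORT command; return None if it is malformed."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return DataChannel(host, port) if port > 0 else None


def parse_eprt_command(line: str) -> Optional[DataChannel]:
    """Parse an RFC 2428 EPRT command: 'EPRT |1|192.0.2.10|1025|' (1 = IPv4, 2 = IPv6)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "EPRT" or not parts[1]:
        return None
    delim = parts[1][0]
    fields = parts[1].split(delim)        # '|1|host|port|' -> ['', '1', host, port, '']
    if len(fields) != 5 or fields[1] not in ("1", "2") or not fields[3].isdigit():
        return None
    port = int(fields[3])
    if not 0 < port <= 65535:
        return None
    return DataChannel(fields[2], port)


def parse_active_command(line: str) -> Optional[DataChannel]:
    return parse_port_command(line) or parse_eprt_command(line)


def server_accepts_port(line: str, control_peer: str) -> bool:
    """Server-side sanity check (what vsftpd does by default): the address embedded
    in PORT/EPRT must equal the control connection's peer, otherwise the server
    answers '500 Illegal PORT command'."""
    ch = parse_active_command(line)
    return ch is not None and ch.host == control_peer


def rewrite_port_for_nat(line: str, inside_addr: str, translated_addr: str) -> str:
    """What an inspection engine does on a NAT boundary: rewrite the inside address
    embedded in PORT to the translated address. Assumes one-to-one NAT (port kept)."""
    ch = parse_port_command(line)
    if ch is None or ch.host != inside_addr:
        return line
    octets = translated_addr.split(".")
    return "PORT %s,%d,%d" % (",".join(octets), ch.port // 256, ch.port % 256)


def pinhole_for(line: str, server_addr: str) -> Optional[Tuple[str, int, str, int]]:
    """Return the (src_host, src_port, dst_host, dst_port) TCP flow the firewall must
    permit so the server's active-mode data connection (from port 20) can come back in."""
    ch = parse_active_command(line)
    if ch is None:
        return None
    return (server_addr, 20, ch.host, ch.port)


if __name__ == "__main__":
    # Constructed scenario: inside client 10.1.1.20, statically NATed to 203.0.113.5,
    # talking to an FTP server at 198.51.100.7.
    client_line = "PORT 10,1,1,20,4,1"
    print("no inspection, server check:", server_accepts_port(client_line, "203.0.113.5"))
    fixed = rewrite_port_for_nat(client_line, "10.1.1.20", "203.0.113.5")
    print("rewritten by inspection    :", fixed)
    print("server check after rewrite :", server_accepts_port(fixed, "203.0.113.5"))
    print("pinhole opened             :", pinhole_for(fixed, "198.51.100.7"))
```

Without inspection the server sees a control connection from 203.0.113.5 but a PORT command naming 10.1.1.20, so the address check fails; with inspection the embedded address is rewritten and a pinhole for server:20 to 203.0.113.5:1025 is opened, which is exactly what the inspect ftp line in the policy map above provides.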