This configuration allows both active mode and pseudo-passive mode connections from the DOS FTP client provided with windows on a cisco ASA firewall. It has been tested with ASA code 7.2(3)
!–Enable FTP Passive mode
ftp mode passive
!–Create inspection_default class-map to match the ASA’s default inspection traffic
!–Add the ‘inspection_default’ class to the global_policy w/ inspect ftp directive
!–Apply the policy globally to all interfaces
service-policy global_policy global
Essentially this enables passive FTP while simultaneously turning on advanced application inspection and what was once known as ‘protocol fixup’ for active FTP.