Enable DOS FTP client through ASA

This configuration allows both active mode and pseudo-passive mode connections from the DOS FTP client provided with Windows through a Cisco ASA firewall. It has been tested with ASA code 7.2(3).

! Enable FTP passive mode
ftp mode passive

! Create the inspection_default class-map to match the ASA's default inspection traffic
class-map inspection_default
 match default-inspection-traffic

! Add the inspection_default class to global_policy with the inspect ftp directive
policy-map global_policy
 class inspection_default
  inspect ftp

! Apply the policy globally to all interfaces
service-policy global_policy global

Essentially this enables passive FTP while simultaneously turning on advanced application inspection and what was once known as ‘protocol fixup’ for active FTP.
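
To show what FTP inspection has to read from the control channel before the data connection can pass, the Python below (an added example, not part of the original post) parses the PORT command used in active mode and the 227 reply used in passive mode, derives the data-channel endpoint, and flags an advertised address that differs from the sender. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT (RFC 959) and by the 227 reply to PASV
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (IPv4Address, port) from a PORT command or 227 reply, else None."""
    verb = line.strip().split(" ", 1)[0].upper()
    m = _HOSTPORT.search(line)
    if verb not in ("PORT", "227") or not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def data_channel(line, sender_ip):
    """Describe the data connection one line negotiates; sender_ip is who sent it."""
    parsed = parse_hostport(line)
    if parsed is None:
        return None
    ip, port = parsed
    active = line.strip().upper().startswith("PORT")
    return {
        "mode": "active" if active else "passive",
        # active: the server connects in to the client; passive: the client connects out
        "initiator": "server" if active else "client",
        "listener": (str(ip), port),
        # advertised address differs from the sender: data would go to a third host
        "mismatch": ip != ipaddress.IPv4Address(sender_ip),
        "privileged_port": port < 1024,
    }


# Constructed sample lines using documentation address ranges
SAMPLES = [
    ("PORT 192,0,2,10,19,137", "192.0.2.10"),
    ("227 Entering Passive Mode (198,51,100,5,195,80)", "198.51.100.5"),
    ("PORT 203,0,113,7,0,22", "192.0.2.10"),
]

if __name__ == "__main__":
    for line, sender in SAMPLES:
        print(line, "->", data_channel(line, sender))
```

In active mode the listener is on the client side, so the server's inbound data connection only passes the firewall if something has read the PORT line and opened that one address and port for it.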
