[c-nsp] FTP Problem - Cisco ASA Box
Steve Snodgrass
ssnodgra at pheran.com
Wed Aug 30 15:57:37 EDT 2006
On Wed, Aug 30, 2006 at 03:44:06PM -0400, Paul Stewart wrote:
> I'm having an issue with a new Cisco ASA5520 for ftp'ing to remote
> sites... Some sites work but very very slow and other sites come back
> with "illegal port" error. Have tried active and passive mode transfers
> from my CuteFTP client...
> policy-map AIP
>  class AIP
>   ips inline fail-open
> !
> service-policy AIP global
I'd say the fact that you have no 'inspect ftp' statement in your global
policy is a red flag. Active mode FTP certainly will not work without it,
though in theory passive mode could still work. Try adding a class
inspection-default with 'inspect ftp' and see if things improve.
--
Steve Snodgrass * ssnodgra at pheran.com * Network and Unix Guru(?) at Large
"If you want to be somebody else, change your mind." -Sister Hazel
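
The role FTP inspection plays in the reply above, as an added Python sketch (not part of the original thread, and not Cisco's implementation): it reads the data-channel endpoint negotiated on the control channel so the matching data connection can be permitted. The policy in `data_conn_allowed` (outbound permitted, inbound denied unless expected) is an assumption, and the session lines and addresses are constructed.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) from a PORT command or 227 reply, or None if invalid."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def pinholes(control_lines):
    """Collect the data-channel endpoints negotiated on the control channel.

    control_lines: iterable of (sender, text), sender is "client" or "server".
    Returns a set of (direction, ip, port) the firewall should expect.
    """
    expected = set()
    for sender, text in control_lines:
        verb = text.split(" ", 1)[0].upper()
        if sender == "client" and verb == "PORT":      # active mode
            ep = parse_hostport(text)
            if ep:
                expected.add(("inbound", *ep))         # server connects in to the client
        elif sender == "server" and verb == "227":     # passive mode
            ep = parse_hostport(text)
            if ep:
                expected.add(("outbound", *ep))        # client connects out to the server
    return expected

def data_conn_allowed(direction, ip, port, expected, inspect_ftp):
    """Assumed policy: outbound is permitted; inbound needs an inspection pinhole."""
    if direction == "outbound":
        return True
    return inspect_ftp and (direction, ip, port) in expected

# Constructed control-channel exchange (documentation address ranges)
SESSION = [
    ("client", "PORT 192,0,2,10,195,80"),
    ("server", "200 PORT command successful"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (198,51,100,7,19,137)"),
]
```

Under the assumed policy, the active-mode data connection is allowed only when inspection is on, while the passive-mode one goes out regardless.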