Howto: Permit active FTP sessions through a Cisco ASA
This is a snippet for the Cisco ASA firewall that permits active FTP sessions to pass through. This is the equivalent of the 'fixup ftp' commands of previous PIX OS versions. For whatever reason this functionality was no longer enabled by default in my Cisco ASA 5510 [Cisco Adaptive Security Appliance Software Version 7.0(5)].
If you are already using the class-map, policy-map or service-policy commands, this snippet is probably not going to work. You would need to implement similar commands without disrupting the rest of your service policy. In that case, however, you probably should already know what you are doing.
Here is the snippet:
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
!
service-policy asa_global_fw_policy global
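The caveat above about an existing class-map, policy-map or service-policy can be checked before the snippet is applied. The following is an added example, not part of the original page or any Cisco tool: it reads saved configuration text and reports whether a globally bound policy already inspects FTP. The function names, status strings and the second sample config are constructed for illustration.

```python
# Added example: audit an ASA config before applying the page's snippet.
# Function names and status strings are hypothetical; sample configs are constructed.
SUBCOMMANDS = ("match", "class", "inspect")

def parse_asa_policy(config):
    """Return ({policy: {class: [inspect args]}}, [(policy, scope)])."""
    policy_maps, bindings = {}, []
    pmap = pclass = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "policy-map":
            pmap, pclass = words[-1], None
            policy_maps[pmap] = {}
        elif words[0] == "service-policy" and len(words) >= 3:
            bindings.append((words[1], " ".join(words[2:])))
            pmap = pclass = None
        elif words[0] == "class" and pmap and len(words) > 1:
            pclass = words[1]
            policy_maps[pmap][pclass] = []
        elif words[0] == "inspect" and pclass:
            policy_maps[pmap][pclass].append(words[1:])
        elif words[0] not in SUBCOMMANDS and not raw[0].isspace():
            pmap = pclass = None  # any other top-level command ends the block
    return policy_maps, bindings

def ftp_inspection_status(config):
    policy_maps, bindings = parse_asa_policy(config)
    global_names = [name for name, scope in bindings if scope == "global"]
    if not global_names:
        return "no-global-policy"   # nothing bound globally: snippet applies cleanly
    classes = policy_maps.get(global_names[0], {})
    if any(a[:1] == ["ftp"] for inspects in classes.values() for a in inspects):
        return "ftp-inspected"
    return "merge-required"         # add 'inspect ftp' to the existing policy instead

# Constructed sample inputs: the page's snippet, and a config with a prior global policy.
PAGE_SNIPPET = ("class-map inspection_default\n match default-inspection-traffic\n!\n"
                "policy-map asa_global_fw_policy\n class inspection_default\n"
                "  inspect ftp\n!\nservice-policy asa_global_fw_policy global\n")
EXISTING_POLICY = ("policy-map global_policy\n class inspection_default\n"
                   "  inspect dns\n  inspect http\nservice-policy global_policy global\n")

if __name__ == "__main__":
    for name, cfg in (("page snippet", PAGE_SNIPPET), ("existing policy", EXISTING_POLICY)):
        print(name, "->", ftp_inspection_status(cfg))
```

A result of merge-required means a policy is already bound globally without FTP inspection, so the inspect ftp line belongs in that policy rather than in a second one.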