Fixup Clarification

Hi.

I have a situation where standard FTP from the inside to DMZ works fine; however, from the outside to the DMZ it only works for passive FTP (or that's what I'm told).

In brief:

The only FTP fixup is 21.

On the outside I am told that there are 2/3 FTP ports in the range 19XX. There is an access-list for each above port permitting tcp from 'any' to that port including standard ftp & ftp-data (20 & 21). I have a static mapping of the global IP to the FTP's DMZ local IP address.

i.e. access-list blah permit tcp any global_ip eq 19XX

static (DMZ, Outside) global_ip DMZ_FTP_IP netmask 255.255.255.255

The access-group is applied to the outside interface

The DMZ access-list permits the FTP ip address back out to 'any' using ip as the protocol. The access-list is bound to the DMZ interface.

I assume I don't need another fixup as the outbound connection, if not specifically allowed in an access-list, would be initiated via a temporary conduit for the session duration.

Have I missed something?

Regards

Darren
