Problem : FileZilla FTPS, Cisco ASA – 425 Can’t open data connection.

Hello, I am trying to set up simple FTPS using both the FileZilla Client and FileZilla server.  The FTPS server itself is behind a Cisco ASA Firewall.  After configuring both the FileZilla FTPS server and the Cisco ASA, I can connect to the FTPS server, but cannot transfer files or get a directory listing.  The error is “425 Can’t open data connection.”

Now I know this normally is a PASSIVE FTP issue, so here’s what I’ve done so far:

* Set both the FTP Client and Server to default to PASSIVE mode.
* Set the FTP Client to use implicit TLS (FTPS).
* Set FTP server to listen on port 22, and only allow encrypted FTP.
* Configured FTP server to use ports 3500 to 3600 for PASV port ranges
* Configured the ASA to forward ports 880, 22, and 3500-3600 (Pasv port range)
* Made sure ‘inspect ftp’ is configured on ASA (to fixup FTP traffic)

Solution: FileZilla FTPS, Cisco ASA – 425 Can’t open data connection.

It sounds like you’re mixing up FTPS and SFTP a bit.  FTPS still uses 21/tcp as its control channel (in explicit mode) while SFTP uses 22/tcp for all traffic.  For implicit mode, you want to make sure 990/tcp and 989/tcp are forwarded.
There’s not much point in using the ‘inspect ftp’ option as the ASA will be unable to inspect anything on the data channel once encryption is engaged.  For active FTP, you’ll need to specify a specific port range on the FileZilla server and make sure those are covered in your inside_in access-list if you have one.  The passive port forwarding still looks good though.

Personally, due to the headaches of running FTP and FTPS through firewalls, I’ve just standardized on using SFTP (which does everything on a single TCP port) for this sort of thing.  The FileZilla client fully supports it, but the FileZilla server doesn’t.  FreeFTPd works very nicely though.
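The two checks the answer above boils down to (are the right control ports and the whole passive range forwarded, and is the server advertising a reachable address on a port inside that range) can be scripted. The following is an added example written for this page, not code from the thread or from FileZilla or Cisco. It assumes a hypothetical public address 203.0.113.5 for the firewall and uses constructed `227` PASV replies; the port-list format is a simple list of ints and (low, high) tuples standing in for the ASA forwarding rules. Because the ASA cannot rewrite the PASV reply inside a TLS session, the server itself must advertise the external address, which is what the second check looks for.

```python
import re
from ipaddress import ip_address, ip_network

# Control/data ports FTPS needs per mode, as stated in the answer:
# explicit FTPS uses 21/tcp; implicit FTPS uses 990/tcp (control) and 989/tcp (data).
CONTROL_PORTS = {"explicit": {21}, "implicit": {989, 990}}

# RFC 1918 ranges; a PASV reply carrying one of these cannot be reached from outside.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def required_ports(mode, pasv_range):
    """Every inbound TCP port FTPS in `mode` needs with the given passive range."""
    lo, hi = pasv_range
    return CONTROL_PORTS[mode] | set(range(lo, hi + 1))


def forwarded_ports(rules):
    """Expand a list of ints and (lo, hi) tuples (the firewall's forwards) to a set."""
    ports = set()
    for rule in rules:
        if isinstance(rule, tuple):
            ports.update(range(rule[0], rule[1] + 1))
        else:
            ports.add(rule)
    return ports


def missing_forwards(mode, pasv_range, rules):
    """Ports FTPS needs that the firewall does not forward, sorted."""
    return sorted(required_ports(mode, pasv_range) - forwarded_ports(rules))


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def check_pasv(reply, public_ip, pasv_range):
    """Explain why a client could fail to open the data connection after this PASV reply."""
    host, port = parse_pasv(reply)
    problems = []
    if host != public_ip:
        if any(ip_address(host) in net for net in RFC1918):
            problems.append("server advertised private address %s; set the external "
                            "IP in the FTP server's passive settings, the firewall "
                            "cannot rewrite it inside TLS" % host)
        else:
            problems.append("server advertised %s, expected %s" % (host, public_ip))
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append("advertised data port %d is outside forwarded range %d-%d"
                        % (port, lo, hi))
    return host, port, problems


if __name__ == "__main__":
    # Constructed data mirroring the question: implicit FTPS, PASV 3500-3600,
    # firewall forwarding 880, 22 and 3500-3600.
    print("missing forwards:", missing_forwards("implicit", (3500, 3600),
                                                [880, 22, (3500, 3600)]))
    # Constructed PASV reply from a server that still advertises its LAN address.
    print(check_pasv("227 Entering Passive Mode (192,168,1,10,13,172)",
                     "203.0.113.5", (3500, 3600)))
```

Run against the question's own settings, `missing_forwards` reports 989 and 990 as unforwarded, which is the gap the answer points out; the PASV check flags a server that still hands out its 192.168.x.x address, the other common cause of a 425 once the control channel is encrypted.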