
Cisco ASA and Passive FTP

Tuesday, March 2nd, 2010

After installing a Cisco ASA 5505 on our network and enabling FTP inspection (the equivalent of the PIX fixup command), passive FTP stopped working against some remote servers. It turned out the ASA was dropping the reply to a PASV request whenever the remote FTP server was a Microsoft IIS server sitting behind NAT. The ASA is trying to prevent a very out of date and useless distributed denial of service (DDoS) attack that could be launched through passive FTP data transfers: it flags the reply because the IP address advertised in the 227 PASV response (the IIS server’s internal address) differs from the public IP address the ASA saw on the FTP control connection. As soon as the ASA sees that mismatch it drops the connection, claiming it has detected a bounce attack.

What’s the solution? I can only figure a few:

  1. Cisco, please add an option that lets users disable the FTP bounce-attack check. This is the best fix. FTP bounce attacks are ancient, and almost every FTP client ignores the IP address octets in the PASV reply anyway, which makes the attack obsolete. Another reason this is the best solution is that most FTP connections are initiated by users who know what they are doing and only connect to trusted FTP sites.
  2. Cisco could also check whether the advertised IP address octets fall within the registered private (internal) address ranges, and let the reply through if they do. The whole point of a bounce attack is to flood a server somewhere with thousands of connection requests, and it is not feasible to flood an internal IP address without the help of the entire internet. For a server on an internal address to be denied service, an entire company with thousands of computers would all have to hit the malicious FTP site at the same time to DoS their own internal server. Highly unlikely.
  3. Plead with Microsoft to add an option in IIS for specifying the external IP address. IIS has been around for years without this option, so I doubt they are considering it any time soon, in which case you could switch to a different FTP server.
  4. On the server side, use a firewall comparable to a Cisco ASA or PIX that monitors the server’s FTP connections (using fixup or inspect) and rewrites any private IP addresses in PASV replies to the public IP address.
  5. Disable fixup or inspect FTP on your ASA or PIX and just use passive FTP. This is the route I chose. Of course, you can no longer use active FTP once you do this! I decided that I did not care to use active FTP, as passive is preferable anyway.
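To make the behaviour concrete, here is an added Python model (not code from the post or from Cisco) of the check described above: it parses an RFC 959 `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply, compares the advertised address with the control-connection peer the way the ASA does, applies the RFC 1918 carve-out proposed in option 2, and shows what most FTP clients do (option 1): ignore the advertised octets and connect to the control peer. The sample replies and the 203.0.113.x / 198.51.100.x addresses are constructed documentation values; the function names, the `allow_private` flag and the verdict strings are assumptions of this example, not ASA configuration.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# \D* tolerates servers that omit the parentheses or vary the text.
PASV_RE = re.compile(r"^227\D*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

# The "registered address ranges of internal IP addresses" from option 2 (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample replies (not captured from the author's network).
IIS_NAT_REPLY = "227 Entering Passive Mode (192,168,1,20,19,137)."   # IIS advertises its internal IP
CONSISTENT_REPLY = "227 Entering Passive Mode (203,0,113,10,19,137)."  # server advertises its public IP
BOUNCE_REPLY = "227 Entering Passive Mode (198,51,100,5,0,80)."        # points the client at a third party
CONTROL_PEER = "203.0.113.10"  # public address the firewall saw on the control connection


@dataclass
class PasvReply:
    advertised_ip: ipaddress.IPv4Address
    port: int


def parse_pasv(line: str) -> PasvReply:
    """Parse a 227 PASV reply into the advertised address and data port (p1*256 + p2)."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in PASV reply: {line!r}")
    return PasvReply(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2)


def is_rfc1918(ip) -> bool:
    """True if the address is in 10/8, 172.16/12 or 192.168/16 (accepts str or IPv4Address)."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in RFC1918)


def inspect_pasv(line: str, control_peer: str, allow_private: bool = False):
    """Model of the firewall's bounce check on a PASV reply.

    ALLOW when the advertised address equals the control-connection peer; with
    allow_private=True (the option 2 proposal) also ALLOW when the advertised
    address is RFC 1918, since an internal address is not a usable bounce target
    from the internet. Otherwise DROP, which is what the ASA did to the IIS reply.
    Returns (verdict, reason).
    """
    reply = parse_pasv(line)
    peer = ipaddress.IPv4Address(control_peer)
    if reply.advertised_ip == peer:
        return "ALLOW", "advertised address matches control-connection peer"
    if allow_private and is_rfc1918(reply.advertised_ip):
        return "ALLOW", f"advertised {reply.advertised_ip} is RFC 1918 (server behind NAT), not a bounce target"
    return "DROP", f"advertised {reply.advertised_ip} != control peer {peer}: treated as FTP bounce"


def client_data_endpoint(line: str, control_peer: str):
    """What most FTP clients do (option 1): keep the port, ignore the octets, reuse the control peer."""
    reply = parse_pasv(line)
    return control_peer, reply.port


if __name__ == "__main__":
    for label, reply in (("IIS behind NAT", IIS_NAT_REPLY), ("consistent", CONSISTENT_REPLY), ("bounce", BOUNCE_REPLY)):
        for private_ok in (False, True):
            verdict, reason = inspect_pasv(reply, CONTROL_PEER, allow_private=private_ok)
            print(f"{label:15} allow_private={private_ok!s:5} -> {verdict}: {reason}")
    print("client would connect to", client_data_endpoint(IIS_NAT_REPLY, CONTROL_PEER))
```

Running it shows the three outcomes side by side: the IIS reply is dropped by the plain check but allowed under the RFC 1918 exception, the consistent reply is always allowed, and the reply pointing at a third-party public address is dropped under both rules. The last line shows why option 1 is safe for the client: a client that reuses the control-connection peer never dials the advertised address at all, so the bounce check protects nothing on that path.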