06-19-2013 12:24 PM
In your case:
First create a NAT rule:
source zone: outside
destination zone: outside
destination interface: none (could be set to the physical interface if you wish)
source address: any
destination address: outside_ip
service: any (or preferably set TCP21 along with the port range you have defined for passive ftp)
source translator: none
destination address: inside_ip
Then create a security rule:
source zone: outside
source address: any
destination zone: inside
destination address: outside_ip
application: ftp
service: application-default (or set TCP21 along with the port range you have defined for passive ftp)
action: allow
profile: recommended to use an IPS profile that's configured according to: critical, high, medium: block - low, information: default
options: log on session end (enable log on session start for troubleshooting)
You could also use a network range instead of outside_ip. For example outside_range, if that's what you mean by "any outside"?
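
Added example, not part of the original post: a simplified Python model of why the security rule above pairs destination zone inside with destination address outside_ip. PAN-OS matches the NAT rule on the original packet, then evaluates security policy with the post-NAT destination zone and the pre-NAT destination address. The addresses are constructed documentation ranges, the function names are hypothetical, and application and service matching are left out.

```python
import ipaddress

# Constructed sample topology (documentation address ranges, not from the post).
ZONES = {"inside": ipaddress.ip_network("192.168.1.0/24")}  # everything else: outside
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")   # stands in for outside_ip
INSIDE_IP = ipaddress.ip_address("192.168.1.10")    # stands in for inside_ip

NAT_RULE = {"from": "outside", "to": "outside", "dst": OUTSIDE_IP, "translate_to": INSIDE_IP}

def zone_of(addr):
    """Zone a route lookup would pick for this address (simplified)."""
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "outside"

def evaluate(src, dst, sec_rule):
    """Return (action, forwarded_dst) for one new session."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, pre_nat_zone = zone_of(src), zone_of(dst)
    # 1. The NAT rule matches on the ORIGINAL packet: pre-NAT zones and address.
    nat_hit = (NAT_RULE["from"], NAT_RULE["to"], NAT_RULE["dst"]) == (src_zone, pre_nat_zone, dst)
    post_nat_dst = NAT_RULE["translate_to"] if nat_hit else dst
    # 2. The destination zone is looked up again for the translated address.
    post_nat_zone = zone_of(post_nat_dst)
    # 3. Security rule: post-NAT destination zone, pre-NAT destination address.
    allowed = (sec_rule["from"] == src_zone and sec_rule["to"] == post_nat_zone
               and sec_rule["dst"] == dst)
    # No match falls through to a deny (assumed default for traffic between zones).
    return ("allow", post_nat_dst) if allowed else ("deny", None)

AS_POSTED = {"from": "outside", "to": "inside", "dst": OUTSIDE_IP}
WRONG_ZONE = {"from": "outside", "to": "outside", "dst": OUTSIDE_IP}  # pre-NAT zone
WRONG_ADDR = {"from": "outside", "to": "inside", "dst": INSIDE_IP}    # post-NAT address

if __name__ == "__main__":
    for name, rule in [("as posted", AS_POSTED), ("dst zone outside", WRONG_ZONE),
                       ("dst addr inside_ip", WRONG_ADDR)]:
        print(name, evaluate("198.51.100.7", "203.0.113.10", rule))
```

Only the rule as posted allows the session; the two common mistakes (destination zone outside, or destination address inside_ip) never match and the traffic is dropped.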