In normal (active) mode, an FTP client initiates a session to a server by opening a "command channel" connection to TCP port 21, where authentication and authorization happen. The client then requests a file transfer by sending a PORT command to the server, and the server attempts to open a "data channel" connection back to the client from TCP port 20. The firewall on the client's side sees this data-channel connection request from the server as unsolicited and drops the packets, so the file transfer fails or the client cannot even list remote folders/files. Some firewalls are smart enough to inspect this type of traffic and allow the corresponding data-channel connections, but that cannot work when FTP runs over SSL/TLS, because the command channel carrying the PORT/PASV exchange is encrypted and the firewall cannot read it.
To avoid this issue, FTP also supports a "passive" operational mode in which the client initiates the data channel connection. Instead of sending a PORT command, the client sends a PASV command on the command channel, and the server responds with the TCP port number to which the client should connect to establish the data channel. These port numbers come from the high range, TCP 1024 - 65535. So what happens when the FTP server itself sits behind a firewall/NAT box?
The FTP client initiates a connection to the FTP server on tcp/21 and sends the PASV command; the FTP server responds with a port from its passive port range (5000-5500, for example); the FTP client tries to initiate a data connection to that new port, and ... fails ... because the firewall/NAT box on the FTP server's side has no matching rule/session/flow for this kind of traffic. Once again, some smart firewalls use technologies like traffic inspection (Cisco ASA), application layer gateways (Juniper SSG/SRX), NAT/protocol helpers (Linux) etc., but these differ from version to version and very often simply do not work as expected.
So the best practice is to configure the passive port range manually on the server and create the appropriate firewall/port-forwarding rules for exactly that range.
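As an added example (not part of the original post), a small Python checker that does what a client has to do with the server's 227 reply to PASV: decode the advertised address and port, and flag the failures described above, i.e. an address the client cannot route to, an address that does not match the control connection's peer, and a data port outside the forwarded passive range. It assumes the 5000-5500 example range and constructed sample replies.

```python
import ipaddress
import re

# Passive range configured on the server and forwarded by the firewall
# (the 5000-5500 example range from the text).
PASV_MIN, PASV_MAX = 5000, 5500

# Addresses a remote client cannot reach: RFC 1918, loopback, link-local.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port);
    the port travels as two bytes, port = p1 * 256 + p2."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of byte range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def format_pasv(ip, port):
    """Build the 227 reply a server sends once its external IP is configured."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    octets = ipaddress.IPv4Address(ip).exploded.replace(".", ",")
    return "227 Entering Passive Mode (%s,%d,%d)" % (octets, port // 256, port % 256)

def check_pasv(reply, control_peer_ip, pasv_min=PASV_MIN, pasv_max=PASV_MAX):
    """List the problems a client hits when following this PASV reply: an
    unroutable address, an address that differs from the control connection's
    peer (the mismatch an FTP ALG cares about), or a port the firewall does not
    forward. An empty list means the reply looks sane."""
    ip, port = parse_pasv(reply)
    addr = ipaddress.IPv4Address(ip)
    problems = []
    if any(addr in net for net in UNROUTABLE):
        problems.append("unroutable address %s (external IP not configured?)" % ip)
    if ip != control_peer_ip:
        problems.append("data address %s != control peer %s" % (ip, control_peer_ip))
    if not pasv_min <= port <= pasv_max:
        problems.append("port %d outside forwarded range %d-%d" % (port, pasv_min, pasv_max))
    return problems
```

Running `check_pasv` against a reply that advertises the server's private address reproduces the "unroutable address" situation the IIS section below fixes with the External IP Address setting.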
Example for MS IIS 7.5:
IIS Manager - Connections - select the server-level node - FTP Firewall Support (in the right panel) -
Data Channel Port Range & External IP Address of Firewall - Apply
Entering the External IP Address is highly recommended (at server level or per FTP site) to avoid errors like "ftp server sent unroutable address": without it, the FTP server puts its private IP address into the 227 reply and the FTP client has nowhere reachable to connect to.
net stop "Microsoft FTP Service" && net start "Microsoft FTP Service"
in pure-ftpd.conf:
PassivePortRange 5000 5500
in proftpd.conf (ProFTPD's equivalent directive):
PassivePorts 5000 5500
Enable the "smart firewall" feature on the firewall itself:
Cisco ASA 9.1:
CiscoASA9.1(config)# policy-map global_policy
CiscoASA9.1(config-pmap)# class inspection_default
CiscoASA9.1(config-pmap-c)# inspect ftp
Juniper SRX:
set security alg ftp ?
  allow-mismatch-ip-address  Pass FTP packets with mismatched ip address headers and payload
  disable                    Disable FTP ALG
  ftps-extension             Enable secure FTP and FTP-ssl protocols
  line-break-extension       Enable CR+LF line termination
Mikrotik RouterOS 6.38.1:
/ip firewall service-port set ftp ports=21
Linux kernel 2.4.x and above: