ftp outbound on meraki mx



I replaced an old Cisco PIX 520 with a Meraki 400. Some firewall rules that worked correctly before now have problems.
For example, a firewall rule that allows some internal IPs FTP access to some external servers does not work properly. To have no problems I had to give access to all the ports (any). I thought that the problems related to FTP were only in inbound rules. What other ports should be opened to correctly use outbound FTP?



Kind of a big deal

You should not have to explicitly allow anything outbound.


Have you seen this?




- Ex community all-star (⌐⊙_⊙)


Maybe I didn't explain myself. I need to create an outbound rule that allows some internal IPs to connect to some FTP servers but not use any other outgoing protocol.





The problem is that opening only the FTP port 21 does not work.




Kind of a big deal

Are you connecting to active or passive FTP servers? If you're not sure, you need both 20 and 21.


Just to check, you're using regular FTP and not SFTP? Because if SFTP, you'll need 22 as well.

Kind of a big deal

If you are connecting to a passive mode FTP server:

  • The client connects out on port 21.
  • The client sends a PASV command and the server responds with a port on its side.
  • The client connects out on the returned port from a random port.

If you are connecting to an active mode server:

  • The client connects out on port 21.
  • The client sends a "port" command to say it is listening on a specific port for data.
  • The server then connects back to the client from its port 20 to the port the client specified.


The MX NAT will correctly fix up NAT for active mode connections to allow the return traffic. Passive mode does not require any fixups.

The MX won't correct any outbound firewall rules you have created to explicitly block traffic.



If you create a default "deny all" rule limiting outbound traffic then you'll probably want to create a simple "permit ip any host x.x.x.x" style rule to the specific FTP server the users need to connect to.
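The passive-mode sequence described above, worked through as an added example (not part of the original reply, and not Meraki configuration syntax). The control-channel lines, the documentation-range addresses and the `(action, dst_cidr, port)` rule tuples are constructed for illustration; the check shows why a rule for port 21 alone lets the login succeed but blocks the data connection.

```python
import ipaddress
import re

# Constructed control-channel lines in RFC 959 format (documentation addresses).
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"
PORT_CMD = "PORT 192,0,2,25,156,64"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from a 227 reply or PORT command; port = p1*256 + p2."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def first_match(rules, dst_ip, dst_port):
    """Evaluate hypothetical outbound rules top-down; port None means any port."""
    addr = ipaddress.ip_address(dst_ip)
    for action, cidr, port in rules:
        if addr in ipaddress.ip_network(cidr) and port in (None, dst_port):
            return action
    return "allow"  # default outbound allow, as described in this thread


def passive_session(rules, server_ip, pasv_reply):
    """Return (control, data) verdicts for the two outbound connections."""
    data_ip, data_port = parse_hostport(pasv_reply)
    control = first_match(rules, server_ip, 21)
    data = first_match(rules, data_ip, data_port)  # server-chosen port
    return control, data


# Hypothetical rule sets, both ending in an explicit deny-all.
PORT21_ONLY = [("allow", "203.0.113.10/32", 21), ("deny", "0.0.0.0/0", None)]
HOST_PERMIT = [("allow", "203.0.113.10/32", None), ("deny", "0.0.0.0/0", None)]

if __name__ == "__main__":
    print("PASV data endpoint:", parse_hostport(PASV_REPLY))
    print("PORT advertised endpoint:", parse_hostport(PORT_CMD))
    for name, rules in (("port 21 only", PORT21_ONLY), ("permit host", HOST_PERMIT)):
        print(name, passive_session(rules, "203.0.113.10", PASV_REPLY))
```
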


Hi, thanks for the answer.

First consideration: it puzzles me that a 15-year-old device has features (FTP fixup, object groups) that do not exist on a current product.
For the problem in question, if instead of deny any any I put a deny of the different subnets to any, is fixup applied?

Best regards

Not to hijack a thread, but every other security appliance I have ever administered will open the ports received in the PASV command coming from the FTP/SFTP server. Most also have an implicit deny at the end of all access lists. Meraki has an implicit allow, therefore requiring a deny any any rule to be created. Otherwise the MX devices are nothing more than a router. How do we go about requesting that this be added as a feature? I feel confident if we as a company knew this was the way these appliances behaved from a security perspective, we would have chosen a different vendor.

Meraki Employee

SFTP is all tunneled over SSH, which removes the need for such NAT hacks. Past experience has dictated that any sort of NAT considerations for FTP aren't likely to be implemented given that FTP is a cleartext protocol that transmits usernames and passwords unprotected.


As for the firewall rules, "implicit" implies that it's an unspecified behavior, which is not the case. Yes, there's a default allow rule, but it's very much explicit.
