Several advanced protocols, including FTP, cause problems when trying to traverse across the PIX firewall. The problems arise when traffic on the outside client or server wants to send traffic to the inside, higher-security interfaces; this traffic is often unsolicited from the perspective of standard ASA. Normally, traffic flow is in response to a client's request and returns on the same source port on which the client request was sent. The ASA sees this normal request and opens a connection slot for the return traffic. Some advanced protocols respond or send data to the client on port numbers other than the ports in the source header, and this causes a problem for the normal ASA engine.
For example, if Jack is trying to download information from an FTP site using standard mode, he notifies the FTP server that his port ”for example, 3002 ”is available to receive the data. The requested port 3002 is not in the normal source port header location but in the data portion of the packet. Because the ASA normally monitors the source port header and not the data portion, the connection slot is not made. As the FTP server starts to send data to Jack's port (3002), the PIX drops the packets because ASA never created a connection slot for the returning traffic.