https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92325#M623899 <HTML><HEAD></HEAD><BODY><P>No, I haven't tried the range of ports. Just 21. I'll do that and see what happens.</P><P></P><P>I have found out some other information. In going through my logs I have this:</P><P></P><P>8:08:02am %PIX-6-302001: Built outbound TCP connection xxxxxx for faddr a.b.c.d/80 gaddr <EXTERNAL static="" ip="" of="" system="" in="" question=""></EXTERNAL></P><P>8:08:02am %PIX-5-304001: <INSIDE ip="" address=""> Accessed URL a.b.c.d:/filename.cab</INSIDE></P><P>8:08:02am %PIX-6-302002: Teardown TCP connection xxxxx faddr a.b.c.d/80 gaddr <EXTERNAL statc="" ip="" of="" system="" in="" question=""></EXTERNAL></P><P>8:08:02am %PIX-5-106015: Deny TCP (no connection) from a.b.c.d/80 to <INSIDE ip="" address=""> flags PSH ACK</INSIDE></P><P></P><P>It looks like the PIX tears down the connection before I'm finished. Any reason why? Is there a timeout issue going on? This has been working for a few months now. I had to turn off our PIX's to move them to a new location, and then brought them back up. The contents of the memory were saved. I'm having the hardest time trying to figure this out.</P><P></P></BODY></HTML> Fri, 06 Sep 2002 19:30:09 GMT apaxson 2002-09-06T19:30:09Z https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92322#M623896 <P>How can I use passive FTP through the Pix Firewall?? I've tried everything to get this to work. I've tried using established commands. I've tried using conduit commands enabling all the high ports back to the originating host (1024-65535). Nothing is working.</P><P></P><P>However, once I do "no fixup protocol ftp" it works just fine. However, our other FTP operations fail when I do this. Is there any way I can get these two functions to work through our PIX?</P><P></P><P>Huge thanks in advance. My company is very dependant on these services.</P><P></P><P>Aaron Paxson</P><P>IT Systems Analyst </P><P>Decorative Concepts</P> Fri, 21 Feb 2020 06:13:51 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92322#M623896 apaxson 2020-02-21T06:13:51Z https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92323#M623897 <HTML><HEAD></HEAD><BODY><P>Anyone have any ideas??</P></BODY></HTML> Fri, 06 Sep 2002 15:28:17 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92323#M623897 apaxson 2002-09-06T15:28:17Z https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92324#M623898 <HTML><HEAD></HEAD><BODY><P>Hi, have you tried a range of ports for fixup to inspect? Something like......</P><P>fixup protocol ftp 21-65535</P><P></P><P>I'm not sure if this will inspect all traffic leaving on those ports though.</P><P></P><P>Anyone else?</P></BODY></HTML> Fri, 06 Sep 2002 17:47:16 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92324#M623898 mike-greene 2002-09-06T17:47:16Z https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92325#M623899 <HTML><HEAD></HEAD><BODY><P>No, I haven't tried the range of ports. Just 21. I'll do that and see what happens.</P><P></P><P>I have found out some other information. In going through my logs I have this:</P><P></P><P>8:08:02am %PIX-6-302001: Built outbound TCP connection xxxxxx for faddr a.b.c.d/80 gaddr <EXTERNAL static="" ip="" of="" system="" in="" question=""></EXTERNAL></P><P>8:08:02am %PIX-5-304001: <INSIDE ip="" address=""> Accessed URL a.b.c.d:/filename.cab</INSIDE></P><P>8:08:02am %PIX-6-302002: Teardown TCP connection xxxxx faddr a.b.c.d/80 gaddr <EXTERNAL statc="" ip="" of="" system="" in="" question=""></EXTERNAL></P><P>8:08:02am %PIX-5-106015: Deny TCP (no connection) from a.b.c.d/80 to <INSIDE ip="" address=""> flags PSH ACK</INSIDE></P><P></P><P>It looks like the PIX tears down the connection before I'm finished. Any reason why? Is there a timeout issue going on? This has been working for a few months now. I had to turn off our PIX's to move them to a new location, and then brought them back up. The contents of the memory were saved. I'm having the hardest time trying to figure this out.</P><P></P></BODY></HTML> Fri, 06 Sep 2002 19:30:09 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92325#M623899 apaxson 2002-09-06T19:30:09Z https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92326#M623900 <HTML><HEAD></HEAD><BODY><P>When you do the no ftp fixup ptotocol, you are disabling the ftp server to open the ftp data connection to the client to establish the data connections. If you want both port mode and passive mode to work at the same time. add an access list that specifically allow the ftp servers to open data connection from port 21 to the clients, good luck.</P></BODY></HTML> Sun, 08 Sep 2002 06:07:41 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92326#M623900 6a.araishy 2002-09-08T06:07:41Z https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92327#M623901 <HTML><HEAD></HEAD><BODY><P>Thank you very much for your response! That makes alot of sense. Would I also use a conduit command opening up the port back through the firewall, or would I just need an access-list? I have one access-list applied to my inside interface, and use conduit commands to come back through the firewall into my private network.</P><P></P><P>Thanks for the response!</P><P>Aaron</P></BODY></HTML> Mon, 09 Sep 2002 16:30:40 GMT https://community.cisco.com/t5/network-security/pix-firewall-and-passive-ftp/m-p/92327#M623901 apaxson 2002-09-09T16:30:40Z