topic Re: Accessing an FTP server inside my PIX 525 in Network Security

Accessing an FTP server inside my PIX 525

stippick — Fri, 21 Feb 2020 06:14:35 GMT

Friends,

I have the following config:

PIX 525 (5.3)

fixup protocol ftp 21

static (inside,outside) publicIP privateIP netmask 255.255.255.255 0 0

conduit permit tcp host publicIP eq ftp any

conduit permit tcp host publicIP eq ftp-data any

I think those are all the pertinent commands. My problem is this: I can connect to te FTP server. I can log in to the FTP server. As soon as I issue a command to the server, such as LS or DIR or SEND or PUT, I get no resp[onse back to my FTP client session. I have executed a SEND and the file name gets created but no actual data is transferred and the session sits indefinitely until I cancel it. All works as it should behind the firewall.

Any help would be appreciated.

Thanx

Karl

Re: Accessing an FTP server inside my PIX 525

pgolding — Thu, 12 Sep 2002 04:37:09 GMT

remove the conduit permit for ftp-data, as the fixup ftp takes care of this.

try changing to passive mode at the user end. this is normally done with the "passive" command in non-GUI ftp clients.

Re: Accessing an FTP server inside my PIX 525

stippick — Thu, 12 Sep 2002 14:50:17 GMT

I tried first without the conduit for ftp-data. It doesn't work with it or without it.

I turned on debug from my microsoft ftp client.

I set passive mode then tried a list command.

It came back and set it could not open a data connection.

See below:

ftp> debug

Debugging On.

ftp> literal pasv

---> pasv

227 Entering Passive Mode (xxx,xxx,xxx,xxx,16,34).

ftp> literal list

---> list

425 Can't open data connection.

ftp>

Re: Accessing an FTP server inside my PIX 525

stippick — Fri, 13 Sep 2002 15:22:39 GMT

I am considering replacing all of my conduit statements with access lists in an effort to see if that will allow this to work.

Any comments?

I also read in another thread that the ftp server needed to initiate a connectiopn to the client. If so, isn't that allowed by PAT or NAT or whatever it is that allows all my users to go outside the firewall? Do I possibly need to set up an explicit path from the server in question to the outside?

HELP...

Again, any and all comments will be appreciated.

Karl

Re: Accessing an FTP server inside my PIX 525

gguhin — Thu, 19 Sep 2002 23:07:16 GMT

I am having the same problem on a PIX 515 and am using access-lists. I thought the problem was with my static nat statement. When the problem was brought to my attention, I had a straight one to one static nat statement.

static (inside,outside) outside ip inside ip

I changed the static command to use the tcp and port assignment

static (inside,outside) tcp outside ip ftp inside ftp

and it started working, since this time it has stopped again. The same symptoms; can login but can do a dir or ls command.

Any thoughts as to what is going on?