topic Re: ftp and pix in Network Security

ftp and pix

musumani.woods — Mon, 11 Mar 2019 15:49:28 GMT

I have a pix 515E and I am trying to get the ftp server accessile from the outside.

I already have an ftp server that is working without any problems but the new ftp server is not accessible from the outside.

my access list is:

access-list OUTSIDE1-IN permit tcp any host (public ip) eq ftp

The server is natted as:

static (inside,outside1) (public ip) (inside ip) netmask 255.255.255.255 0 0

The only difference between the two servers is that the working one is in the dmz.

Re: ftp and pix

robertson.michael — Tue, 30 Jun 2009 18:35:01 GMT

Hi Musumani,

What version of software is your PIX running? If it is 7.2(1) or later, take a look at the output of this command:

packet-tracer input outside1 tcp 1.1.1.1 1024 21

Command reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

That should give you a hint as to where the traffic is failing.

If the PIX is running 7.0(1) or later, you might also look at the output of 'show asp drop' for reasons why packets are being dropped.

Command reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s2.html#wp1351326

It might also be worthwhile to setup some captures and see exactly where the connection is failing (i.e. the initial traffic or the return traffic). Here is the command reference for the capture command if you are running 6.2(1) or later:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c1.html#wp2108895

-Mike

Re: ftp and pix

Stuart Hare — Wed, 01 Jul 2009 11:20:22 GMT

Do you have ftp inspection enabled, using either fixup protocols or mpf policies?

fixup protocol ftp

policy-map global_policy

class inspection_default

inspect ftp

(This depends on your code version)

Stu

Re: ftp and pix

musumani.woods — Wed, 01 Jul 2009 16:41:42 GMT

yes I do.

Re: ftp and pix

marchomden — Wed, 01 Jul 2009 17:32:11 GMT

What version are you using on the PIX? If you are trying to do port redirection I don's see port 21 in the Static NAT statement, you might need something like this (v6.3)

static (inside,outside1) tcp (public IP) ftp (inside IP) ftp netmask 255.255.255.255.

However on version 7.2 (I believe) you have to state the name of the outside interface instead of the IP i.e.

static (inside,outside) tcp outside1 ftp (inside IP) ftp netmask 255.255.255.255

This is from memeory but I think it's right, unless I have misunderstood your problem.

I have port redirection on a 515 running v7.2 for OWA and OMA (HTTPS) so if the above doesn't work I can get the config when I have access and post it here if that helps.