https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829933#M956237 <HTML><HEAD></HEAD><BODY><P>I don't know why they are still using FTP. It's another college who has the FTP server. Maybe they fear change. I'll try the fixup ftp 1021 command and post the results.</P><P></P><P>Inspect is the new command on the ASA for fixup correct?</P></BODY></HTML> Wed, 30 Jan 2008 13:49:58 GMT randyclark 2008-01-30T13:49:58Z https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829926#M956223 <P>I have a NATed client trying to FTP to a server on the Internet. The server is blocking the FTP connection becuase it sees the private address of my client. Is there a setting on the firewall to prevent this from happening?</P> Mon, 11 Mar 2019 11:54:30 GMT https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829926#M956223 randyclark 2019-03-11T11:54:30Z https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829927#M956225 <HTML><HEAD></HEAD><BODY><P>What is the NATing device. Is this a Pix/ASA Firewall or router. If this is a Pix/ASA, do you have Fixup configured. Can you post your configuration along with details on what is the ip address of the FTP Client and FTP Server.</P><P></P><P>Regards,</P><P>Arul</P><P></P><P>** Please rate all helpful posts **</P></BODY></HTML> Mon, 28 Jan 2008 17:39:38 GMT https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829927#M956225 ajagadee 2008-01-28T17:39:38Z https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829928#M956227 <HTML><HEAD></HEAD><BODY><P>The NATing device is an ASA 5520. The client is being NATed. I'm not sure about the server.</P></BODY></HTML> Mon, 28 Jan 2008 18:39:23 GMT https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829928#M956227 randyclark 2008-01-28T18:39:23Z https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829929#M956229 <HTML><HEAD></HEAD><BODY><P>make sure you have ftp inspection enabled in your global policy.</P><P>inspect ftp</P><P></P><P>if that doesn't work, please post what happens when you ftp to this server and exactly how it 'fails'.</P></BODY></HTML> Mon, 28 Jan 2008 19:17:00 GMT https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829929#M956229 srue 2008-01-28T19:17:00Z https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829930#M956231 <HTML><HEAD></HEAD><BODY><P>As a test, on the ASA do this:</P><P></P><P>fixup ftp protocol 21</P><P>nat (inside) 1 0 0 </P><P>global (outside) 1 interface</P><P></P><P>access-list test permit ip any any log</P><P>access-group test in interface inside</P><P>access-group test in interface outside</P><P></P><P>Now from a host inside the ASA, perform </P><P>a ftp connection. I have an ftp server</P><P>on the Intenet. If you give me your public</P><P>IP address, I can add it to my checkpoint</P><P>security policy so that you can test connecting to it.</P><P></P><P>CCIE Security</P></BODY></HTML> Mon, 28 Jan 2008 19:24:46 GMT https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829930#M956231 cisco24x7 2008-01-28T19:24:46Z https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829931#M956233 <HTML><HEAD></HEAD><BODY><P>This is what is happening on the client side. It's not using the standard port 21 but port 1021.</P><P></P><P>connecting to 149.149.15.100:1021</P><P>login</P><P>xxxxxxx</P><P>xxxxxxx</P><P>Host type (S):UNIX (standard)</P><P>PASV</P><P>227 Entering Passive Mode(149,149,15,100,59,23)</P><P>connecting to 149.149.15.100:15127</P><P>--</P><P>!Conntection failed 149.149.15.100-connection refused</P><P>!connect error 0</P><P>PORT 172,20,46,74,7,132</P><P>500| I won't open a connection to 172.20.46.74(only to 198.146.198.101)</P><P>!Failed "port"</P><P></P><P></P></BODY></HTML> Mon, 28 Jan 2008 21:14:33 GMT https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829931#M956233 randyclark 2008-01-28T21:14:33Z https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829932#M956235 <HTML><HEAD></HEAD><BODY><P>fixup protocol ftp 1021</P><P></P><P>As a security person, I am very suprised that</P><P>people still use FTP these days. Not only</P><P>the protocol is insecure, you will run into</P><P>issues like this. </P><P></P><P>I noticed that ftp server box is a Unix box.</P><P>If that is the case, why not use SecureFTP </P><P>(sFTP). sFTP is a component of sshd daemon</P><P>which is very secure. You can configure</P><P>it to run at AES256-cbc with sha-1 and allow</P><P>ssh outbound access. Everything will be ok </P><P>after that.</P><P></P><P>This is 2008, not 1998. FTP and TFTP should</P><P>be banned due to its inherent weak security by nature. TFTP should be replaced by Secure</P><P>Copy (scp).</P><P></P><P>CCIE Security</P></BODY></HTML> Mon, 28 Jan 2008 22:28:29 GMT https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829932#M956235 cisco24x7 2008-01-28T22:28:29Z https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829933#M956237 <HTML><HEAD></HEAD><BODY><P>I don't know why they are still using FTP. It's another college who has the FTP server. Maybe they fear change. I'll try the fixup ftp 1021 command and post the results.</P><P></P><P>Inspect is the new command on the ASA for fixup correct?</P></BODY></HTML> Wed, 30 Jan 2008 13:49:58 GMT https://community.cisco.com/t5/network-security/nat-and-ftp-problem/m-p/829933#M956237 randyclark 2008-01-30T13:49:58Z