CSS & Pix problem with FTP

jaredmiller
Level 1

Hi,

I am testing a CSS 11501 which I have added to my network behind a PIX 515 firewall. Using static commands, the PIX sends www traffic to one server and FTP to another. Now that I have introduced the CSS, the PIX sends the packets to VIP addresses on the CSS, which in turn sends them to the intended server, or to a sorry server in the event of a failure.

The www side is working very well, but I am having trouble with ftp. I am able to connect to the ftp server, but when I try to transfer files from a web application, the pix is dropping the packets and throws error # 406002 (FTP port command different address on interface inside). Here is a snip from the pix log:

305011: Built static TCP translation from inside:192.168.3.4/21 to outside:222.222.222.18/21
302013: Built inbound TCP connection 74 for outside:111.111.111.203/1561 (111.111.111.203/1561) to inside:192.168.3.4/21 (222.222.222.18/21)
406002: FTP port command different address: 192.168.3.4(192.168.1.22) to 111.111.111.203 on interface inside
302014: Teardown TCP connection 74 for outside:111.111.111.203/1561 to inside:192.168.3.4/21 duration 0:00:01 bytes 269 Deny
106015: Deny TCP (no connection) from 111.111.111.203/1561 to 222.222.222.18/21 flags PSH ACK on interface outside

...

111.111.111.203 = Client initiating FTP conn. and transfer

192.168.3.4 = VIP of ftp service on CSS

222.222.222.18 = FTP server

I am pretty new to all of this stuff, but if I read this correctly, the PIX does not like the fact that the packets from the FTP server appear to be coming from another address, which is in this case the VIP address of the FTP service on the CSS. I honestly don't know if I need to change the config on the PIX or the CSS... or both for that matter.

Any help is appreciated.

Jared

1 Reply

lisa.hall
Level 2

This can happen if the NAT engine that the client is going through is not NATing the IP address in the data payload as it should. Therefore, when the client pushes the PORT command, the IP address in the data payload does not match what the PIX has stored for this Fixup FTP connection, and the PIX then denies the data connection from this FTP client.
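The mismatch described in the reply can be reproduced outside the PIX. The following is an added example (not code from this thread, from Cisco, or from the PIX itself): it parses the address a peer embeds in an FTP PORT command or a 227 PASV reply, applies the test the fixup applies as far as the 406002 message reveals it (the embedded address must equal the source address of the control connection the firewall already tracks), and shows the payload rewrite that the NAT or load-balancing device in the path has to perform so the two agree. The syslog format is modelled on the log line quoted in the question, the addresses are the ones from the post, and the FTP lines themselves are constructed.

```python
"""
Emulation of the PIX "FTP port command different address" check.
Added example, not from the original thread or from Cisco. The fixup's
actual implementation is not public; this models the comparison the
406002 message implies. Sample FTP lines below are constructed.
"""
import re
from typing import Optional, Tuple

# "h1,h2,h3,h4,p1,p2" is the encoding used by both the PORT command
# (RFC 959) and the 227 "Entering Passive Mode" reply.
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _HOSTPORT + r"\)")


def _hostport(fields) -> Tuple[str, int]:
    """Decode the six comma-separated decimal fields into (ip, port)."""
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("host/port field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def _match(line: str):
    """Return (kind, match) for the two messages that embed an address."""
    m = PORT_RE.match(line)
    if m:
        return "PORT", m
    m = PASV_RE.match(line)
    if m:
        return "PASV", m
    return None, None


def embedded_address(line: str) -> Optional[Tuple[str, str, int]]:
    """("PORT"|"PASV", ip, port) if the line carries a data-channel
    address, else None (USER, RETR, 150 ... carry none)."""
    kind, m = _match(line)
    if m is None:
        return None
    ip, port = _hostport(m.groups())
    return kind, ip, port


def fixup_check(line: str, control_src_ip: str, control_dst_ip: str,
                iface: str = "inside") -> Tuple[bool, str]:
    """Emulate the fixup's address test: the IP carried in the payload must
    equal the source IP of the control connection the PIX already tracks.
    On mismatch, return False and a message shaped like syslog 406002."""
    parsed = embedded_address(line)
    if parsed is None:
        return True, "no embedded address; not subject to the check"
    kind, ip, port = parsed
    if ip == control_src_ip:
        return True, "%s address %s:%d matches control source" % (kind, ip, port)
    return False, ("406002: FTP port command different address: %s(%s) to %s "
                   "on interface %s" % (control_src_ip, ip, control_dst_ip, iface))


def nat_rewrite(line: str, real_ip: str, translated_ip: str) -> str:
    """What the NAT / load-balancing engine must do to the payload: replace
    the real host's embedded address with the translated (VIP or static)
    address, leaving the two port fields untouched. Other lines pass through."""
    kind, m = _match(line)
    if m is None:
        return line
    ip, _ = _hostport(m.groups())
    if ip != real_ip:
        return line
    start, end = m.start(1), m.end(4)          # span of h1,h2,h3,h4 only
    return line[:start] + ",".join(translated_ip.split(".")) + line[end:]


def demo():
    """The thread's scenario: real server 192.168.1.22 behind CSS VIP
    192.168.3.4 answers client 111.111.111.203 with its own address."""
    real, vip, client = "192.168.1.22", "192.168.3.4", "111.111.111.203"
    reply = "227 Entering Passive Mode (192,168,1,22,4,1)."   # constructed
    before = fixup_check(reply, vip, client)     # CSS left the payload alone
    fixed = nat_rewrite(reply, real, vip)        # what the CSS should emit
    after = fixup_check(fixed, vip, client)
    return before, fixed, after


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run as a script, the first result reproduces the quoted 406002 line verbatim, because the control connection's source (the VIP) and the address inside the payload (the real server) differ; after the rewrite the same check passes. The same function pair covers active mode, where it is the client's PORT command that must carry the address the firewall sees that client coming from.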
