09-11-2002 12:34 PM - edited 02-20-2020 10:14 PM
Friends,
I have the following config:
PIX 525 (5.3)
fixup protocol ftp 21
static (inside,outside) publicIP privateIP netmask 255.255.255.255 0 0
conduit permit tcp host publicIP eq ftp any
conduit permit tcp host publicIP eq ftp-data any
I think those are all the pertinent commands. My problem is this: I can connect to the FTP server. I can log in to the FTP server. As soon as I issue a command to the server, such as LS or DIR or SEND or PUT, I get no response back to my FTP client session. I have executed a SEND and the file name gets created but no actual data is transferred and the session sits indefinitely until I cancel it. All works as it should behind the firewall.
Any help would be appreciated.
Thanx
Karl
09-11-2002 09:37 PM
remove the conduit permit for ftp-data, as the fixup ftp takes care of this.
try changing to passive mode at the user end. this is normally done with the "passive" command in non-GUI ftp clients.
09-12-2002 07:50 AM
I tried first without the conduit for ftp-data. It doesn't work with it or without it.
I turned on debug from my microsoft ftp client.
I set passive mode then tried a list command.
It came back and said it could not open a data connection.
See below:
ftp> debug
Debugging On.
ftp> literal pasv
---> pasv
227 Entering Passive Mode (xxx,xxx,xxx,xxx,16,34).
ftp> literal list
---> list
425 Can't open data connection.
ftp>
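The 227 reply in the debug output above is where a NAT problem usually shows itself: the server embeds the IP address and data port it wants the client to connect to, and if nothing on the firewall rewrites that reply (which is what fixup protocol ftp is meant to do), the client is told a private, unreachable address and the next command fails with 425. The script below is an added example, not part of the thread or of any Cisco software: it parses a 227 reply, recovers the data port (16*256+34 = 4130 in the post above), and flags the case where the advertised address is private or differs from the address the control connection actually reached. The sample replies and the peer address 203.0.113.5 are constructed for the example.

```python
"""Diagnose FTP passive mode through NAT from the client side.

Parse a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply and check
whether the address the server advertises is the one the client actually
reached on the control connection.  A mismatch (typically a private RFC 1918
address leaking through) means the firewall did not rewrite the reply, and
the client's data connection attempt will fail with '425 Can't open data
connection'.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Matches the six comma-separated numbers inside the parentheses of a 227 reply.
PASV_RE = re.compile(
    r"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) advertised in a 227 reply.

    The port is encoded as two bytes: p1 * 256 + p2.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte value out of range in 227 reply: %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_pasv(reply: str, control_peer: str) -> Dict[str, object]:
    """Compare the advertised data address with the control-connection peer.

    control_peer is the address the client connected to for the control
    session (what the client sees after NAT).  Returns a dict with the parsed
    host/port, an 'ok' flag and a list of human-readable problems.
    """
    host, port = parse_pasv(reply)
    advertised = ipaddress.ip_address(host)
    peer = ipaddress.ip_address(control_peer)
    problems: List[str] = []

    if advertised.is_private and not peer.is_private:
        # Classic symptom of a missing or non-functional FTP fixup/ALG:
        # the server's pre-NAT (inside) address reaches the outside client.
        problems.append(
            "server advertised private address %s; the firewall did not "
            "rewrite the 227 reply" % host
        )
    elif advertised != peer:
        problems.append(
            "advertised address %s differs from control peer %s"
            % (host, control_peer)
        )

    return {
        "host": host,
        "port": port,
        "ok": not problems,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample replies; 203.0.113.5 stands in for the public IP.
    samples = [
        ("227 Entering Passive Mode (10,1,1,20,16,34).", "203.0.113.5"),
        ("227 Entering Passive Mode (203,0,113,5,16,34).", "203.0.113.5"),
    ]
    for reply, peer in samples:
        result = check_pasv(reply, peer)
        status = "OK" if result["ok"] else "PROBLEM"
        print("%s -> data port %d [%s]" % (reply, result["port"], status))
        for p in result["problems"]:
            print("   ", p)
```

In practice the reply can be captured from the client's debug output exactly as shown in the post; if the advertised address is the server's inside address, the fix belongs on the firewall (the fixup must see and rewrite the control channel), not in the conduit or access-list for ftp-data. Many clients work around the leak by ignoring the advertised host and reusing the control peer, which is why the check above reports the mismatch rather than failing outright.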
09-13-2002 08:22 AM
I am considering replacing all of my conduit statements with access lists in an effort to see if that will allow this to work.
Any comments?
I also read in another thread that the ftp server needed to initiate a connection to the client. If so, isn't that allowed by PAT or NAT or whatever it is that allows all my users to go outside the firewall? Do I possibly need to set up an explicit path from the server in question to the outside?
HELP...
Again, any and all comments will be appreciated.
Karl
09-19-2002 04:07 PM
I am having the same problem on a PIX 515 and am using access-lists. I thought the problem was with my static nat statement. When the problem was brought to my attention, I had a straight one to one static nat statement.
static (inside,outside) outside ip inside ip
I changed the static command to use the tcp and port assignment
static (inside,outside) tcp outside ip ftp inside ftp
and it started working, but since then it has stopped again. The same symptoms: I can log in but can't do a dir or ls command.
Any thoughts as to what is going on?