cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1102
Views
0
Helpful
4
Replies

Accessing an FTP server inside my PIX 525

stippick
Level 1
Level 1

Friends,

I have the following config:

PIX 525 (5.3)

fixup protocol ftp 21

static (inside,outside) publicIP privateIP netmask 255.255.255.255 0 0

conduit permit tcp host publicIP eq ftp any

conduit permit tcp host publicIP eq ftp-data any

I think those are all the pertinent commands. My problem is this: I can connect to te FTP server. I can log in to the FTP server. As soon as I issue a command to the server, such as LS or DIR or SEND or PUT, I get no resp[onse back to my FTP client session. I have executed a SEND and the file name gets created but no actual data is transferred and the session sits indefinitely until I cancel it. All works as it should behind the firewall.

Any help would be appreciated.

Thanx

Karl

4 Replies 4

pgolding
Level 1
Level 1

remove the conduit permit for ftp-data, as the fixup ftp takes care of this.

try changing to passive mode at the user end. this is normally done with the "passive" command in non-GUI ftp clients.

I tried first without the conduit for ftp-data. It doesn't work with it or without it.

I turned on debug from my microsoft ftp client.

I set passive mode then tried a list command.

It came back and set it could not open a data connection.

See below:

ftp> debug

Debugging On.

ftp> literal pasv

---> pasv

227 Entering Passive Mode (xxx,xxx,xxx,xxx,16,34).

ftp> literal list

---> list

425 Can't open data connection.

ftp>

stippick
Level 1
Level 1

I am considering replacing all of my conduit statements with access lists in an effort to see if that will allow this to work.

Any comments?

I also read in another thread that the ftp server needed to initiate a connectiopn to the client. If so, isn't that allowed by PAT or NAT or whatever it is that allows all my users to go outside the firewall? Do I possibly need to set up an explicit path from the server in question to the outside?

HELP...

Again, any and all comments will be appreciated.

Karl

I am having the same problem on a PIX 515 and am using access-lists. I thought the problem was with my static nat statement. When the problem was brought to my attention, I had a straight one to one static nat statement.

static (inside,outside) outside ip inside ip

I changed the static command to use the tcp and port assignment

static (inside,outside) tcp outside ip ftp inside ftp

and it started working, since this time it has stopped again. The same symptoms; can login but can do a dir or ls command.

Any thoughts as to what is going on?

Review Cisco Networking for a $25 gift card