Re: FTP not working thru PIX

jkampmeyer · ‎12-17-2003

Trying to FTP from inside to outside. It works with nat 0 but when I use a static mapping from a.b.c.148(inside address) to a.b.c.120(outside address) it will not work. They are in different subnets.

The PIX seems to just ignore the packet. There is no error message or denies!

fixup protocol ftp strict 21 (also tried with fixup protocol ftp 21)

global (outside) 1 192.1.3.32 netmask 255.255.255.224

nat (inside) 0 192.1.3.128 255.255.255.224 0 0

static (inside,outside) 192.1.3.117 Workstation1 netmask 255.255.255.255 0 0

static (inside,outside) 192.1.3.118 Workstation2 netmask 255.255.255.255 0 0

static (inside,outside) 192.1.3.119 Workstation3 netmask 255.255.255.255 0 0

static (inside,outside) 192.1.3.120 Workstation4 netmask 255.255.255.255 0 0

Connections to external ftp server (SYN timeout)

106100: access-list from-noc-lan permitted tcp inside/192.1.3.148(1531) -> outsi

de/199.1.1.200(21) hit-cnt 1 (first hit)

302013: Built outbound TCP connection 7595411 for outside:199.1.1.200/21 (199.1.

1.200/21) to inside:192.1.3.148/1531 (192.1.3.120/1531)

710005: UDP request discarded from 192.1.3.135/138 to inside:192.1.3.159/netbios

-dgm

302014: Teardown TCP connection 7595409 for outside:199.1.1.200/21 to inside:192

.1.3.148/1530 duration 0:02:01 bytes 0 SYN Timeout

Any ideas?

mpalardy · ‎12-18-2003

Do a "show xlate local ip-workstation". You might need to execute a clear xlate for your inside hosts.

Also I'm missing the reason why you use a "global (outside) 1...". Do you also use have a "nat (inside) 1..." ?

Finally, what was the log looked before you use a static maping?

sbosen67 · ‎12-29-2003

I have the same problem. I tried adding service resetinbound and established permitto 113 as cisco's docs suggested.