08-29-2002 08:17 AM - edited 02-20-2020 10:13 PM
I have configured a PIX for FTP access to a DMZ containing an AS400. Although all access lists and statics are in place, I keep getting a deny for the ftp-data port 20.
I seem to remember reading somewhere something about FTP via the PIX causing issues with data transfer. Any ideas?
08-29-2002 09:15 AM
Are you using AAA authentication, and what version of PIX software are you running?
08-29-2002 12:17 PM
Not using AAA, and the version of software is 6.2. I've experienced this same problem on earlier versions.
08-29-2002 12:12 PM
Do you use NAT? NAT might cause this problem.
Did you try the fixup command yet?
08-30-2002 07:50 AM
FTP is a weird animal when it comes to Cisco ACLs or the PIX.
Normally you would do:
access-list acl1 permit tcp any host FTPSERVER eq ftp
However, to get it to work you need to change the order of the command so it looks like this:
access-list acl1 permit tcp any eq ftp host FTPSERVER
The same applies to SNMP and probably other things. A Cisco engineer tried to explain it to me but I don't think he understood it either. If anyone out there can explain then please - give it a go.
08-30-2002 11:04 AM
I don't know what your setup looks like, but take this for example.
Your ftp server is on the dmz intf with ip 10.10.20.11
You have a network on the inside interface of your Pix. The net is 10.20.10.0 /24. You want everyone on that net to be able to use the ftp server.
Provided that all preliminary configs are working fine, here is what your config should look like.
Configure an access-list that you will apply to nat (0) so that traffic between the two segments does not get NATed:
access-list 100 permit ip 10.20.10.0 255.255.255.0 10.10.20.11 255.255.255.255
Apply this to nat (0):
nat (inside) 0 access-list 100
Now you will configure a conduit to allow bi-directional communication between the two segments:
conduit permit tcp 10.20.10.0 255.255.255.0 host 10.10.20.11 eq ftp
If communication is to be initiated from the lower security interface to the higher one, you need the conduit. In the case of ftp, the server will probably initiate communication from port 20 to the client on the inside intf. If there is no conduit line in the config, those packets will be dropped because by default you cannot initiate communication from a lower priority intf to a higher one. Sorry for being so long winded.
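The port 20 behaviour described in this reply, and the fixup suggestion earlier in the thread, come down to what the PIX reads off the FTP control channel: in active mode the server connects from port 20 back to an address and port the client announced in its PORT command, so a firewall that only watches port 21 has no reason to expect that flow. The following is an added illustration, not code from the thread or from Cisco; it parses constructed PORT and 227 lines and derives the data connection a firewall would have to open, rejecting an advertised address that does not belong to the party announcing it.

```python
import re

# Constructed sample control-channel lines; addresses reuse the thread's
# example DMZ server 10.10.20.11 and an inside client on 10.20.10.0/24.
CLIENT, SERVER = "10.20.10.5", "10.10.20.11"
SAMPLES = [
    "USER anonymous\r\n",
    "PORT 10,20,10,5,195,80\r\n",                      # active: client announces
    "227 Entering Passive Mode (10,10,20,11,19,137).\r\n",  # passive: server announces
]

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _endpoint(groups):
    """FTP encodes host,port as six decimal octets: h1,h2,h3,h4,p1,p2."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def data_pinhole(client_ip, server_ip, line):
    """Return (src_ip, src_port, dst_ip, dst_port, mode) for the data
    connection this control line implies, or None if it implies none.
    src_port None means 'any ephemeral port'."""
    m = _PORT_RE.match(line)
    if m:
        ip, port = _endpoint(m.groups())
        if ip != client_ip:       # announced address must be the client itself
            return None
        # Active FTP: the SERVER opens the data connection from port 20 to
        # the client. DMZ -> inside is a lower-to-higher security flow, so the
        # PIX drops it unless ftp inspection (fixup) or a conduit opens it;
        # that is the "deny port 20" from the original question.
        return (server_ip, 20, ip, port, "active")
    m = _PASV_RE.match(line)
    if m:
        ip, port = _endpoint(m.groups())
        if ip != server_ip:       # announced address must be the server itself
            return None
        # Passive FTP: the CLIENT connects to the server's advertised port,
        # same direction as the control channel, so no reverse hole is needed.
        return (client_ip, None, ip, port, "passive")
    return None

def session_pinholes(client_ip, server_ip, lines):
    """Walk a control-channel transcript and collect every implied data flow."""
    holes = [data_pinhole(client_ip, server_ip, l) for l in lines]
    return [h for h in holes if h is not None]

if __name__ == "__main__":
    for hole in session_pinholes(CLIENT, SERVER, SAMPLES):
        print(hole)
```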
08-30-2002 11:15 AM
It's me again.
If all your clients are coming from outside or any intf with a lower security than the DMZ, you still need a conduit command to allow the clients in.
In this case: conduit permit tcp host [the server's IP] eq ftp any
gilles
08-30-2002 01:22 PM
I would go step by step:
1. Try to ftp from one of the machines in the DMZ interface itself.
2. Then configure the conduit statement to allow 'any' to 'any' and try to ftp:
conduit permit tcp any any
3. Then configure to permit all ports to that particular IP:
conduit permit tcp host x.x.x.x any
4. Then configure to allow only ftp to that particular IP:
conduit permit tcp host x.x.x.x eq ftp any
5. Even though it is not needed for a PIX, try 'conduit'ing ftp-data also (never needed to do this though!).
Best Rgds / Sampath