01-07-2008 01:39 PM - edited 03-11-2019 04:44 AM
I'm having trouble opening a passive FTP connection between two hosts, both of which are behind firewalls and NAT'd. The FTP inspection on my end is properly inspecting the FTP traffic and is therefore seeing the "REAL" IP address as a result of the passive mode request. I believe that the firewall is therefore dropping the request because the address is different, (not the NAT Address). I can't turn off FTP Inspection because it would kill the ability to create active FTP sessions.
Is there a way to make a custom FTP Inspection rule that would allow a passive mode connection? Both hosts are behind Cisco Devices; is there some fix or workaround for this problem? BTW the warning message is:
33406002FTP port command different address: 100.100.200.5(100.100.100.1) to 10.0.8.139 on interface outside
I changed the IP's to protect the "not so innocent".
Thanks
01-11-2008 02:30 PM
With passive ftp the client should specify the port to be used. Make sure that the FWSM has both "ftp mode passive" and "fixup protocol ftp 21" in the config. The following link may help you:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/ef.html#wp1587433
01-14-2008 09:05 AM
Thanks, I understand what is supposed to happen during a passive FTP session. The problem appears to be that his firewall is not properly inspecting the FTP packet. He does have the global policy enabled, but for whatever reason his NAT device, which I have been told is a Cisco Firewall, is not re-writing the data portion of the 227 response. His box is replying with the non public IP address and my firewall is dropping the connection because it sees the connection as an FTP session hijack.
BTW the "FTP mode passive" command is only applicable to ftp sessions to the FWSM itself for the purpose of upgrading code or loading configuration files. It has no relevance to "external" FTP operations. The "fixup" commands have been replaced using policy statements.
Thanks for the reply.
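The check described in the reply above (the advertised PASV address must match the control-connection peer, otherwise the inspection engine treats the 227 reply as a possible hijack) and the payload rewrite a NAT device's FTP inspection is expected to perform, as an added example that is not part of the original thread. The sample 227 replies and addresses are constructed, using the sanitized addresses from the thread's log line.

```python
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is not a valid one."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        return None
    ip = ".".join(str(x) for x in fields[:4])
    port = fields[4] * 256 + fields[5]
    return (ip, port) if port else None


def check_pasv(reply, peer_ip):
    """Mimic the inspection check: the data address in the payload must equal the
    address the control connection actually comes from. A mismatch is what the
    firewall logs as "FTP port command different address" and drops."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ("malformed", None)
    ip, port = parsed
    if ip != peer_ip:
        return ("different address", (ip, port))
    return ("ok", (ip, port))


def rewrite_pasv(reply, public_ip):
    """What the server-side NAT device should do to an outbound 227 reply:
    replace the private address in the payload with the public (NAT) address,
    leaving the port untouched."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    _, port = parsed
    new = "(%s,%d,%d)" % (public_ip.replace(".", ","), port // 256, port % 256)
    return PASV_RE.sub(new, reply, count=1)


if __name__ == "__main__":
    # Constructed: server behind NAT advertises its private address; the control
    # connection is seen from the public address 100.100.200.5.
    reply = "227 Entering Passive Mode (192,168,1,10,19,136)."
    print(check_pasv(reply, "100.100.200.5"))
    print(rewrite_pasv(reply, "100.100.200.5"))
```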
03-03-2016 12:43 AM
I have the same problem with FWSM and FTP. Did you manage to solve this?
Thanks!