06-27-2006 11:02 AM - last edited on 02-21-2020 11:16 PM by cc_security_adm
I've got a PIX 515 v7.2.1 configured as just a firewall (no NAT). We are experiencing issues with FTP outbound. We can connect to one FTP site without issues (doesn't matter which, just the first one we connect to). When we attempt to connect to others after this, they are disconnected after attempting to connect. If we reboot the PIX, we can connect to a different FTP server, but once again no more than one.
Config:
PIX Version 7.2(1)
!
hostname PIX01
domain-name ????.net
enable password ... encrypted
names
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address 12.x.x.2 255.255.255.192
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address 12.x.x.65 255.255.255.192
!
interface Ethernet2
nameif Antenna
security-level 10
ip address 12.x.x.193 255.255.255.192
!
interface Ethernet3
nameif DMZ
security-level 20
ip address 12.x.x.129 255.255.255.192
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
passwd .... encrypted
no ftp mode passive
dns server-group DefaultDNS
domain-name ???.net
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 12.x.x.130 eq www
access-list outside_in extended permit tcp any host 12.x.x.130 eq https
access-list outside_in extended permit tcp any host 12.x.x.130 eq 3389
access-list outside_in extended permit tcp any host 12.x.x.150 eq ftp
access-list outside_in extended permit tcp any host 12.x.x.150 eq ftp-data
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Antenna 1500
mtu DMZ 1500
no failover
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
nat (Antenna) 0 0.0.0.0 0.0.0.0
nat (DMZ) 0 0.0.0.0 0.0.0.0
static (DMZ,outside) 12.x.x.128 12.x.x.128 netmask 255.255.255.192
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 12.x.x.64 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 12.x.x.64 255.255.255.192 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ftp
!
service-policy global_policy global
prompt hostname context
06-27-2006 12:09 PM
Fixed it. Took out the "inspect ftp" from the policy map. All is well now in ftp land.