PIX 515 and outbound FTP issues

matt.slaga
Level 4

I've got a PIX 515 v7.2.1 configured as just a firewall (no NAT). We are experiencing issues with FTP outbound. We can connect to one FTP site without issues (doesn't matter which, just the first one we connect to). When we attempt to connect to others after this, they are disconnected after attempting to connect. If we reboot the PIX, we can connect to a different FTP server, but once again no more than one.

Config:

PIX Version 7.2(1)
!
hostname PIX01
domain-name ????.net
enable password ... encrypted
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 12.x.x.2 255.255.255.192
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 12.x.x.65 255.255.255.192
!
interface Ethernet2
 nameif Antenna
 security-level 10
 ip address 12.x.x.193 255.255.255.192
!
interface Ethernet3
 nameif DMZ
 security-level 20
 ip address 12.x.x.129 255.255.255.192
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd .... encrypted
no ftp mode passive
dns server-group DefaultDNS
 domain-name ???.net
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 12.x.x.130 eq www
access-list outside_in extended permit tcp any host 12.x.x.130 eq https
access-list outside_in extended permit tcp any host 12.x.x.130 eq 3389
access-list outside_in extended permit tcp any host 12.x.x.150 eq ftp
access-list outside_in extended permit tcp any host 12.x.x.150 eq ftp-data
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Antenna 1500
mtu DMZ 1500
no failover
asdm image flash:/asdm-521.bin
asdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
nat (Antenna) 0 0.0.0.0 0.0.0.0
nat (DMZ) 0 0.0.0.0 0.0.0.0
static (DMZ,outside) 12.x.x.128 12.x.x.128 netmask 255.255.255.192
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 12.x.x.64 255.255.255.192 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 12.x.x.64 255.255.255.192 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ftp
!
service-policy global_policy global
prompt hostname context

1 Reply

matt.slaga
Level 4

Fixed it. Took out the "inspect ftp" from the policy map. All is well now in ftp land.
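The fix above removes FTP inspection from the global policy. On a PIX/ASA that inspection watches the FTP control channel so it can open a temporary pinhole for each data connection and sanity-check the PORT/PASV exchange; without it, only what the ACLs permit gets through. In the posted config that affects active-mode transfers from outside servers (the server connects back to the inside client) and passive-mode transfers to the DMZ host 12.x.x.150, to which outside_in permits only ports 21 and 20. The Python below is an added illustration, not code from the poster or from Cisco: it models the control-channel parsing and the two sanity checks such an inspection engine performs, run over a constructed session. The addresses, the `Pinhole` type and the function names are assumptions made for the example.

```python
"""Model of the control-channel work a stateful firewall's FTP inspection
does.  Added illustration only: not PIX/ASA code and not the poster's."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pinhole:
    """One temporary permit the firewall would add for a data connection."""
    src_ip: str       # side that will initiate the data connection
    dst_ip: str
    dst_port: int
    mode: str         # "active" (PORT) or "passive" (227 / 229)


# PORT h1,h2,h3,h4,p1,p2 from the client; 227 and 229 replies from the server.
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
_PASV_RE = re.compile(r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV_RE = re.compile(r"^229\b.*\(\|\|\|(\d{1,5})\|\)")


def _host_port(groups: Tuple[str, ...]) -> Tuple[str, int]:
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range: {','.join(groups)}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def _check(advertised_ip: str, expected_ip: str, port: int) -> None:
    # The data endpoint must belong to the peer that advertised it; a no-NAT
    # ALG such as the one on this PIX refuses anything else (FTP bounce check).
    if advertised_ip != expected_ip:
        raise ValueError(f"data endpoint {advertised_ip} is not the peer {expected_ip}")
    # Data connections to privileged ports would turn the control channel into
    # a way to reach other services on the peer through the firewall.
    if not 1024 <= port <= 65535:
        raise ValueError(f"data port {port} outside the unprivileged range")


def pinhole_for_client_command(line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Client -> server line.  PORT (active mode) means the server will connect
    back from its port 20 to the address/port the client advertised."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    host, port = _host_port(m.groups())
    _check(host, client_ip, port)
    return Pinhole(src_ip=server_ip, dst_ip=host, dst_port=port, mode="active")


def pinhole_for_server_reply(line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Server -> client line.  227 (PASV) or 229 (EPSV) means the client will
    connect out to the port the server advertised."""
    m = _PASV_RE.match(line)
    if m:
        host, port = _host_port(m.groups())
        _check(host, server_ip, port)
        return Pinhole(src_ip=client_ip, dst_ip=host, dst_port=port, mode="passive")
    m = _EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        _check(server_ip, server_ip, port)        # EPSV carries no address
        return Pinhole(src_ip=client_ip, dst_ip=server_ip, dst_port=port, mode="passive")
    return None


def inspect_session(control_lines, client_ip: str, server_ip: str):
    """Walk a captured control channel ("C"/"S" tagged lines) and return the
    pinholes an FTP ALG would open and the lines it would refuse."""
    opened: List[Pinhole] = []
    rejected: List[Tuple[str, str]] = []
    for direction, line in control_lines:
        parse = pinhole_for_client_command if direction == "C" else pinhole_for_server_reply
        try:
            ph = parse(line, client_ip, server_ip)
        except ValueError as err:
            rejected.append((line, str(err)))
            continue
        if ph is not None:
            opened.append(ph)
    return opened, rejected


# Constructed sample: inside client 10.0.0.5 talking to outside server 198.51.100.7.
SAMPLE_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Password required"),
    ("C", "PASS guest@"),
    ("S", "230 Logged in"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,195,80)"),  # 195*256+80 = 50000
    ("C", "PORT 10,0,0,5,4,1"),                                 # 4*256+1 = 1025, active
    ("C", "PORT 192,0,2,9,4,1"),            # third-party address: refused (bounce check)
    ("S", "227 Entering Passive Mode (198,51,100,7,0,22)"),     # port 22: refused
]

if __name__ == "__main__":
    opened, rejected = inspect_session(SAMPLE_SESSION, "10.0.0.5", "198.51.100.7")
    for ph in opened:
        print("open  ", ph)
    for line, why in rejected:
        print("refuse", line, "->", why)
```

Run as a script it lists the two pinholes the inspection engine would open for the sample session (the passive one toward 198.51.100.7:50000 and the active one back to 10.0.0.5:1025) and the two lines it refuses. Each of those pinholes is a permit the ACLs on the posted PIX do not contain, which is what the firewall stops providing once `inspect ftp` is gone.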
