PIX v6.3.1 FTP and Passive FTP

ccaron
Level 1

I have a question.

I have some clients that use old FTP software. I want to know: if I open up access to an FTP server, do I need to open both:

allow eq ftp

and the high port range from 1024 to 65535

I am not sure if the newer IOS requires me to do the high range.

Let me know.

Thanks,

Chris

8 Replies

ehirsel
Level 6

You should not have to code the high range. The newer IOS and PIX codes do FTP session state and will dynamically open up the proper ports depending upon whether passive or port mode FTP is used.

All you need to do is to configure the control session (that is ftp, not ftp-data).

Keeping the high-range opens more holes than you need, so if it is present, I would remove it.

Sorry, but I didn't understand how the PIX permits passive FTP.

I have 2 sites, each of them with a PIX and "fixup protocol ftp 21" enabled, but only active FTP works without opening ports > 1024 on the PIX protecting the FTP server.

Since the 2 sites are under my control, the security issues are not so important, but now I have to publish the FTP service to the outside world (the Internet), with both active/standard and passive FTP connections.

I read many Cisco CCO documents about fixup and passive FTP, but they described in detail only the cases with fixup disabled.

I don't understand whether fixup opens the ftp-data ports only for the standard port 20, so that it can never work with the passive FTP connection scheme.

Many thanks

Roberto Grassi

I have the following for configuration and both active and passive FTP works just fine.

fixup protocol ftp 21

access-list 100 permit tcp any host eq ftp

access-list 100 permit tcp any host eq ftp-data

I know this works, as I have some "legacy" FTP clients that use passive FTP to send/retrieve data.

-Cheers

I have the same configuration, but it doesn't work.

Is your access-list 100 applied inbound on the outside interface, or outbound?

For us the problem is receiving passive FTP connections from outside. The logging output of the firewall says "deny tcp .... by access-list out2in".

It seems the fixup works only for outbound connections and not for the inbound ones.

The router behind the firewall permits any IP from outside to the public IP of the internal FTP server.

On the PIX there is a static one-to-one NAT, not a PAT.

Can you confirm your configuration works fine?

Many thanks

Roberto

Do this: (this works for me)

fixup protocol ftp 21

access-list 100 permit tcp any host eq ftp

access-list 100 permit tcp any host eq ftp-data

access-group 100 in interface outside

static (inside,outside) netmask 255.255.255.255 0 0

****

So it is an ACL applied on the outside interface, facing the public Internet, "inbound", i.e. "in interface outside".

I am not doing PAT and have no global pool. Simple one-to-one NAT on the PIX, that's it.

This configuration works fine. I know this, as I have some "legacy" FTP clients on mainframes using passive FTP.

Let me know how you make out.

-Chris

I'm going crazy: with the same configuration my PIX does not work, and according to the messages from the PIX (at bottom), it is a local PIX problem.

I'm running 6.3(4) with the following conf:

fixup protocol ftp 21

access-list out2in line 1 permit tcp any host x.x.x.228 eq www (hitcnt=87)

access-list out2in line 2 permit tcp any host x.x.x.229 eq ftp (hitcnt=12)

access-list out2in line 3 permit tcp any host x.x.x.229 eq ftp-data (hitcnt=0)

access-group out2in in interface outside

static (inside,outside) tcp x.x.x.228 www 192.168.10.202 www netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.229 192.168.10.32 netmask 255.255.255.255 0 0

nat (inside) 0 access-list nonat

nat (inside) 1 192.168.10.0 255.255.255.0 0 0

global (outside) 1 interface

! outside interface ip address is x.x.x.228

When I try to retrieve a file or a directory listing, on the logging monitor I get errors like this:

106023: Deny tcp src outside:/2063 dst inside:x.x.x.229/54307 by access-group "out2in"

I also tried "fixup protocol ftp 21 strict" and without "fixup protocol ftp", and I still can connect to the server, although the reference manual says that without fixup protocol inbound FTP requests are denied.

Also note that line 3 of access-list out2in did not increment the counter, although I changed from passive to active for testing, and with active mode the listing runs fine. In fact, without line 3 active mode runs well and the connection from the client to port 20 of the server is correctly opened by the fixup protocol.

Many thanks for any other idea.

Roberto
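The symptom above is a 106023 deny on the server's passive data port (54307), which is exactly the port the FTP fixup is supposed to pinhole after inspecting the server's PASV reply. As an added example (not from this thread or from Cisco), the script below decodes the PASV/PORT port arithmetic the fixup relies on and flags 106023 denies that hit the advertised passive port, which is what a stateful inspector failing (or an upstream filter, as it turned out here) looks like in the log. The addresses and log lines are constructed; the public address stands in for the redacted x.x.x.229.

```python
import re

# Constructed sample data for this example (documentation address ranges, not the thread's hosts).
FTP_SERVER_PUBLIC = "203.0.113.229"  # stands in for x.x.x.229, the static NAT of 192.168.10.32
# PASV reply as seen on the outside after the fixup rewrites the embedded address: port 212*256+35 = 54307
PASV_REPLY = "227 Entering Passive Mode (203,0,113,229,212,35)"
# Active-mode PORT command: the client listens on 8*256+15 = 2063 and the server connects from port 20
PORT_CMD = "PORT 198,51,100,7,8,15"
PIX_LOG = [
    '302013: Built inbound TCP connection 12 for outside:198.51.100.7/2062 '
    '(198.51.100.7/2062) to inside:192.168.10.32/21 (203.0.113.229/21)',
    '106023: Deny tcp src outside:198.51.100.7/2063 dst inside:203.0.113.229/54307 '
    'by access-group "out2in"',
]

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def data_channel_from_pasv(reply):
    """Passive mode: the server picks a high port and the client connects to it.
    Returns the (ip, port) a stateful inspector must open inbound toward the server."""
    m = _HOSTPORT.search(reply)
    if not m or not reply.startswith("227"):
        return None
    return ".".join(m.groups()[:4]), int(m.group(5)) * 256 + int(m.group(6))


def data_channel_from_port(cmd):
    """Active mode: the client names its own listening port; the server dials it from port 20."""
    m = _HOSTPORT.search(cmd)
    if not m or not cmd.startswith("PORT "):
        return None
    return ".".join(m.groups()[:4]), int(m.group(5)) * 256 + int(m.group(6))


DENY_RE = re.compile(
    r'106023: Deny tcp src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+) by access-group "([^"]+)"'
)


def blocked_passive_data_channels(log_lines, pasv_reply):
    """Return the 106023 denies whose destination is the port advertised in the PASV reply:
    each one is a passive data channel that reached the ACL instead of the fixup's pinhole."""
    ip, port = data_channel_from_pasv(pasv_reply)
    hits = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if m and m.group(3) == ip and int(m.group(4)) == port:
            hits.append({"client": m.group(1), "client_port": int(m.group(2)),
                         "server_port": port, "acl": m.group(5)})
    return hits
```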

Looks like the ACL is blocking TCP ports greater than 1024.

Sorry, we have discovered that an upstream router (ISP side) had an ACL we were unaware of that did not permit traffic above port 1024.

Thanks to all

Roberto
