PIX

jkh_tt
Level 1

Hi ppl,

I am trying to ftp from a LAN behind a firewall to our HQ, which is running a PIX 5.1. We have created an ACL to allow my source IP (1.1.1.1) to the ftp server (2.2.2.2). But I got "connection timed out". My syslog only shows the following:

<87>Feb 22 2004 12:32:46: %PIX-4-106019: IP packet from 1.1.1.1 to 2.2.2.2, protocol 17 received from interface "outside" deny by access-group "ACL_in"

I understand that protocol 17 is used by UDP, but what causes my ftp to become a UDP protocol? fixup protocol ftp 21 was configured. Could NAT or PAT cause the problem?

Advice needed, thank you!
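The syslog line quoted above is the only evidence the poster has, so it helps to pull the fields out of it mechanically rather than by eye. The following is an added example, not code from the original thread or from Cisco: it parses %PIX-4-106019 deny messages in the exact format shown above, maps the numeric IP protocol to a name, and tallies denies per (source, destination, protocol, ACL). The sample log lines are constructed for this example; the second and third lines are not from the thread. Note that this message format carries no port numbers, so from 106019 alone you can tell that a UDP packet was denied, but not which UDP port it was for, and you cannot see the TCP/21 FTP control connection in it at all.

```python
import re

# Constructed sample lines in the %PIX-4-106019 format (not real captures).
# The first line is the format quoted in the question; the others are made up.
SAMPLE_LOGS = [
    '<87>Feb 22 2004 12:32:46: %PIX-4-106019: IP packet from 1.1.1.1 to 2.2.2.2, '
    'protocol 17 received from interface "outside" deny by access-group "ACL_in"',
    '<87>Feb 22 2004 12:33:01: %PIX-4-106019: IP packet from 1.1.1.1 to 2.2.2.2, '
    'protocol 6 received from interface "outside" deny by access-group "ACL_in"',
    '<87>Feb 22 2004 12:33:05: %PIX-6-302001: Built inbound TCP connection (unrelated line)',
]

# IANA IP protocol numbers that commonly show up in firewall deny logs.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

# Matches the 106019 body as it appears on the page; the leading <PRI> and
# timestamp are skipped by using search() instead of match().
PIX_106019 = re.compile(
    r'%PIX-\d-106019: IP packet from (?P<src>\d+\.\d+\.\d+\.\d+) '
    r'to (?P<dst>\d+\.\d+\.\d+\.\d+), protocol (?P<proto>\d+) '
    r'received from interface "(?P<iface>[^"]+)" '
    r'deny by access-group "(?P<acl>[^"]+)"'
)


def parse_106019(line):
    """Return a dict of fields for a 106019 deny line, or None for any other line."""
    m = PIX_106019.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "protocol": proto,
        "protocol_name": IP_PROTOCOLS.get(proto, "IP-%d" % proto),
        "interface": m.group("iface"),
        "acl": m.group("acl"),
    }


def summarize_denies(lines):
    """Count denies keyed by (src, dst, protocol name, ACL) across a batch of log lines."""
    counts = {}
    for line in lines:
        ev = parse_106019(line)
        if ev is None:
            continue  # not a 106019 deny; ignore
        key = (ev["src"], ev["dst"], ev["protocol_name"], ev["acl"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def could_be_ftp_control(event):
    """FTP's control channel is TCP (port 21). A UDP deny is therefore not the
    FTP session itself; something else on the client is sending UDP to the server.
    The 106019 message has no ports, so TCP here means 'possibly', not 'certainly'."""
    return event is not None and event["protocol_name"] == "TCP"


if __name__ == "__main__":
    for key, n in sorted(summarize_denies(SAMPLE_LOGS).items()):
        src, dst, proto, acl = key
        print("%s -> %s %-4s denied %d time(s) by %s" % (src, dst, proto, n, acl))
    first = parse_106019(SAMPLE_LOGS[0])
    print("first deny could be the FTP control channel:", could_be_ftp_control(first))
```

Run against a real PIX syslog export, the summary quickly shows whether TCP denies to the server exist at all (which would point at the ACL) or whether only UDP is being dropped while the TCP/21 session is failing silently elsewhere, for example in NAT or the fixup.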

3 Replies

jmia
Level 7

Hi,

This error is logged when you have a deny ACL statement applied to the relevant interface, i.e. your outside interface. Check the ACLs that are applied on the outside interface.

Thanks - Jay

Thanks Jay, our ACL only allows port 80 and ftp, but not UDP. My query is that I was connecting using ftp from one site behind a firewall to our HQ, which is running PIX. But on the PIX syslog, the only traffic that I can see from this source address to the ftp server is protocol 17 (UDP) instead of what I am expecting (ftp 21). Will NAT or PAT cause the problem?

Thanks!!! :)

sateeshk
Level 1

Hi,

Please check these things:

1) Do you have any ACL applied on the inside interface (for testing)?

2) Apply the ACL you used on the outside interface in direction out in the access-group.

3) telnet 2.2.2.2 21

Thanks

sat
