04-02-2005 04:45 AM - edited 03-09-2019 10:49 AM
Hi all,
I have encountered a problem on PIX when using a web browser to access the FTP server.
In the log, it stated something like: Deny MyIP/Some port to MyFTP/21 flag PSH ACK
Can anyone help? Thanks.
04-03-2005 07:59 AM
Have you seen this document:
Poor or Intermittent FTP/HTTP Performance Through a PIX
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094459.shtml
sincerely
Patrick
04-03-2005 07:21 PM
Hi Patrick,
Thanks for your advice!
But what is the security risk of opening port 113?
Or is it a problem with my network using dual NAT? My network uses a PIX and a W2k router; is that an issue? Please advise.
Stanley
04-05-2005 09:30 AM
Hi Patrick,
I have found that when I try to use third-party FTP client software to connect from outside to my inside FTP server, passive mode on the client side doesn't work, but active mode works. In the passive mode log, I see that the "PASV" command times out, so I think it is a passive mode problem. Then in my PIX I removed:
no fixup ftp 21
Also, the error message is a timeout. How can I solve this in my PIX? Please advise.
Stanley
04-05-2005 12:06 PM
Have you also opened TCP port 20 (ftp-data) in the outside access-list?
Example:
fixup protocol ftp 21
access-list acl_outside permit tcp any host FTP-Public eq 21
access-list acl_outside permit tcp any host FTP-Public eq 20
access-group acl_outside in interface outside
static (dmz,outside) FTP-Public FTP-DMZ netmask 255.255.255.255
What PIX OS version are you using? It is sure that the PIX OS 7.0 will solve some FTP issues with NAT/PAT environments.
sincerely
Patrick
04-06-2005 08:46 AM
Hi Patrick
I have tried putting your recommended access-list on my PIX, but I get the same error.
My PIX is version 6.3, model 515E.