Expert pls come

Hi all,

I have encountered a problem on the PIX when using a Web browser to access the FTP server.

In the log, it stated something like Deny MyIP/Some port to MyFTP/21 flag PSH ACK

Can anyone help? Thanks.


Patrick Iseli
Level 7

Have you seen this document:

Poor or Intermittent FTP/HTTP Performance Through a PIX

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094459.shtml

Sincerely

Patrick

Hi Patrick,

Thanks for your advice!

But what is the security risk of opening port 113?

Or is it a problem with my network using dual NAT? My network uses a PIX and a W2k router; is that an issue? Please advise.

Stanley

Hi Patrick ,

I have found that when I try to use third-party FTP client software to connect from outside to my inside FTP server, passive mode on the client side doesn't work, but active mode works. In the passive-mode log I see that the "PASV" command times out, so I think it is a passive-mode problem. Then on my PIX I removed:

no fixup ftp 21

Also, the error message is a timeout. How can I solve this on my PIX? Please advise.

Stanley

Have you also opened TCP port 20 (ftp-data) in the outside access-list?

Example:

fixup protocol ftp 21

access-list acl_outside permit tcp any host FTP-Public eq 21

access-list acl_outside permit tcp any host FTP-Public eq 20

access-group acl_outside in interface outside

static (dmz,outside) FTP-Public FTP-DMZ netmask 255.255.255.255

What PIX OS version are you using? It is certain that PIX OS 7.0 will solve some FTP issues in NAT/PAT environments.

Sincerely

Patrick
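
An added illustration, not part of the thread and not Cisco's code: the server answers PASV with a 227 reply that carries its own address and a data port, and behind a static NAT that address is the real inside/DMZ one unless FTP inspection (the fixup protocol ftp line above) rewrites it. The addresses and the reply below are constructed, and rewrite_pasv is a hypothetical model of that rewrite, useful for checking captured 227 replies.

```python
import ipaddress
import re

# Constructed sample values: a DMZ server address and its public static mapping.
FTP_DMZ = ipaddress.IPv4Address("192.168.10.5")
FTP_PUBLIC = ipaddress.IPv4Address("203.0.113.10")
STATIC_MAP = {FTP_DMZ: FTP_PUBLIC}
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,10,5,19,137)"

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 [^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")


def parse_pasv(reply):
    """Return (address, port) from a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # Data port is p1*256 + p2, chosen by the server for this transfer.
    return addr, nums[4] * 256 + nums[5]


def advertises_rfc1918(reply):
    """True when the reply tells the client to connect to a private address."""
    parsed = parse_pasv(reply)
    return parsed is not None and any(parsed[0] in net for net in RFC1918)


def rewrite_pasv(reply, static_map):
    """Model of the inspection step: replace the real address with its mapping."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    addr, port = parsed
    mapped = static_map.get(addr, addr)
    fields = str(mapped).split(".") + [str(port >> 8), str(port & 0xFF)]
    return "227 Entering Passive Mode (" + ",".join(fields) + ")"


if __name__ == "__main__":
    print(parse_pasv(SAMPLE_REPLY), advertises_rfc1918(SAMPLE_REPLY))
    fixed = rewrite_pasv(SAMPLE_REPLY, STATIC_MAP)
    print(fixed, advertises_rfc1918(fixed))
```

A 227 reply seen on the outside that still advertises an RFC 1918 address means the reply crossed the firewall without being rewritten, and an outside client cannot open the data connection to it.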

Hi Patrick

I have put your recommended access-list on my PIX, but I get the same error.

My PIX is version 6.3, model 515E.