04-12-2005 04:46 AM - edited 03-09-2019 10:55 AM
Dear All,
I am using a PIX 515E and I should allow both ftp and ftp-data for both incoming and outgoing. However, I can connect to my internal ftp server from outside but couldn't initiate the data transfer. Is there anything I should pay attention to in the PIX configuration?
04-12-2005 07:56 AM
Are there any access-lists on your inside interface? If so, you need to permit TCP port 21 from inside to outside...
access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list inside permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
fixup protocol ftp 21
try this and let us know...
Raj
04-12-2005 07:57 AM
Hello,
This seems to be a problem with ftp-data port (TCP 20) blocked. Could you post your configs?
Regards,
Mustafa
04-15-2005 09:13 AM
I am having the exact same issue. Pix 515E 6.3(4)
Clients connect and then time out and drop.
Receiving this error message.
Apr 13 2005 11:13:38: %PIX-4-406002: FTP port command different address: 10.1.1.1(X.X.X.X) to X.X.X.X on interface inside
Apr 13 2005 11:13:39: %PIX-6-106015: Deny TCP (no connection) from X.X.X.X/22510 to X.X.X.X/21 flags PSH ACK on interface outside
I've been fighting this issue for a week. I would be very interested in your solution.
04-18-2005 08:18 PM
Hello, all
It seems to me that you're talking about inbound Passive FTP problems, initial connection made, but cannot list directories; it also seems to me that the internal FTP server is responding on the PORT command with its public IP, instead of with the private one. Check on the server settings... Or get some 'captures' from both the inside and outside interfaces, that would help you determine the causes for that. Assuming that you have something like this:
static (inside,outside) ftp-global-ip ftp-local-ip
OK, so here is an example how to get the captures:
access-list ftp-out permit tcp any host ftp-global-ip
access-list ftp-out permit tcp host ftp-global-ip any
access-list ftp-in permit tcp any host ftp-local-ip
access-list ftp-in permit tcp host ftp-local-ip any
capture capout access-list ftp-out interface outside packet-length 1500
capture capin access-list ftp-in interface inside packet-length 1500
Then try to make the inbound connection to the FTP server. To download the capture from the PIX:
http server enable
http ip-address-host-downloading-capture 255.255.255.255 inside
And go to:
https://inside-interface-ip/capture/capin/Pcap
https://inside-interface-ip/capture/capout/Pcap
Make sure that you save the file in libpcap format (*.cap) so you can open it with any protocol analyzer program, like Ethereal. Most likely you will find the server responding to the PORT command with its public IP. You will see something like:
PORT (a,b,c,d,FF,FF); where a.b.c.d is the IP address [should be the private one] and FF,FF is used to determine the port number to use for the data channel...
Hope that helps!
Federico Rodriguez
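As an added example (not code from any poster in this thread): a small Python check that reads the control-channel payloads from a capture like the one described above, parses PORT commands and 227 (Passive Mode) replies, and reports any announced data-channel address that differs from the source IP of the packet carrying it, which is the condition behind the %PIX-4-406002 message quoted earlier. The sample capture lines and all IP addresses in it are constructed.

```python
import re
from typing import NamedTuple, Optional

# h1,h2,h3,h4,p1,p2 tuple used by both the PORT command and the 227 reply.
_ADDR_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

class DataChannel(NamedTuple):
    kind: str   # "PORT" (active mode) or "PASV" (passive mode, 227 reply)
    ip: str     # address announced for the data channel
    port: int   # p1*256 + p2, as the FTP RFC defines it

def parse_data_channel(line: str) -> Optional[DataChannel]:
    """Extract the address/port a PORT command or 227 reply announces, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        kind = "PORT"
    elif line.startswith("227 "):
        kind = "PASV"
    else:
        return None
    m = _ADDR_TUPLE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed tuple, not a usable address
    return DataChannel(kind, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

def find_address_mismatches(packets):
    """Return (kind, packet source IP, announced IP, port) for every control
    message whose embedded address differs from the packet's own source IP."""
    findings = []
    for src_ip, payload in packets:
        ch = parse_data_channel(payload)
        if ch and ch.ip != src_ip:
            findings.append((ch.kind, src_ip, ch.ip, ch.port))
    return findings

# Constructed inside-interface capture: (packet source IP, FTP control payload).
# 10.1.1.1 is the server's private IP; 203.0.113.10 its public (static) IP.
SAMPLE_INSIDE_CAPTURE = [
    ("10.1.1.1", "220 Service ready\r\n"),
    ("203.0.113.50", "PASV\r\n"),
    # Server announces its public address instead of its private one (the bug
    # discussed in the thread); the PIX fixup cannot translate this correctly.
    ("10.1.1.1", "227 Entering Passive Mode (203,0,113,10,195,80)\r\n"),
    ("203.0.113.50", "PORT 203,0,113,50,88,7\r\n"),  # consistent, not flagged
]

if __name__ == "__main__":
    for kind, src, announced, port in find_address_mismatches(SAMPLE_INSIDE_CAPTURE):
        print(f"{kind}: packet from {src} announces {announced}:{port}")
```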