PIX 506 2 questions in 1 need FTP help

What would the ACL look like to get FTP to work through my PIX on a different port then 20/21?  Second question is we have a PIX at our St.Louis office and here we have VPN's between us but if I reload my firewall(reboot,power it off) it's like the VPN doesn't reconnect any suggestions how to fix?
tiger1477Asked:
Who is Participating?
 
lrmooreConnect With a Mentor Commented:
Love it when a plan comes together!
0
 
lrmooreCommented:
first question, use:
no fixup protocol ftp 21
fixup protocol ftp [port]

How long does it take to get the VPN re-established after a reload, and do you have to do anything special?
0
 
tiger1477Author Commented:
I also want to be able to keep the standard ports open...it took about 3 hours for the firewalls to trade keys and re-establish a connection.
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
lrmooreCommented:
You can also keep the standard ports and have two fixup lines.

I would suggest running debug ipsec to see what's happening with the tunnels. What is the lifetime of your SA? It may be set too high. If you post your config, I might be able to see something.
0
 
tiger1477Author Commented:
SA is 4608000KB and 8 hours.  I can just do a fixup protocol ftp[port] and add the port I want to use and I will be able to use both 21 and my port?  I am leaving for the weekend but will follow up with you on monday.
0
 
lrmooreCommented:
0
 
tiger1477Author Commented:
The fixup command didn't work...I remember reading about adding ports other then default on Cisco's website that I think said you have to use ACL's to do it but I can't find it again.  We haven't had any problems out of our VPN in the last couple of weeks.  It is running PIX version 6.2(1) and yes we are using 506E's at both ends.  If it goes offline again I will try the debug...any other suggestions on the ftp?
0
 
lrmooreCommented:
Is the ftp server inside your network to be accessed from outside? Then you need access-list or conduit:

access-list ACL_IN permit any host 123.45.67.8 eq [port#]

fixup protocol ftp [port#]

If the FTP server is outside your network, then the fixup alone should work.
0
 
tiger1477Author Commented:
The server is my machine at home running G6 FTP outside my network. I figured it out you had to use the fixup protocol and an ACL from my internal to my IP at home using port 1477...here is what I added.

fixup protocol ftp 1477
access-list inside_access_in permit tcp host Wes host Wes-Home eq 1477

That ACL got it, but you had to have both.  With just the ACL all I got was authenticated but couldn't get the directory listing but once both were in it worked thanks for the help.
0
 
tiger1477Author Commented:
Thanks for the help
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.