Solved

PIX 506 2 questions in 1 need FTP help

Posted on 2002-07-12
10
186 Views
Last Modified: 2010-04-17
What would the ACL look like to get FTP to work through my PIX on a different port than 20/21?  Second question is we have a PIX at our St. Louis office and here we have VPNs between us, but if I reload my firewall (reboot, power it off) it's like the VPN doesn't reconnect. Any suggestions how to fix?
0
Question by:tiger1477
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7150307
First question, use:
no fixup protocol ftp 21
fixup protocol ftp [port]

How long does it take to get the VPN re-established after a reload, and do you have to do anything special?
0
 

Author Comment

by:tiger1477
ID: 7150380
I also want to be able to keep the standard ports open...it took about 3 hours for the firewalls to trade keys and re-establish a connection.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7150396
You can also keep the standard ports and have two fixup lines.

I would suggest running debug ipsec to see what's happening with the tunnels. What is the lifetime of your SA? It may be set too high. If you post your config, I might be able to see something.
0
 

Author Comment

by:tiger1477
ID: 7150431
SA is 4608000 KB and 8 hours.  I can just do a fixup protocol ftp [port] and add the port I want to use, and I will be able to use both 21 and my port?  I am leaving for the weekend but will follow up with you on Monday.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7150440
0
 

Author Comment

by:tiger1477
ID: 7196017
The fixup command didn't work... I remember reading about adding ports other than default on Cisco's website that I think said you have to use ACLs to do it, but I can't find it again.  We haven't had any problems out of our VPN in the last couple of weeks.  It is running PIX version 6.2(1) and yes we are using 506Es at both ends.  If it goes offline again I will try the debug... any other suggestions on the FTP?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7196145
Is the ftp server inside your network to be accessed from outside? Then you need access-list or conduit:

access-list ACL_IN permit tcp any host 123.45.67.8 eq [port#]

fixup protocol ftp [port#]

If the FTP server is outside your network, then the fixup alone should work.
0
 

Author Comment

by:tiger1477
ID: 7196650
The server is my machine at home running G6 FTP outside my network. I figured it out: you had to use the fixup protocol and an ACL from my internal to my IP at home using port 1477... here is what I added.

fixup protocol ftp 1477
access-list inside_access_in permit tcp host Wes host Wes-Home eq 1477

That ACL got it, but you had to have both.  With just the ACL all I got was authenticated but couldn't get the directory listing, but once both were in it worked. Thanks for the help.
0
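The thread's lesson is that a non-standard FTP port needs two things on the PIX: an access-list line that permits the control connection, and a "fixup protocol ftp" line so the firewall inspects PORT/PASV and opens the data channel. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads a PIX 6.x style config fragment and reports ports that have one half of the pair but not the other, plus a helper showing what the FTP inspection derives from a 227 PASV reply. The config text, the host names Wes and Wes-Home, and the addresses are constructed for the example.

```python
import re

# Constructed PIX 6.x config fragment modelled on the lines posted above.
# The "name" entries are hypothetical; 203.0.113.10 is documentation space.
SAMPLE_CONFIG = """\
name 10.1.1.5 Wes
name 203.0.113.10 Wes-Home
fixup protocol ftp 21
fixup protocol ftp 1477
access-list inside_access_in permit tcp host Wes host Wes-Home eq 1477
access-list inside_access_in permit tcp host Wes any eq 2121
access-list inside_access_in permit tcp host Wes any eq www
"""

# Well-known port keywords the PIX accepts after "eq"; extend as needed.
PORT_KEYWORDS = {"ftp": 21, "www": 80, "http": 80, "ssh": 22, "telnet": 23}

FIXUP_RE = re.compile(r"^\s*fixup protocol ftp (\d+)\s*$", re.M)
ACL_RE = re.compile(r"^\s*access-list \S+ permit tcp .*\beq (\S+)\s*$", re.M)


def _port(token):
    """Turn an 'eq' operand (number or keyword) into an integer port."""
    return int(token) if token.isdigit() else PORT_KEYWORDS[token]


def ftp_fixup_ports(config):
    """Ports on which FTP inspection (fixup) is enabled."""
    return {int(p) for p in FIXUP_RE.findall(config)}


def acl_tcp_ports(config):
    """Destination TCP ports permitted by any access-list line."""
    return {_port(t) for t in ACL_RE.findall(config)}


def audit(config, ftp_ports_in_use):
    """Cross-check the two halves of the fix for each FTP control port.

    acl_without_fixup: the ACL opens the control channel, but with no fixup
      the PIX never reads PORT/PASV, so login works and the directory listing
      hangs (the symptom described in the thread).
    fixup_without_acl: inspection is on, but no ACL line permits the control
      connection, so the session never starts at all.
    """
    fixups = ftp_fixup_ports(config)
    acls = acl_tcp_ports(config)
    in_use = set(ftp_ports_in_use)
    return {
        "acl_without_fixup": (acls & in_use) - fixups,
        "fixup_without_acl": fixups - acls,
    }


PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Derive the data-channel endpoint from a 227 reply, which is what the
    fixup reads before opening a pinhole for the client's data connection."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


if __name__ == "__main__":
    # Ports the admin uses for FTP must be supplied; an ACL line alone does
    # not say which service sits behind a given port.
    print(audit(SAMPLE_CONFIG, {21, 1477, 2121}))
    print(parse_pasv("227 Entering Passive Mode (203,0,113,10,5,209)."))
```

In the sample, port 2121 is permitted by an ACL but has no fixup (the "authenticates but no listing" case), and port 21 has a fixup but no ACL line permitting it, so both are reported. The PASV parser makes the dependency concrete: the data port (here 1489) is chosen by the server at run time, so a static ACL restricted to the control port can never admit it; only the inspection can.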
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
ID: 7196784
Love it when a plan comes together!
0
 

Author Comment

by:tiger1477
ID: 7196996
Thanks for the help
0
