Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 192
  • Last Modified:

PIX 506 2 questions in 1 need FTP help

What would the ACL look like to get FTP to work through my PIX on a different port then 20/21?  Second question is we have a PIX at our St.Louis office and here we have VPN's between us but if I reload my firewall(reboot,power it off) it's like the VPN doesn't reconnect any suggestions how to fix?
0
tiger1477
Asked:
tiger1477
  • 5
  • 5
1 Solution
 
lrmooreCommented:
first question, use:
no fixup protocol ftp 21
fixup protocol ftp [port]

How long does it take to get the VPN re-established after a reload, and do you have to do anything special?
0
 
tiger1477Author Commented:
I also want to be able to keep the standard ports open...it took about 3 hours for the firewalls to trade keys and re-establish a connection.
0
 
lrmooreCommented:
You can also keep the standard ports and have two fixup lines.

I would suggest running debug ipsec to see what's happening with the tunnels. What is the lifetime of your SA? It may be set too high. If you post your config, I might be able to see something.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
tiger1477Author Commented:
SA is 4608000KB and 8 hours.  I can just do a fixup protocol ftp[port] and add the port I want to use and I will be able to use both 21 and my port?  I am leaving for the weekend but will follow up with you on monday.
0
 
lrmooreCommented:
0
 
tiger1477Author Commented:
The fixup command didn't work...I remember reading about adding ports other then default on Cisco's website that I think said you have to use ACL's to do it but I can't find it again.  We haven't had any problems out of our VPN in the last couple of weeks.  It is running PIX version 6.2(1) and yes we are using 506E's at both ends.  If it goes offline again I will try the debug...any other suggestions on the ftp?
0
 
lrmooreCommented:
Is the ftp server inside your network to be accessed from outside? Then you need access-list or conduit:

access-list ACL_IN permit any host 123.45.67.8 eq [port#]

fixup protocol ftp [port#]

If the FTP server is outside your network, then the fixup alone should work.
0
 
tiger1477Author Commented:
The server is my machine at home running G6 FTP outside my network. I figured it out you had to use the fixup protocol and an ACL from my internal to my IP at home using port 1477...here is what I added.

fixup protocol ftp 1477
access-list inside_access_in permit tcp host Wes host Wes-Home eq 1477

That ACL got it, but you had to have both.  With just the ACL all I got was authenticated but couldn't get the directory listing but once both were in it worked thanks for the help.
0
 
lrmooreCommented:
Love it when a plan comes together!
0
 
tiger1477Author Commented:
Thanks for the help
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now