Solved

PIX 506 2 questions in 1 need FTP help

Posted on 2002-07-12
10
187 Views
Last Modified: 2010-04-17
What would the ACL look like to get FTP to work through my PIX on a different port than 20/21? Second question is we have a PIX at our St. Louis office and here we have VPNs between us, but if I reload my firewall (reboot, power it off) it's like the VPN doesn't reconnect. Any suggestions how to fix?
0
Question by:tiger1477
10 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 7150307
first question, use:
no fixup protocol ftp 21
fixup protocol ftp [port]

How long does it take to get the VPN re-established after a reload, and do you have to do anything special?
0
 

Author Comment

by:tiger1477
ID: 7150380
I also want to be able to keep the standard ports open...it took about 3 hours for the firewalls to trade keys and re-establish a connection.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7150396
You can also keep the standard ports and have two fixup lines.

I would suggest running debug ipsec to see what's happening with the tunnels. What is the lifetime of your SA? It may be set too high. If you post your config, I might be able to see something.
0
 

Author Comment

by:tiger1477
ID: 7150431
SA is 4608000KB and 8 hours. I can just do a fixup protocol ftp [port] and add the port I want to use and I will be able to use both 21 and my port? I am leaving for the weekend but will follow up with you on Monday.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7150440
0
 

Author Comment

by:tiger1477
ID: 7196017
The fixup command didn't work...I remember reading about adding ports other than default on Cisco's website that I think said you have to use ACLs to do it, but I can't find it again. We haven't had any problems out of our VPN in the last couple of weeks. It is running PIX version 6.2(1) and yes we are using 506Es at both ends. If it goes offline again I will try the debug...any other suggestions on the ftp?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 7196145
Is the ftp server inside your network to be accessed from outside? Then you need an access-list or conduit:

access-list ACL_IN permit tcp any host 123.45.67.8 eq [port#]

fixup protocol ftp [port#]

If the FTP server is outside your network, then the fixup alone should work.
0
 

Author Comment

by:tiger1477
ID: 7196650
The server is my machine at home running G6 FTP outside my network. I figured it out: you had to use the fixup protocol and an ACL from my internal to my IP at home using port 1477...here is what I added.

fixup protocol ftp 1477
access-list inside_access_in permit tcp host Wes host Wes-Home eq 1477

That ACL got it, but you had to have both. With just the ACL all I got was authenticated but couldn't get the directory listing, but once both were in it worked. Thanks for the help.
0
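The two comments above land on the rule for FTP on a non-standard port through a PIX: the access-list entry permits the TCP control connection to the port, and the matching fixup makes the PIX inspect the PORT/PASV exchange so the data channel gets opened; with the ACL alone you can log in but the directory listing never arrives. The script below is an added example, not code from the thread or from Cisco: it parses a PIX 6.x style config fragment and reports ports that have one half of that pair without the other. The sample config, host names (Wes, Wes-Home), ACL name and ports are constructed for the example and are assumptions.

```python
"""Audit a PIX 6.x config fragment for FTP on a non-standard port.

Added example (not from the thread or Cisco): finds ports that have an
access-list entry but no "fixup protocol ftp <port>", or the reverse.
Host names, ACL names and ports below are constructed assumptions.
"""
import re

# fixup protocol ftp [strict] <port>, and its "no" form
FIXUP_RE = re.compile(r"^(no )?fixup protocol ftp (?:strict )?(\d+)$")
# access-list <name> permit tcp <src> <dst> eq <port>
_ADDR = r"(?:host \S+|any|\S+ \S+)"
ACL_RE = re.compile(rf"^access-list (\S+) permit tcp {_ADDR} {_ADDR} eq (\S+)$")
# access-group <name> in interface <ifname>  (ACL is actually enforced)
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface \S+$")

PORT_NAMES = {"ftp": 21}  # PIX accepts a few service names instead of numbers

# Constructed sample modelled on the final config posted in the thread,
# plus two deliberately incomplete ports (2121 and 2222) for the audit.
SAMPLE_CONFIG = """\
fixup protocol ftp 21
fixup protocol ftp 1477
fixup protocol ftp 2222
access-list inside_access_in permit tcp host Wes host Wes-Home eq 1477
access-list inside_access_in permit tcp host Wes any eq ftp
access-list inside_access_in permit tcp host Wes any eq 2121
access-group inside_access_in in interface inside
"""


def audit_ftp(config: str, ftp_ports) -> dict:
    """Return {"applied": [acl names bound to an interface],
               "ports": {port: {"fixup": bool, "acls": [acl names]}}}."""
    fixups = set()
    acl_ports = {}   # port -> ACL names that permit the control connection
    applied = set()  # ACL names bound with access-group
    for raw in config.splitlines():
        line = raw.strip()
        m = FIXUP_RE.match(line)
        if m:
            port = int(m.group(2))
            # config lines apply in order, so a later "no fixup" wins
            (fixups.discard if m.group(1) else fixups.add)(port)
            continue
        m = ACL_RE.match(line)
        if m:
            svc = m.group(2)
            port = int(svc) if svc.isdigit() else PORT_NAMES.get(svc)
            if port is not None:
                acl_ports.setdefault(port, []).append(m.group(1))
            continue
        m = ACCESS_GROUP_RE.match(line)
        if m:
            applied.add(m.group(1))
    return {
        "applied": sorted(applied),
        "ports": {p: {"fixup": p in fixups, "acls": acl_ports.get(p, [])}
                  for p in ftp_ports},
    }


def findings(report: dict) -> list:
    """Map the audit onto the symptoms described in the thread."""
    out = []
    enforced = bool(report["applied"])
    for port, info in sorted(report["ports"].items()):
        if info["acls"] and not info["fixup"]:
            # control channel opens, data channel never does:
            # login succeeds, directory listing hangs
            out.append(f"{port}: ACL permits control connection but no "
                       f"'fixup protocol ftp {port}'")
        elif info["fixup"] and not info["acls"] and enforced:
            # fixup inspects nothing if the interface ACL drops port {port}
            out.append(f"{port}: fixup present but no access-list entry")
    return out


if __name__ == "__main__":
    report = audit_ftp(SAMPLE_CONFIG, [21, 1477, 2121, 2222])
    for line in findings(report) or ["no FTP port findings"]:
        print(line)
```

Run it and ports 21 and 1477 pass, 2121 is flagged for the "login works, listing hangs" case, and 2222 for a fixup with no ACL entry on an interface that has an access-group applied. When no access-group is bound (the outside-server case lrmoore describes), a fixup alone is reported as sufficient.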
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
ID: 7196784
Love it when a plan comes together!
0
 

Author Comment

by:tiger1477
ID: 7196996
Thanks for the help
0
