Solved

Having trouble getting FTP to work on PIX 501

Posted on 2004-08-11
Last Modified: 2008-01-09
I have a newly installed PIX 501 that is working (finally).  The last thing I'm having trouble with is ftp.  I use port 2121 for ftp.  When I ftp I get prompted for username and password.  I enter in the information and then get an error that says "the connection with the server was reset".  I have tried this with passive on, and with passive off.  Still the same message.  I'm running kiwi syslog and this is the output.

Aug 11 2004 10:53:39: %PIX-6-302010: 8 in use, 27 most used
Aug 11 2004 10:52:19: %PIX-6-302014: Teardown TCP connection 3022 for outside:218.168.181.179/2093 to inside:192.168.1.10/4899 duration 0:00:01 bytes 56 TCP FINs
Aug 11 2004 10:52:18: %PIX-6-302013: Built inbound TCP connection 3022 for outside:218.168.181.179/2093 (218.168.181.179/2093) to inside:192.168.1.10/4899 (24.1.36.238/4899)
Keep-alive message
Aug 11 2004 10:48:10: %PIX-6-305012: Teardown static TCP translation from inside:192.168.1.10/2121 to outside:24.1.36.238/2121 duration 0:01:05
Aug 11 2004 10:48:07: %PIX-6-302014: Teardown TCP connection 3020 for outside:66.147.170.99/50410 to inside:192.168.1.10/2121 duration 0:00:50 bytes 243 TCP FINs
Aug 11 2004 10:47:39: %PIX-6-106015: Deny TCP (no connection) from 66.147.170.99/50411 to 24.1.36.238/2121 flags PSH ACK  on interface outside
Aug 11 2004 10:47:28: %PIX-6-106015: Deny TCP (no connection) from 66.147.170.99/50411 to 24.1.36.238/2121 flags PSH ACK  on interface outside
Aug 11 2004 10:47:22: %PIX-6-106015: Deny TCP (no connection) from 66.147.170.99/50411 to 24.1.36.238/2121 flags PSH ACK  on interface outside
Aug 11 2004 10:47:19: %PIX-6-106015: Deny TCP (no connection) from 66.147.170.99/50411 to 24.1.36.238/2121 flags PSH ACK  on interface outside
Aug 11 2004 10:47:18: %PIX-6-106015: Deny TCP (no connection) from 192.168.1.10/2121 to 66.147.170.99/50411 flags PSH ACK  on interface inside
Aug 11 2004 10:47:18: %PIX-6-106015: Deny TCP (no connection) from 66.147.170.99/50411 to 24.1.36.238/2121 flags PSH ACK  on interface outside
Aug 11 2004 10:47:17: %PIX-6-302014: Teardown TCP connection 3021 for outside:66.147.170.99/50411 to inside:192.168.1.10/2121 duration 0:00:01 bytes 271 Deny
Aug 11 2004 10:47:17: %PIX-4-406002: FTP port command different address: 66.147.170.99(192.168.101.130) to 192.168.1.10 on interface outside
Aug 11 2004 10:47:17: %PIX-6-302013: Built inbound TCP connection 3021 for outside:66.147.170.99/50411 (66.147.170.99/50411) to inside:192.168.1.10/2121 (24.1.36.238/2121)
Aug 11 2004 10:47:16: %PIX-6-302013: Built inbound TCP connection 3020 for outside:66.147.170.99/50410 (66.147.170.99/50410) to inside:192.168.1.10/2121 (24.1.36.238/2121)
Aug 11 2004 10:47:06: %PIX-6-302014: Teardown TCP connection 3019 for outside:66.147.170.99/50390 to inside:192.168.1.10/2121 duration 0:00:01 bytes 137 TCP FINs
Aug 11 2004 10:47:05: %PIX-6-302014: Teardown TCP connection 3018 for outside:66.147.170.99/50389 to inside:192.168.1.10/2121 duration 0:00:01 bytes 137 TCP FINs
Aug 11 2004 10:47:05: %PIX-6-302013: Built inbound TCP connection 3019 for outside:66.147.170.99/50390 (66.147.170.99/50390) to inside:192.168.1.10/2121 (24.1.36.238/2121)
Aug 11 2004 10:47:05: %PIX-6-302013: Built inbound TCP connection 3018 for outside:66.147.170.99/50389 (66.147.170.99/50389) to inside:192.168.1.10/2121 (24.1.36.238/2121)
Aug 11 2004 10:47:05: %PIX-6-305011: Built static TCP translation from inside:192.168.1.10/2121 to outside:24.1.36.238/2121


Thanks to anyone that can help

Question by:RayDoran
5 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 11775576
Hi RayDoran,
> Aug 11 2004 10:47:17: %PIX-6-302014: Teardown TCP connection 3021 for
> outside:66.147.170.99/50411 to inside:192.168.1.10/2121 duration 0:00:01
> bytes 271 Deny
> Aug 11 2004 10:47:17: %PIX-4-406002: FTP port command different address:
> 66.147.170.99(192.168.101.130) to 192.168.1.10 on interface outside

From where are you testing the ftp server?
Are you testing it from a machine directly connected to the Internet?
You know you cannot test it from another machine behind the same PIX?
0
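Added example, not part of the original thread: %PIX-4-406002 is logged when the address inside an FTP PORT command differs from the source address of the control connection. This Python sketch replays the posted syslog lines oldest first and ties each 406002 event to the connection torn down with reason "Deny" and to the %PIX-6-106015 denials that follow on the same client endpoint. The function name `correlate` and the returned field names are assumptions of this example; the sample lines are copied from the question.

```python
import ipaddress
import re
from collections import Counter

# Subset of the syslog lines from the question, newest first as Kiwi displayed them.
SAMPLE = """\
Aug 11 2004 10:47:19: %PIX-6-106015: Deny TCP (no connection) from 66.147.170.99/50411 to 24.1.36.238/2121 flags PSH ACK  on interface outside
Aug 11 2004 10:47:18: %PIX-6-106015: Deny TCP (no connection) from 192.168.1.10/2121 to 66.147.170.99/50411 flags PSH ACK  on interface inside
Aug 11 2004 10:47:18: %PIX-6-106015: Deny TCP (no connection) from 66.147.170.99/50411 to 24.1.36.238/2121 flags PSH ACK  on interface outside
Aug 11 2004 10:47:17: %PIX-6-302014: Teardown TCP connection 3021 for outside:66.147.170.99/50411 to inside:192.168.1.10/2121 duration 0:00:01 bytes 271 Deny
Aug 11 2004 10:47:17: %PIX-4-406002: FTP port command different address: 66.147.170.99(192.168.101.130) to 192.168.1.10 on interface outside
Aug 11 2004 10:47:17: %PIX-6-302013: Built inbound TCP connection 3021 for outside:66.147.170.99/50411 (66.147.170.99/50411) to inside:192.168.1.10/2121 (24.1.36.238/2121)
Aug 11 2004 10:47:06: %PIX-6-302014: Teardown TCP connection 3019 for outside:66.147.170.99/50390 to inside:192.168.1.10/2121 duration 0:00:01 bytes 137 TCP FINs
"""

MISMATCH = re.compile(r"%PIX-4-406002: FTP port command different address: "
                      r"([\d.]+)\(([\d.]+)\) to ([\d.]+) on interface (\S+)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) for "
                      r"outside:([\d.]+)/(\d+) to \S+ duration \S+ bytes \d+ (.+)$")
NO_CONN = re.compile(r"%PIX-6-106015: Deny TCP \(no connection\) from "
                     r"([\d.]+)/(\d+) to ([\d.]+)/(\d+)")

def correlate(log_text):
    """Link each 406002 event to the dropped connection and the packets denied afterwards."""
    events, denied, stray = [], {}, Counter()
    for line in reversed(log_text.splitlines()):      # replay oldest first
        if m := MISMATCH.search(line):
            events.append({"client": m[1], "port_cmd_addr": m[2],
                           "port_addr_private": ipaddress.ip_address(m[2]).is_private})
        elif m := TEARDOWN.search(line):
            if m[4].strip() == "Deny":                # normal FIN teardowns are ignored
                denied[(m[2], m[3])] = m[1]           # (client ip, client port) -> conn id
        elif m := NO_CONN.search(line):
            for endpoint in ((m[1], m[2]), (m[3], m[4])):
                if endpoint in denied:                # either direction of the dead flow
                    stray[endpoint] += 1
    for ev in events:
        ev["dropped"] = [{"conn_id": cid, "client_port": ep[1],
                          "packets_denied_after": stray[ep]}
                         for ep, cid in denied.items() if ep[0] == ev["client"]]
    return events

if __name__ == "__main__":
    for ev in correlate(SAMPLE):
        print(ev)
```

On the sample, the one 406002 event pairs the public client address 66.147.170.99 with the RFC 1918 address 192.168.101.130 carried in the PORT command, and connection 3021 is the one torn down with "Deny".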
 

Author Comment

by:RayDoran
ID: 11777178
I'm at the office connecting back to the house.  I turned off passive, and directed it back to port 21 and it's working.  I think it might be the settings in the ftp server.
0
 
LVL 36

Expert Comment

by:grblades
ID: 11777217
Could it be a firewall issue at work?
0
 

Author Comment

by:RayDoran
ID: 11778130
I don't think so because it was working fine before I installed the PIX at the house.  I did test something.  I was able to login to the ftp server and look at the files.  I was even able to download some files, but when I try to upload it wants me to enter in username and password again and again and again.........  It will never upload the file.  I started an ftp program (flashfxp) and was able to upload and download just fine.  Not sure what the deal is??
0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 11779023
I can't see how the PIX could be causing that as you can connect and establish a data connection. Can you turn on logging on the ftp server so you can see all the commands and responses to it?
0


Question has a verified solution.
