Solved

PIX FTP Fixup

Posted on 2004-09-10
3
1,109 Views
Last Modified: 2013-11-29
I'm trying to allow a client behind the firewall to upload (STOR) files in active mode to a server across the internet.  I am using NAT and have configured the ftp fixup with and without the strict option and so far the remote ftp server has been unable to open a data connection to my client.

After enabling auditing I can see that the server is attempting to open a socket to my client on the port number listed in the PORT command but the PIX is denying the connection due to the access list attached to the outside interface.  My understanding of the fixup command was that the PIX would open a temporary hole in the firewall so the existing access-list rules would not apply.  Anyways, it appears that the fixup command is correctly NAT'ing the internal IP address listed in the PORT command since I'm getting a connection request back, but it's not opening up a hole for the data port.

My customer's server is behind it's own firewall,  I've tried using passive mode but whatever their firewall is, it's not letting me open an inboud data connection either.  So I'd rather stay in active mode and fix the problem on my side.

Any thoughts?
0
Comment
Question by:dcrysler
  • 2
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12029130
You can try explicitly permitting the high ports from that server inbound in your inbound access-list, just as a temporary measure..

access-list outside_in permit tcp host <server> host <PIX IP> gt 1024

But, you are correct that the fixup "should" allow your client to work in active mode.

It may still be an issue with your customer's firewall not permitting outbound > 1024 for ftp ....
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12029154
Sorry, I got the passive and active backwards...

Disregard the access-list entry..

Perhaps port 20 is not open on the other firewall?

Have you tried disabling fixup ftp and using passive mode?
0
 
LVL 1

Author Comment

by:dcrysler
ID: 12029489
Never mind, it looks like I'll have to use passive mode. I did try it without success,  but the error ended up being on my customers side.  Their ftp server is multi-homed with the ftp server listening on a secondary address.  When their server tries to open the data connection it uses it's primary ip address causing PIX to reject it.

0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
google exe file 5 68
Netgear modem router default firmware 11 32
tamper proof asset tags - benefits 4 27
what is mstp 6 37
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question