PIX FTP Fixup
Posted on 2004-09-10
I'm trying to allow a client behind the firewall to upload (STOR) files in active mode to a server across the internet. I am using NAT and have configured the ftp fixup with and without the strict option and so far the remote ftp server has been unable to open a data connection to my client.
After enabling auditing I can see that the server is attempting to open a socket to my client on the port number listed in the PORT command but the PIX is denying the connection due to the access list attached to the outside interface. My understanding of the fixup command was that the PIX would open a temporary hole in the firewall so the existing access-list rules would not apply. Anyways, it appears that the fixup command is correctly NAT'ing the internal IP address listed in the PORT command since I'm getting a connection request back, but it's not opening up a hole for the data port.
My customer's server is behind its own firewall. I've tried using passive mode but whatever their firewall is, it's not letting me open an inbound data connection either. So I'd rather stay in active mode and fix the problem on my side.
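To make the behaviour described in this post concrete, here is an added example (not code from the original post, and not Cisco's fixup implementation) that models what an FTP inspection engine has to do with an active-mode PORT command: decode the host and port (p1*256 + p2), rewrite the inside address to the NAT address on the control channel, and record the inbound data connection that must then be permitted. All addresses are constructed for illustration; the toy keeps the announced port unchanged, so it does not model a PAT setup where the port would also be translated.

```python
import re
from dataclasses import dataclass

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2 (each field a decimal byte)
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


@dataclass(frozen=True)
class DataEndpoint:
    """Address the server must connect to for the active-mode data channel."""
    host: str
    port: int


def parse_port_command(line: str) -> DataEndpoint:
    """Decode a PORT command into host and 16-bit port (p1 * 256 + p2)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"byte out of range in PORT command: {line!r}")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return DataEndpoint(host, port)


def format_port_command(ep: DataEndpoint) -> str:
    """Encode an endpoint back into the comma-separated PORT syntax."""
    parts = ep.host.split(".")
    if len(parts) != 4 or not 0 <= ep.port <= 65535:
        raise ValueError(f"cannot encode endpoint {ep!r}")
    return f"PORT {','.join(parts)},{ep.port // 256},{ep.port % 256}\r\n"


def rewrite_port_command(line: str, inside_ip: str, nat_ip: str, server_ip: str):
    """Mimic NAT-aware FTP inspection on the control channel.

    Returns the rewritten PORT line to forward to the server and the
    temporary pinhole (server -> translated client:port) that the firewall
    must permit for the data connection to succeed.  Hypothetical model,
    not the PIX fixup's real data structures.
    """
    ep = parse_port_command(line)
    if ep.host != inside_ip:
        # A client announcing some other host is not something to translate.
        raise ValueError(f"PORT announces {ep.host}, expected inside client {inside_ip}")
    translated = DataEndpoint(nat_ip, ep.port)  # port preserved: no PAT modelled
    pinhole = {
        "proto": "tcp",
        "src": server_ip,
        "dst": nat_ip,
        "dport": ep.port,
    }
    return format_port_command(translated), pinhole


def data_connection_expected(pinhole: dict, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Does an inbound SYN match the pinhole the inspection engine opened?"""
    return (
        src_ip == pinhole["src"]
        and dst_ip == pinhole["dst"]
        and dst_port == pinhole["dport"]
    )


if __name__ == "__main__":
    # Constructed addresses: inside client, its NAT address, remote FTP server.
    inside, nat, server = "10.1.1.25", "203.0.113.5", "198.51.100.7"
    client_line = "PORT 10,1,1,25,4,210\r\n"
    forwarded, hole = rewrite_port_command(client_line, inside, nat, server)
    print("client sent :", client_line.strip())
    print("forwarded   :", forwarded.strip())
    print("pinhole     :", hole)
    print("SYN to NAT addr accepted:", data_connection_expected(hole, server, nat, 1234))
```

The last check is the point of the post: if the inspection engine rewrote the PORT address but did not open the pinhole, the server's SYN to the translated address and the announced port still falls through to the outside ACL, which is exactly the audit log symptom described above.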