Cisco Pix blocking FTP traffic

Posted on 2004-10-26
Last Modified: 2013-11-29
We have a Windows 2000 server running the FTP server behind a Cisco PIX firewall. The FTP service is configured for port 121. I have opened ports 120 (ftp data) and 121 through the firewall. My client is still unable to FTP to my server. I checked my system log messages and here is what I found (CLIENT = client IP address, SERVER = our server IP address).

Oct 25 2004 12:26:45: %PIX-6-302013: Built inbound TCP connection 31023938 for outside:CLIENT/1244 (CLIENT/1244) to inside:SERVER/121 (SERVER/121)
Oct 25 2004 12:26:46: %PIX-4-406002: FTP port command different address: CLIENT(192.168.0.1) to SERVER on interface outside
Oct 25 2004 12:26:46: %PIX-6-302014: Teardown TCP connection 31023938 for outside:CLIENT/1244 to inside:SERVER/121 duration 0:00:01 bytes 288 Deny
Oct 25 2004 12:26:47: %PIX-6-106015: Deny TCP (no connection) from SERVER/121 to CLIENT/1244 flags PSH ACK  on interface inside
Oct 25 2004 12:26:47: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:26:50: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:26:55: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:27:06: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:27:26: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside

This FTP attempt was made by the client using WS_FTP behind a router running NAT. His client IP address (not the router) is 192.168.0.1. Anybody know what configuration I can change to fix this? Apparently the firewall has mistaken a NAT client for a spoofed connection.
Question by:periker
5 Comments
Author Comment

by:periker
ID: 12410654
One other note. The client is able to connect in passive mode but not active mode. They need active mode to work in order to FTP via a batch file using Microsoft's ftp.
LVL 4

Expert Comment

by:thribhu
ID: 12412768
I suspect this problem may occur due to double NATting at your end and the client's end.
Anyhow, ask him to get connected using a public IP from his end.
LVL 5

Expert Comment

by:epylko
ID: 12413546
You might want to try "fixup protocol ftp 121" (I think the syntax is correct) so the PIX knows to fix FTP traffic that is running on a non-standard port.

-Eric

Author Comment

by:periker
ID: 12413930
I have "fixup protocol ftp 121" in my config. I don't think a public IP address for his host would be possible.
LVL 15

Accepted Solution

by: Frabble (earned 150 total points)
ID: 12416280
First, the data port will not be 120; you shouldn't need to do anything special for this.

Second, while you may have fixed your end to handle the non-standard FTP port, the client end hasn't, which is why their PORT command is passing its internal address. If they can't use a public address as someone else suggested, they need to configure their firewall/router to also allow FTP to use the control port you're using.

Otherwise, there's nothing wrong with port 21.
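As an added illustration (not code from the original thread), a small Python parser for PIX syslog lines of the kind quoted in the question: it picks out each %PIX-4-406002 event, checks whether the address carried in the client's PORT command is a private (RFC 1918) address, which is the "client NAT did not rewrite the command" case the accepted answer describes, and counts the follow-on %PIX-6-106015 denies for the same client/server pair. The sample lines are constructed from the question's log with made-up documentation addresses standing in for CLIENT and SERVER.

```python
import ipaddress
import re

# Constructed sample: the PIX syslog lines from the question, with the CLIENT and
# SERVER placeholders replaced by documentation addresses (an assumption, not real hosts).
SAMPLE_LOG = """\
Oct 25 2004 12:26:45: %PIX-6-302013: Built inbound TCP connection 31023938 for outside:203.0.113.10/1244 (203.0.113.10/1244) to inside:198.51.100.5/121 (198.51.100.5/121)
Oct 25 2004 12:26:46: %PIX-4-406002: FTP port command different address: 203.0.113.10(192.168.0.1) to 198.51.100.5 on interface outside
Oct 25 2004 12:26:46: %PIX-6-302014: Teardown TCP connection 31023938 for outside:203.0.113.10/1244 to inside:198.51.100.5/121 duration 0:00:01 bytes 288 Deny
Oct 25 2004 12:26:47: %PIX-6-106015: Deny TCP (no connection) from 198.51.100.5/121 to 203.0.113.10/1244 flags PSH ACK  on interface inside
Oct 25 2004 12:26:47: %PIX-6-106015: Deny TCP (no connection) from 203.0.113.10/1244 to 198.51.100.5/121 flags PSH ACK  on interface outside
Oct 25 2004 12:26:50: %PIX-6-106015: Deny TCP (no connection) from 203.0.113.10/1244 to 198.51.100.5/121 flags PSH ACK  on interface outside
"""

# PIX syslog envelope: timestamp, severity digit, six-digit message id, message body.
PIX_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
# Body of 406002: outer source address, then the address the PORT command carried, in parentheses.
PORT_RE = re.compile(r"FTP port command different address: (?P<src>[\d.]+)\((?P<claimed>[\d.]+)\) to (?P<dst>[\d.]+) on interface (?P<iface>\w+)")
# Body of 106015: the out-of-state segments seen after the control connection was torn down.
DENY_RE = re.compile(r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+")

def parse_pix(line):
    m = PIX_RE.match(line)
    return m.groupdict() if m else None

def diagnose_active_ftp(log_text):
    """One finding per 406002 event, with the number of later 106015 denies for the same pair."""
    events = [e for e in map(parse_pix, log_text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != "406002":
            continue
        pm = PORT_RE.search(ev["body"])
        if not pm:
            continue
        pair = {pm["src"], pm["dst"]}
        denies = 0
        for later in events[i + 1:]:
            d = DENY_RE.search(later["body"]) if later["id"] == "106015" else None
            if d and {d["src"], d["dst"]} == pair:
                denies += 1
        claimed = ipaddress.ip_address(pm["claimed"])
        findings.append({
            "time": ev["ts"], "client": pm["src"], "port_cmd_addr": pm["claimed"],
            "private_addr": claimed.is_private, "followup_denies": denies,
            # A private address in PORT means the client-side NAT device left the command
            # unrewritten (no FTP inspection on that control port); a different public
            # address is the mismatch the PIX message was designed to catch.
            "cause": ("client NAT did not rewrite PORT for this control port"
                      if claimed.is_private else "PORT address differs from source address"),
        })
    return findings
```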