Solved

Cisco Pix blocking FTP traffic

Posted on 2004-10-26
3,972 Views
Last Modified: 2013-11-29
We have a Windows 2000 server running the ftp server behind a cisco pix firewall. The ftp service is configured for port 121. I have opened ports 120 (ftp data) and 121 through the firewall. My client is still unable to ftp to my server. I checked my system log messages and here is what I found (client = client ip address, server = our server ip address).

Oct 25 2004 12:26:45: %PIX-6-302013: Built inbound TCP connection 31023938 for outside:CLIENT/1244 (CLIENT/1244) to inside:SERVER/121 (SERVER/121)
Oct 25 2004 12:26:46: %PIX-4-406002: FTP port command different address: CLIENT(192.168.0.1) to SERVER on interface outside
Oct 25 2004 12:26:46: %PIX-6-302014: Teardown TCP connection 31023938 for outside:CLIENT/1244 to inside:SERVER/121 duration 0:00:01 bytes 288 Deny
Oct 25 2004 12:26:47: %PIX-6-106015: Deny TCP (no connection) from SERVER/121 to CLIENT/1244 flags PSH ACK  on interface inside
Oct 25 2004 12:26:47: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:26:50: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:26:55: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:27:06: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:27:26: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside

This ftp attempt was made by the client using WS_FTP behind a router running NAT. His client ip address (not the router) is 192.168.0.1. Anybody know what configuration I can change to fix this? Apparently the firewall has mistaken a nat client for a spoofed connection.
Question by:periker
    5 Comments
     

    Author Comment

    by:periker
    One other note. The client is able to connect in passive mode but not active mode. They need active mode to work in order to ftp via a batch file using microsoft's ftp.
     
    LVL 4

    Expert Comment

    by:thribhu
    I doubt this problem may occur due to double NATing at your end and the client end; anyhow, ask him to get connected using a public IP from his end.
     
    LVL 5

    Expert Comment

    by:epylko
    You might want to try "fixup protocol ftp 121" (I think the syntax is correct) so the PIX knows to fix FTP traffic that is running on a non-standard port.

    -Eric
     

    Author Comment

    by:periker
    I have "fixup protocol ftp 121" in my config. I don't think a public IP address for his host would be possible.
     
    LVL 15

    Accepted Solution

    by:
    First, the data port will not be 120; you shouldn't need to do anything special for this.

    Second, while you may have fixed your end to handle the non-standard FTP port, the client end hasn't, which is why their PORT command is passing its internal address. If they can't use a public address as someone else suggested, they need to configure their firewall/router to also allow FTP to use the control port you're using.

    Otherwise, nothing wrong with port 21.



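The check the PIX applies in the %PIX-4-406002 message above, as an added example that is not part of the original thread: it decodes an RFC 959 PORT command, compares the advertised address with the control connection's source (the mismatch the client's NAT router left unfixed), and scans PIX syslog text for 406002 events. The log sample is constructed from the question's lines with the CLIENT/SERVER placeholders replaced by documentation addresses; the PORT line is a hypothetical one carrying the client's private 192.168.0.1.

```python
import re
from ipaddress import ip_address

# Constructed sample: the question's syslog lines with CLIENT/SERVER replaced by
# RFC 5737 documentation addresses (assumption, not real hosts).
PIX_LOG = """\
Oct 25 2004 12:26:45: %PIX-6-302013: Built inbound TCP connection 31023938 for outside:203.0.113.10/1244 (203.0.113.10/1244) to inside:198.51.100.5/121 (198.51.100.5/121)
Oct 25 2004 12:26:46: %PIX-4-406002: FTP port command different address: 203.0.113.10(192.168.0.1) to 198.51.100.5 on interface outside
Oct 25 2004 12:26:46: %PIX-6-302014: Teardown TCP connection 31023938 for outside:203.0.113.10/1244 to inside:198.51.100.5/121 duration 0:00:01 bytes 288 Deny
"""

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port_command(line):
    """Decode an RFC 959 'PORT h1,h2,h3,h4,p1,p2' command into (address, port)."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def port_command_mismatch(port_line, control_src_ip):
    """Mirror the fixup check: the address in PORT must equal the control
    connection's source. Returns a reason string, or None when consistent."""
    addr, _ = parse_port_command(port_line)
    if addr == control_src_ip:
        return None
    kind = "private" if ip_address(addr).is_private else "foreign"
    return f"PORT carries {kind} address {addr}, control connection came from {control_src_ip}"


MSG_406002 = re.compile(
    r"%PIX-4-406002: FTP port command different address: "
    r"(?P<src>[\d.]+)\((?P<claimed>[\d.]+)\) to (?P<dst>[\d.]+)"
)


def find_port_mismatches(log_text):
    """Return (source, address claimed in PORT, destination) for every 406002 event."""
    return [(m["src"], m["claimed"], m["dst"]) for m in MSG_406002.finditer(log_text)]


if __name__ == "__main__":
    # Hypothetical PORT command as the NATed client would send it unrewritten.
    print(port_command_mismatch("PORT 192,168,0,1,4,215", "203.0.113.10"))
    print(find_port_mismatches(PIX_LOG))
```

A 406002 event whose claimed address is RFC 1918 space points at an unrewritten PORT command on the client side, not at spoofing.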