Cisco Pix blocking FTP traffic

We have a Windows 2000 server running the FTP server behind a Cisco PIX firewall. The FTP service is configured for port 121. I have opened ports 120 (FTP data) and 121 through the firewall. My client is still unable to FTP to my server. I checked my system log messages and here is what I found (CLIENT = client IP address, SERVER = our server IP address).

Oct 25 2004 12:26:45: %PIX-6-302013: Built inbound TCP connection 31023938 for outside:CLIENT/1244 (CLIENT/1244) to inside:SERVER/121 (SERVER/121)
Oct 25 2004 12:26:46: %PIX-4-406002: FTP port command different address: CLIENT(192.168.0.1) to SERVER on interface outside
Oct 25 2004 12:26:46: %PIX-6-302014: Teardown TCP connection 31023938 for outside:CLIENT/1244 to inside:SERVER/121 duration 0:00:01 bytes 288 Deny
Oct 25 2004 12:26:47: %PIX-6-106015: Deny TCP (no connection) from SERVER/121 to CLIENT/1244 flags PSH ACK  on interface inside
Oct 25 2004 12:26:47: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:26:50: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:26:55: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:27:06: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside
Oct 25 2004 12:27:26: %PIX-6-106015: Deny TCP (no connection) from CLIENT/1244 to SERVER/121 flags PSH ACK  on interface outside

This FTP attempt was made by the client using WS_FTP behind a router running NAT. His client IP address (not the router's) is 192.168.0.1. Does anybody know what configuration I can change to fix this? Apparently the firewall has mistaken a NAT client for a spoofed connection.
periker Asked:
Frabble Commented:
First, the data port will not be 120, you shouldn't need to do anything special for this.

Second, while you may have fixed your end to handle the non-standard FTP port, the client end hasn't, which is why their PORT command is passing its internal address. If they can't use a public address as someone else suggested, they need to configure their firewall/router to also allow FTP to use the control port you're using.

Otherwise, nothing wrong with port 21.


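The behaviour in the log lines above is the FTP inspection comparing the address inside the client's PORT command with the source address of the control connection. The following Python is an added example, not code from the thread or from Cisco: it models that check, shows how a 406002 event is spotted in PIX syslog, and builds the PORT command a NAT-aware client (or a router's FTP ALG) would have to send instead. The public address 203.0.113.10 and the data port 1250 are assumptions chosen for illustration; the log sample is the thread's own line with the placeholders it uses.

```python
import re
from ipaddress import IPv4Address

# Added example, not from the original thread. The 203.0.113.0/24 address is an
# RFC 5737 documentation range used here as an assumed public client address.

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PIX_406002_RE = re.compile(
    r"%PIX-4-406002: FTP port command different address: "
    r"(?P<src>\S+)\((?P<port_ip>[\d.]+)\) to (?P<dst>\S+) on interface (?P<iface>\S+)"
)


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, port).
    Returns None for any other FTP command (PASV, USER, ...)."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % line)
    ip = IPv4Address(".".join(str(o) for o in octets[:4]))
    return ip, octets[4] * 256 + octets[5]


def build_port_command(ip, port):
    """Encode the PORT argument the way a client behind NAT needs it sent:
    the public address, and the data port split into high and low bytes."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    octets = str(IPv4Address(ip)).split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def inspect_port_command(control_src_ip, line):
    """Model of what the firewall's FTP fixup does with one control-channel
    line: the address carried in PORT must equal the source address of the
    control connection. A private address from a client behind NAT fails
    this, which is what the 406002 message followed by the teardown shows."""
    parsed = parse_port_command(line)
    if parsed is None:
        return "pass"  # not a PORT command, nothing to compare
    ip, port = parsed
    if ip != IPv4Address(control_src_ip):
        why = "RFC1918 address, client is behind NAT" if ip.is_private else "address mismatch"
        return "deny: PORT says %s but control connection is from %s (%s)" % (ip, control_src_ip, why)
    return "allow: open data connection to %s:%d" % (ip, port)


def find_port_mismatch_events(log_lines):
    """Pull the 406002 events out of PIX syslog and flag whether the address
    the client put in PORT is private, the tell-tale sign of a PORT command
    that the client's NAT router did not rewrite."""
    events = []
    for line in log_lines:
        m = PIX_406002_RE.search(line)
        if m:
            events.append({
                "src": m.group("src"),
                "port_ip": m.group("port_ip"),
                "dst": m.group("dst"),
                "iface": m.group("iface"),
                "behind_nat": IPv4Address(m.group("port_ip")).is_private,
            })
    return events


# The thread's own log line, with its CLIENT/SERVER placeholders.
SAMPLE_LOG = [
    "Oct 25 2004 12:26:45: %PIX-6-302013: Built inbound TCP connection 31023938 for outside:CLIENT/1244 (CLIENT/1244) to inside:SERVER/121 (SERVER/121)",
    "Oct 25 2004 12:26:46: %PIX-4-406002: FTP port command different address: CLIENT(192.168.0.1) to SERVER on interface outside",
    "Oct 25 2004 12:26:46: %PIX-6-302014: Teardown TCP connection 31023938 for outside:CLIENT/1244 to inside:SERVER/121 duration 0:00:01 bytes 288 Deny",
]

if __name__ == "__main__":
    public_ip = "203.0.113.10"  # assumed public address of the client's NAT router
    # What the NAT client actually sent: its private address.
    print(inspect_port_command(public_ip, "PORT 192,168,0,1,4,226"))
    # What it would have to send for active mode to survive inspection.
    fixed = build_port_command(public_ip, 1250)
    print(fixed, "->", inspect_port_command(public_ip, fixed))
    # Passive mode carries no PORT command, so the check never fires.
    print("PASV ->", inspect_port_command(public_ip, "PASV"))
    for ev in find_port_mismatch_events(SAMPLE_LOG):
        print(ev)
```

Running it with the private address gives the deny verdict with the "behind NAT" reason; the rewritten PORT command is allowed, and PASV passes untouched, which matches the observation later in the thread that passive mode works while active mode does not. `fixup protocol ftp 121` is what makes the PIX apply this inspection on port 121 at all; the client side still has to put a reachable address in PORT.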
 
periker Author Commented:
One other note. The client is able to connect in passive mode but not active mode. They need active mode to work in order to FTP via a batch file using Microsoft's ftp.
 
thribhu Commented:
I suspect this problem may occur due to double NATing at your end and the client's end.
Anyway, ask him to connect using a public IP from his end.
 
epylko Commented:
You might want to try "fixup protocol ftp 121" (I think the syntax is correct) so the PIX knows to fix FTP traffic that is running on a non-standard port.

-Eric
 
periker Author Commented:
I have "fixup protocol ftp 121" in my config. I don't think a public IP address for his host would be possible.