Pix Firewall issues

Posted on 2006-05-31
Last Modified: 2013-11-16
I'm having issues with a PIX 501 firewall.  First trouble was trying to figure out why an FTP service is not accessible on a Windows Server 2003 machine with no firewall (because RRAS is enabled).  The same FTP service runs fine on a separate Win XP machine with the Windows Firewall enabled and TCP port 21 allowed.

I have fixup enabled for ftp.

3 public IPs - one pix and two machines behind pix.

Another strange thing that I noticed is the following:

Locally, when I telnet to 25 - I get the following response:
220 Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Wed, 31 May 2006 11:06:15 -0400

Remotely, when I telnet to the public IP that is forwarded to for TCP port 25, I get:
220 ****************************

I do receive mail, but that isn't normal is it?

Question by:wynbryant

    Author Comment

    current running config:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list acl_out permit tcp any host eq www
    access-list acl_out permit tcp any host eq https
    access-list acl_out permit tcp any host eq pptp
    access-list acl_out permit udp any host eq isakmp
    access-list acl_out permit gre any host
    access-list acl_out permit tcp any host eq smtp
    access-list acl_out permit tcp any host eq ftp
    access-list acl_out permit tcp any host eq 3389
    access-list acl_out permit tcp any host eq 3389
    access-list acl_out permit tcp any host eq ftp
    access-list acl_out permit tcp any host eq ftp-data
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location inside
    pdm location outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0 0
    static (inside,outside) netmask 0 0
    static (inside,outside) netmask 0 0
    access-group acl_out in interface outside
    route outside 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-pptp
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end

    Accepted Solution

    Easy ones first:

    >fixup protocol smtp 25
    This is what is causing the anomaly when you try to telnet to port 25 from outside. It is a security "feature"
    You have to disable this fixup if you enable anti-relay features of Exchange

     no fixup protocol smtp 25

    >access-list acl_out permit tcp any host eq ftp
             <== missing ftp-data
    >access-list acl_out permit tcp any host eq ftp
    >access-list acl_out permit tcp any host eq ftp-data

    For one of the servers you have both ftp and ftp-data allowed, for the other one you only have ftp allowed. Suggest adding another line:
        access-list acl_out permit tcp any host eq ftp-data
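    The two findings in the accepted solution can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not code from the poster, the expert, or Cisco. It parses a PIX 6.x style running config, reports whether `fixup protocol smtp 25` (Mailguard) is active, lists any host that is permitted `ftp` but not `ftp-data` in a `permit tcp any host ... eq ...` line, and recognises the asterisk banner the poster saw from outside. The sample config and the 192.0.2.x addresses are constructed for the example, since the real addresses were removed from the posted config.

```python
"""Audit helpers for the PIX 6.x issues discussed in this thread.

Added example, not the poster's or Cisco's code.  The SAMPLE_CONFIG and
the 192.0.2.x addresses below are constructed for illustration.
"""
import re

# Constructed sample: two public hosts behind the PIX, one of them
# missing the ftp-data permit, and the SMTP fixup left at its default.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
fixup protocol ftp 21
fixup protocol smtp 25
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-list acl_out permit tcp any host 192.0.2.10 eq smtp
access-list acl_out permit tcp any host 192.0.2.10 eq ftp
access-list acl_out permit tcp any host 192.0.2.11 eq ftp
access-list acl_out permit tcp any host 192.0.2.11 eq ftp-data
access-group acl_out in interface outside
"""

# Only the simple single-host, single-port form used in the posted config.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+tcp\s+any\s+host\s+"
    r"(?P<host>\S+)\s+eq\s+(?P<port>\S+)$"
)


def parse_tcp_permits(config):
    """Return {acl_name: {host: set(port_names)}} for 'permit tcp any host X eq P' lines."""
    acls = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            acls.setdefault(m["name"], {}).setdefault(m["host"], set()).add(m["port"])
    return acls


def smtp_fixup_enabled(config):
    """True if 'fixup protocol smtp' appears without a leading 'no'.

    Assumption: the config is a full 'show running-config', which on PIX 6.x
    lists the fixup lines explicitly, so absence is treated as disabled.
    """
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("no fixup protocol smtp"):
            return False
        if line.startswith("fixup protocol smtp"):
            return True
    return False


def ftp_without_ftp_data(acls):
    """Hosts permitted ftp (21) but not ftp-data (20): the mismatch the expert flagged."""
    findings = []
    for name, hosts in acls.items():
        for host, ports in sorted(hosts.items()):
            has_ftp = bool({"ftp", "21"} & ports)
            has_ftp_data = bool({"ftp-data", "20"} & ports)
            if has_ftp and not has_ftp_data:
                findings.append((name, host))
    return findings


def banner_masked_by_mailguard(banner):
    """True for a '220 ****...' greeting, which is what the SMTP fixup shows outside."""
    m = re.match(r"^220\s+(\*+)\s*$", banner.strip())
    return m is not None


def audit(config):
    """Return a list of human-readable findings for the given config text."""
    report = []
    if smtp_fixup_enabled(config):
        report.append(
            "fixup protocol smtp 25 is enabled: outside SMTP clients see a masked "
            "'220 ****' banner; disable with 'no fixup protocol smtp 25' if the "
            "mail server's ESMTP/anti-relay features are needed"
        )
    for name, host in ftp_without_ftp_data(parse_tcp_permits(config)):
        report.append(
            f"{name}: host {host} permits ftp but not ftp-data; consider "
            f"'access-list {name} permit tcp any host {host} eq ftp-data'"
        )
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("masked banner:", banner_masked_by_mailguard("220 ****************************"))
```

    Run it against a saved `show running-config`; on the constructed sample it reports both the active SMTP fixup and the host that has `ftp` but no `ftp-data` line, which is exactly the pair of points raised in the accepted solution.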

    Author Comment

    no fixup smtp was right on.

    The issue with FTP was actually resolved by using a different application.  I found some documentation about Cerberus FTP not handling PASV port ranges appropriately.
