Solved

Cisco PIX in front of passive FTP server not handling connections as expected.

Posted on 2006-11-28
834 Views
Last Modified: 2013-11-16
Hi Everyone,

I've got an issue with a Cisco PIX 520 6.3(4) and a windows 2003 FTP server.

Breaks down like this.

From what I read, I thought all that was needed was the following;

"fixup protocol ftp 21"

Static mapping;

"static (inside,outside) tcp 100.100.100.10 ftp 10.0.0.190 ftp netmask 255.255.255.255 0 0"

Access list entry;

"access-list outside_access_in line 1 permit tcp any host 100.100.100.10 eq ftp"

As I understand I don't need to open up any other port or port ranges as the fixup ftp 21 should handle the ftp session?


I have Syslog logging everything from the PIX and debugging on the pix for:

debug access-list all
debug fixup tcp

I also have a basic packet sniffer on my FTP Server.


When I connect from a web browser (ie.6) outside this network the connection appears to hang.

ftp://100.100.100.10

The access list hitcnt shows that the PIX has passed the incoming request to FTP server and the syslog shows that it has built the incoming connection;

%PIX-6-305012: Teardown static TCP translation from inside:10.0.0.190/21 to outside:100.100.100.10/21 duration 0:02:07
%PIX-6-302014: Teardown TCP connection 31 for outside:200.200.200.20/1085 to inside:10.0.0.190/21 duration 0:02:01 bytes 0 SYN Timeout
%PIX-6-302013: Built inbound TCP connection 31 for outside:200.200.200.20/1085 (200.200.200.20/1085) to inside:10.0.0.190/21 (100.100.100.10/21)
%PIX-6-305011: Built static TCP translation from inside:10.0.0.190/21 to outside:100.100.100.10/21


The sniffer shows that the FTP server has received the request and is trying to pass info back to 200.200.200.20.


IP Src           IP Dest          Port Src   Port Dest
200.200.200.20   10.0.0.190       1085       21
10.0.0.190       200.200.200.20   21         1085
200.200.200.20   10.0.0.190       1085       21
10.0.0.190       200.200.200.20   21         1085
200.200.200.20   10.0.0.190       1085       21
200.200.200.20   10.0.0.190       1085       21
10.0.0.190       200.200.200.20   21         1085
200.200.200.20   10.0.0.190       1085       21
200.200.200.20   10.0.0.190       1085       21


The debug on the pix shows this;

tcpseq: rexmit packet seq=552032555, snd_next=552032556, window (552032556-552098091)
ftp: (10.0.0.190/21 <- 200.200.200.20/1085)
        ftp: empty ack packet


Any help is much appreciated..

Cheers,

HT


The pix conf is below with owner details removed etc;

PIX Version 6.3(4)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 100.100.100.10 eq ftp
pager lines 24
logging on
logging trap informational
logging host inside 10.0.0.199
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 100.100.100.15 255.255.255.240
ip address inside 10.0.0.200 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 100.100.100.10 ftp 10.0.0.190 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
console timeout 0
terminal width 80
Question by:Hightower_8
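The four syslog lines quoted in the question already contain the diagnosis: connection 31 was built inbound, then torn down with 0 bytes by "SYN Timeout", meaning the PIX forwarded the client's SYN but never saw the handshake complete. The following script is an added example, not code from the thread or from Cisco: it parses the %PIX-6-302013 / %PIX-6-302014 message pair, joins build and teardown by connection id (the viewer lists them newest first, so order cannot be relied on), and flags connections that died this way. The log text is the constructed sample embedded at the top, copied from the question.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four syslog lines quoted in the question,
# in the newest-first order the syslog viewer listed them.
SAMPLE_LOG = """\
%PIX-6-305012: Teardown static TCP translation from inside:10.0.0.190/21 to outside:100.100.100.10/21 duration 0:02:07
%PIX-6-302014: Teardown TCP connection 31 for outside:200.200.200.20/1085 to inside:10.0.0.190/21 duration 0:02:01 bytes 0 SYN Timeout
%PIX-6-302013: Built inbound TCP connection 31 for outside:200.200.200.20/1085 (200.200.200.20/1085) to inside:10.0.0.190/21 (100.100.100.10/21)
%PIX-6-305011: Built static TCP translation from inside:10.0.0.190/21 to outside:100.100.100.10/21
"""

# 302013: Built <dir> TCP connection <id> for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
BUILT_RE = re.compile(
    r"%PIX-\d-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped>[\d.]+)/(?P<mport>\d+)\)"
)
# 302014: Teardown TCP connection <id> for ... to ... duration h:mm:ss bytes <n> [<reason>]
TEARDOWN_RE = re.compile(
    r"%PIX-\d-302014: Teardown TCP connection (?P<id>\d+) for \w+:[\d.]+/\d+ to \w+:[\d.]+/\d+ "
    r"duration (?P<dur>\d+:\d+:\d+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?"
)


@dataclass
class Conn:
    conn_id: int
    direction: str
    client: str          # peer on the source interface (here the outside host)
    client_port: int
    server: str          # real address the PIX delivered the connection to
    server_port: int
    mapped: str          # public address the client actually connected to
    duration_s: Optional[int] = None
    bytes: Optional[int] = None
    reason: Optional[str] = None


def duration_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_pix_log(text: str) -> Dict[int, Conn]:
    """Pair 302013 (Built) with 302014 (Teardown) messages by connection id."""
    lines = text.splitlines()
    conns: Dict[int, Conn] = {}
    for line in lines:                       # first pass: builds
        m = BUILT_RE.search(line)
        if m:
            cid = int(m.group("id"))
            conns[cid] = Conn(cid, m.group("dir"), m.group("src"), int(m.group("sport")),
                              m.group("dst"), int(m.group("dport")), m.group("mapped"))
    for line in lines:                       # second pass: teardowns, whatever the viewer order
        m = TEARDOWN_RE.search(line)
        if m and int(m.group("id")) in conns:
            c = conns[int(m.group("id"))]
            c.duration_s = duration_seconds(m.group("dur"))
            c.bytes = int(m.group("bytes"))
            c.reason = m.group("reason")
    return conns


def diagnose(conns: Dict[int, Conn]) -> List[str]:
    """Flag connections the PIX built but that never completed a three-way handshake."""
    findings = []
    for c in sorted(conns.values(), key=lambda c: c.conn_id):
        if c.reason == "SYN Timeout" and c.bytes == 0:
            findings.append(
                f"conn {c.conn_id}: SYN from {c.client}/{c.client_port} to {c.mapped}/{c.server_port} "
                f"was forwarded to {c.server}, but no handshake completed in {c.duration_s}s "
                f"(0 bytes, {c.reason}); check that the server's replies reach the PIX and "
                f"leave through the same translation the client used"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_pix_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it reports one finding for connection 31; pointing it at a longer export from the syslog host (10.0.0.199 in the config) shows whether every inbound FTP attempt dies the same way or only some of them.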
LVL 20

Expert Comment

by:calvinetter
ID: 18033459
Seems your static NAT entry is killing it.  You're only doing port-forwarding on TCP port 21, so any other traffic from the internal server would be getting NAT'd to the PIX outside interface IP, & since this is a different IP, the process is fubar.
  Since I see no other static NAT entries using 100.100.100.10, do this instead:
clear local
clear xlate
no static (inside,outside) tcp 100.100.100.10 ftp 10.0.0.190 ftp
static (inside,outside) 100.100.100.10 10.0.0.190
clear xlate

The new static NAT entry ensures all traffic from the .190 server is coming from 100.100.100.10, regardless of source port or protocol.

cheers
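The point calvinetter makes above is that a port-only static covers exactly one protocol/port, so anything else the server sends falls through to the dynamic nat/global pair and leaves from the PIX outside interface address instead of 100.100.100.10. The script below is an added example, not the expert's code or Cisco's: it models that lookup order (port static, then one-to-one static, then interface PAT, a simplification of PIX 6.3 behaviour) over the two configurations from this thread and shows which public IP the server's control port and a passive data port would be seen from. The data port 1025 and the SERVICE_PORTS table are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names PIX 6.3 accepts in place of port numbers (subset, assumed for this example).
SERVICE_PORTS = {"ftp": 21, "ftp-data": 20, "telnet": 23, "smtp": 25, "www": 80, "http": 80, "https": 443}


def to_port(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


@dataclass
class Static:
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None        # None: one-to-one static, every port and protocol
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


@dataclass
class PixNat:
    statics: List[Static]
    outside_ip: Optional[str]          # address that "global (outside) 1 interface" hands out
    interface_pat: bool                # model assumes the matching nat line covers all inside hosts


# static (inside,outside) tcp <mapped_ip> <mapped_port> <real_ip> <real_port> ...
STATIC_PORT_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# static (inside,outside) <mapped_ip> <real_ip> ...
STATIC_RE = re.compile(r"^static \(inside,outside\) ([\d.]+) ([\d.]+)")
OUTSIDE_IP_RE = re.compile(r"^ip address outside ([\d.]+)")
GLOBAL_IFACE_RE = re.compile(r"^global \(outside\) \d+ interface$")


def parse_pix(config: str) -> PixNat:
    statics: List[Static] = []
    outside_ip, pat = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_PORT_RE.match(line):
            proto, mip, mport, rip, rport = m.groups()
            statics.append(Static(rip, mip, proto, to_port(rport), to_port(mport)))
        elif m := STATIC_RE.match(line):
            statics.append(Static(real_ip=m.group(2), mapped_ip=m.group(1)))
        elif m := OUTSIDE_IP_RE.match(line):
            outside_ip = m.group(1)
        elif GLOBAL_IFACE_RE.match(line):
            pat = True
    return PixNat(statics, outside_ip, pat)


def translate(cfg: PixNat, real_ip: str, proto: str, real_port: int) -> Tuple[str, Optional[int], str]:
    """Public (ip, port, rule) that traffic from real_ip/real_port is seen as outside.

    Simplified order: port statics, then one-to-one statics, then the dynamic
    nat/global pool, where the PIX picks the PAT port itself (reported as None).
    """
    for s in cfg.statics:
        if s.proto == proto and s.real_ip == real_ip and s.real_port == real_port:
            return s.mapped_ip, s.mapped_port, "static port-forward"
    for s in cfg.statics:
        if s.proto is None and s.real_ip == real_ip:
            return s.mapped_ip, real_port, "static one-to-one"
    if cfg.interface_pat and cfg.outside_ip:
        return cfg.outside_ip, None, "dynamic PAT to outside interface"
    raise LookupError(f"no translation for {real_ip}")


def same_public_ip(cfg: PixNat, real_ip: str, control_port: int, data_port: int) -> bool:
    """True when the control channel and a data-channel port share one public IP."""
    return translate(cfg, real_ip, "tcp", control_port)[0] == translate(cfg, real_ip, "tcp", data_port)[0]


# The relevant lines of the question's config (port static) and of the expert's fix (one-to-one static).
BEFORE = """
ip address outside 100.100.100.15 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 100.100.100.10 ftp 10.0.0.190 ftp netmask 255.255.255.255 0 0
"""
AFTER = """
ip address outside 100.100.100.15 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 100.100.100.10 10.0.0.190
"""
PASV_DATA_PORT = 1025   # constructed: a port the server might announce in a 227 reply

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        cfg = parse_pix(text)
        for p in (21, PASV_DATA_PORT):
            print(name, p, translate(cfg, "10.0.0.190", "tcp", p))
        print(name, "control and data share a public IP:", same_public_ip(cfg, "10.0.0.190", 21, PASV_DATA_PORT))
```

With the "before" config the control port maps to 100.100.100.10 but the data port falls through to 100.100.100.15, which is the mismatch the expert describes; with the one-to-one static both leave from 100.100.100.10. The same_public_ip check is a quick sanity test to run on any PIX/ASA config that fronts a passive FTP server with a port-only static.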

Author Comment

by:Hightower_8
ID: 18100214
Hi Calvinetter,

Yes this did indeed work and sorry for the delay in getting back to you. However the issue I have is that I got this working on a test pix on a test network that I have in the office, running the same software version and exact same config as my live pix.

The really annoying thing is that it just doesn't work on my live PIX.

I have troubleshot everything I can think of and I can't understand why. There is nothing special about the connection, a standard DSL line, a router that passes everything through to the PIX and FTP works for clients inside downloading from websites outside of our network.

The weird thing is I have even tried a telnet session on port 21 from the outside and it just doesn't seem to register on the PIX at all, no hitcnt on the access list and no mention of building any FTP sessions...

I'm down to the lowest form of troubleshooting now... rebooting the PIX and Router out of hours tomorrow.. :(

You've got the points but before you go... any thread of advice or things to look for or try would be useful for tomorrow.

All the best,

HT
LVL 20

Accepted Solution

by:
calvinetter earned 350 total points
ID: 18106439
>Yes this did indeed work...
  Did you change your static NAT entry to the following? -> static (inside,outside) 100.100.100.10 10.0.0.190
  AND did you clear the NAT table?  ->  clear xlate

>I got this working on a test pix on a test network...
  Ok, in that case it doesn't seem to be the config at this point.  That leaves whatever's outside the PIX - your DSL router, etc.   You need to be absolutely sure your router is allowing *all* TCP traffic (all TCP ports) to the public IP assigned to the FTP server (100.100.100.10 ?) - don't worry, the PIX will filter traffic to this server.

What are the IP ranges/subnet masks used on the router? I assume the DSL side has an IP on a different subnet than the 100.100.100.x range used by the PIX outside interface & the IP used in the PIX static NAT entry?

>...even tried a telnet session on port 21 from the outside...no hitcnt on the access list...
   Check the router - it's most likely the culprit blocking traffic to your server.  If still having problems & IF this is a Cisco router, please post the router's complete but sanitized config (passwords removed, public IPs masked like so: x.x.23.1, all subnet masks left intact).

cheers

Author Comment

by:Hightower_8
ID: 18107921
Hi Calvinetter,

It was the router... (I just knew it couldn't be the PIX)

It was inherited and after waiting ages to get the password, I reset it and setup the config myself.  It was letting everything through except FTP!!

Thanks a lot for your logical replies.. it kept me sane  :)

Cheers,

HT  
LVL 20

Expert Comment

by:calvinetter
ID: 18111003
Glad it worked out.  You're welcome!