Cisco PIX in front of passive FTP server not handling connections as expected.

Hi Everyone,

I've got an issue with a Cisco PIX 520 6.3(4) and a windows 2003 FTP server.

Breaks down like this.

From what I read, I thought all that was needed was the following;

"fixup protocol ftp 21"

Static mapping;

"static (inside,outside) tcp ftp ftp netmask 0 0"

Access list entry;

"access-list outside_access_in line 1 permit tcp any host eq ftp"

As I understand it, I don't need to open up any other ports or port ranges, as the fixup ftp 21 should handle the FTP session?

I have syslog logging everything from the PIX and debugging on the PIX for:

debug access-list all
debug fixup tcp

I also have a basic packet sniffer on my FTP Server.

When I connect from a web browser (IE 6) outside this network, the connection appears to hang.

The access list hitcnt shows that the PIX has passed the incoming request to the FTP server, and the syslog shows that it has built the incoming connection;

%PIX-6-305012: Teardown static TCP translation from inside: to outside: duration 0:02:07
%PIX-6-302014: Teardown TCP connection 31 for outside: to inside: duration 0:02:01 bytes 0 SYN Timeout
%PIX-6-302013: Built inbound TCP connection 31 for outside: ( to inside: (
%PIX-6-305011: Built static TCP translation from inside: to outside:

The sniffer shows that the FTP server has received the request and is trying to pass info back to

IP Src    IP Dest    Port Src    Port Dest
                     1085        21
                     21          1085
                     1085        21
                     21          1085
                     1085        21
                     21          1085
                     1085        21
                     1085        21
                     21          1085
                     1085        21
                     1085        21

The debug on the PIX shows this;

tcpseq: rexmit packet seq=552032555, snd_next=552032556, window (552032556-552098091)
ftp: ( <-
        ftp: empty ack packet

Any help is much appreciated.



The PIX config is below, with owner details removed etc.;

PIX Version 6.3(4)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_access_in permit tcp any host eq ftp
pager lines 24
logging on
logging trap informational
logging host inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside
ip address inside
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp ftp ftp netmask 0 0
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
console timeout 0
terminal width 80
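As an added example (not part of the original post), a small Python triage script for the 302013/302014 syslog pairs quoted above: it pairs Built/Teardown records by connection id and picks out the half-open sessions to the FTP control port, which is exactly the "bytes 0 SYN Timeout" pattern in the post. The sample log lines and all addresses are constructed placeholders, since the post's own addresses were stripped.

```python
import re

# Constructed sample lines in the PIX 6.3 302013/302014 format, in the same
# newest-first order as the post's syslog excerpt. Addresses are placeholders.
SAMPLE_LOG = """\
%PIX-6-302014: Teardown TCP connection 31 for outside:203.0.113.7/1085 to inside:192.0.2.190/21 duration 0:02:01 bytes 0 SYN Timeout
%PIX-6-302013: Built inbound TCP connection 31 for outside:203.0.113.7/1085 (203.0.113.7/1085) to inside:192.0.2.190/21 (198.51.100.190/21)
%PIX-6-302014: Teardown TCP connection 32 for outside:203.0.113.9/40112 to inside:192.0.2.190/21 duration 0:00:15 bytes 1342 TCP FINs
%PIX-6-302013: Built inbound TCP connection 32 for outside:203.0.113.9/40112 (203.0.113.9/40112) to inside:192.0.2.190/21 (198.51.100.190/21)
"""

BUILT = re.compile(r"%PIX-6-302013: Built inbound TCP connection (\d+) for "
                   r"\w+:(\S+) \(\S+\) to \w+:(\S+) \(\S+\)")
TEARDOWN = re.compile(r"%PIX-6-302014: Teardown TCP connection (\d+) for "
                      r"\w+:\S+ to \w+:(\S+) duration (\S+) bytes (\d+) (.*)")


def triage(log_text):
    """Collect one record per connection id from Built and Teardown lines.
    Lines may arrive in any order (the post's excerpt is newest-first), so
    both branches merge into the same record instead of overwriting it."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, src, dst = m.groups()
            conns.setdefault(cid, {}).update(src=src, dst=dst)
            continue
        m = TEARDOWN.search(line)
        if m:
            cid, dst, duration, nbytes, reason = m.groups()
            conns.setdefault(cid, {}).update(
                dst=dst, duration=duration, bytes=int(nbytes), reason=reason)
    return conns


def handshake_failures(conns, port="21"):
    """Connection ids to the given destination port torn down with 0 bytes
    and 'SYN Timeout': the PIX forwarded the client's SYN inbound, but no
    SYN-ACK from the server ever came back through it."""
    return sorted(cid for cid, r in conns.items()
                  if r.get("dst", "").endswith("/" + port)
                  and r.get("bytes") == 0 and r.get("reason") == "SYN Timeout")


if __name__ == "__main__":
    print(handshake_failures(triage(SAMPLE_LOG)))  # ['31']
```

Connection 32 in the sample is a normal session closed with FINs and is not reported; only the half-open control connection is.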
calvinetter Commented:
>Yes this did indeed work...
  Did you change your static NAT entry to the following? -> static (inside,outside)
  AND did you clear the NAT table?  ->  clear xlate

>I got this working on a test pix on a test network...
  Ok, in that case it doesn't seem to be the config at this point.  That leaves whatever's outside the PIX - your DSL router, etc.   You need to be absolutely sure your router is allowing *all* TCP traffic (all TCP ports) to the public IP assigned to the FTP server ( ?) - don't worry, the PIX will filter traffic to this server.

What are the IP ranges/subnet masks used on the router? I assume the DSL side has an IP on a different subnet than the 100.100.100.x range used by the PIX outside interface & the IP used in the PIX static NAT entry?

>...even tried a telnet session on port 21 from the hitcnt on the access list...
   Check the router - it's most likely the culprit blocking traffic to your server.  If still having problems & IF this is a Cisco router, please post the router's complete but sanitized config (passwords removed, public IPs masked like so: x.x.23.1, all subnet masks left intact).

Seems your static NAT entry is killing it.  You're only doing port-forwarding on TCP port 21, so any other traffic from the internal server would be getting NAT'd to the PIX outside interface IP, & since this is a different IP, the process is fubar.
  Since I see no other static NAT entries using, do this instead:
clear local
clear xlate
no static (inside,outside) tcp ftp ftp
static (inside,outside)
clear xlate

The new static NAT entry ensures all traffic from the .190 server is coming from, regardless of source port or protocol.

Hightower_8 (Author) Commented:
Hi Calvinetter,

Yes, this did indeed work, and sorry for the delay in getting back to you. However, the issue I have is that I got this working on a test PIX on a test network that I have in the office, running the same software version and exact same config as my live PIX.

The really annoying thing is that it just doesn't work on my live PIX.

I have troubleshot all I can think of and I can't understand why. There is nothing special about the connection: a standard DSL line, a router that passes everything through to the PIX, and FTP works for clients inside downloading from websites outside of our network.

The weird thing is I have even tried a telnet session on port 21 from the outside and it just doesn't seem to register on the PIX at all, no hitcnt on the access list and no mention of building any FTP sessions...

I'm down to the lowest form of troubleshooting now... rebooting the PIX and router out of hours tomorrow.. :(

You've got the points, but before you go... any thread of advice or things to look for or try would be useful for tomorrow.

All the best,

Hightower_8 (Author) Commented:
Hi Calvinetter,

It was the router... (I just knew it couldn't be the PIX)

It was inherited and, after waiting ages to get the password, I reset it and set up the config myself. It was letting everything through except FTP!!

Thanks a lot for your logical replies.. it kept me sane :)


Glad it worked out.  You're welcome!
Question has a verified solution.