Hightower_8
asked on
Cisco PIX in front of passive FTP server not handling connections as expected.
Hi Everyone,
I've got an issue with a Cisco PIX 520 6.3(4) and a windows 2003 FTP server.
Breaks down like this.
From what I read, I thought all that was needed was the following;
"fixup protocol ftp 21"
Static mapping;
"static (inside,outside) tcp 100.100.100.10 ftp 10.0.0.190 ftp netmask 255.255.255.255 0 0"
Access list entry;
"access-list outside_access_in line 1 permit tcp any host 100.100.100.10 eq ftp"
As I understand I don't need to open up any other port or port ranges as the fixup ftp 21 should handle the ftp session?
I have Syslog logging everying from the PIX and debugging on the pix for:
debug access-list all
debug fixup tcp
I also have a basic packet sniffer on my FTP Server.
When I connect from a web browser (ie.6) outside this network the connection appears to hang.
ftp://100.100.100.10
The access list hitcnt shows that the PIX has passed the incoming request to FTP server and the syslog shows that it has built the incoming connection;
%PIX-6-305012: Teardown static TCP translation from inside:10.0.0.190/21 to outside:100.100.100.10/21 duration 0:02:07
%PIX-6-302014: Teardown TCP connection 31 for outside:200.200.200.20/108
%PIX-6-302013: Built inbound TCP connection 31 for outside:200.200.200.20/108
%PIX-6-305011: Built static TCP translation from inside:10.0.0.190/21 to outside:100.100.100.10/21
The sniffer show that the FTP server has recieved the request and is trying to pass info back to 200.200.200.20.
IP Src IP Dest Port Scr Port Dest
200.200.200.20 10.0.0.190 1085 21
10.0.0.190 200.200.200.20 21 1085
200.200.200.20 10.0.0.190 1085 21
10.0.0.190 200.200.200.20 21 1085
200.200.200.20 10.0.0.190 1085 21
200.200.200.20 10.0.0.190 1085 21
10.0.0.190 200.200.200.20 21 1085
200.200.200.20 10.0.0.190 1085 21
200.200.200.20 10.0.0.190 1085 21
The debug on the pix shows this;
tcpseq: rexmit packet seq=552032555, snd_next=552032556, window (552032556-552098091)
ftp: (10.0.0.190/21 <- 200.200.200.20/1085)
ftp: empty ack packet
Any help is much appreciated..
Cheers,
HT
The pix conf is below with owner details removed etc;
PIX Version 6.3(4)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 100.100.100.10 eq ftp
pager lines 24
logging on
logging trap informational
logging host inside 10.0.0.199
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 100.100.100.15 255.255.255.240
ip address inside 10.0.0.200 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 100.100.100.10 ftp 10.0.0.190 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
console timeout 0
terminal width 80
I've got an issue with a Cisco PIX 520 6.3(4) and a windows 2003 FTP server.
Breaks down like this.
From what I read, I thought all that was needed was the following;
"fixup protocol ftp 21"
Static mapping;
"static (inside,outside) tcp 100.100.100.10 ftp 10.0.0.190 ftp netmask 255.255.255.255 0 0"
Access list entry;
"access-list outside_access_in line 1 permit tcp any host 100.100.100.10 eq ftp"
As I understand I don't need to open up any other port or port ranges as the fixup ftp 21 should handle the ftp session?
I have Syslog logging everying from the PIX and debugging on the pix for:
debug access-list all
debug fixup tcp
I also have a basic packet sniffer on my FTP Server.
When I connect from a web browser (ie.6) outside this network the connection appears to hang.
ftp://100.100.100.10
The access list hitcnt shows that the PIX has passed the incoming request to FTP server and the syslog shows that it has built the incoming connection;
%PIX-6-305012: Teardown static TCP translation from inside:10.0.0.190/21 to outside:100.100.100.10/21 duration 0:02:07
%PIX-6-302014: Teardown TCP connection 31 for outside:200.200.200.20/108
%PIX-6-302013: Built inbound TCP connection 31 for outside:200.200.200.20/108
%PIX-6-305011: Built static TCP translation from inside:10.0.0.190/21 to outside:100.100.100.10/21
The sniffer show that the FTP server has recieved the request and is trying to pass info back to 200.200.200.20.
IP Src IP Dest Port Scr Port Dest
200.200.200.20 10.0.0.190 1085 21
10.0.0.190 200.200.200.20 21 1085
200.200.200.20 10.0.0.190 1085 21
10.0.0.190 200.200.200.20 21 1085
200.200.200.20 10.0.0.190 1085 21
200.200.200.20 10.0.0.190 1085 21
10.0.0.190 200.200.200.20 21 1085
200.200.200.20 10.0.0.190 1085 21
200.200.200.20 10.0.0.190 1085 21
The debug on the pix shows this;
tcpseq: rexmit packet seq=552032555, snd_next=552032556, window (552032556-552098091)
ftp: (10.0.0.190/21 <- 200.200.200.20/1085)
ftp: empty ack packet
Any help is much appreciated..
Cheers,
HT
The pix conf is below with owner details removed etc;
PIX Version 6.3(4)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 100.100.100.10 eq ftp
pager lines 24
logging on
logging trap informational
logging host inside 10.0.0.199
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
ip address outside 100.100.100.15 255.255.255.240
ip address inside 10.0.0.200 255.255.255.0
no ip address intf2
no ip address intf3
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 100.100.100.10 ftp 10.0.0.190 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 100.100.100.30 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
console timeout 0
terminal width 80
ASKER
Hi Calvinetter,
Yes this did indeed work and sorry for the delay in getting back to you. However the issue I have is that I got this working on a test pix on a test network that I have in the office, running the same software version and extact same config as my live pix.
The really annoying thing is that it just doesn't work on my live PIX.
I have troubleshooted all I can think and I can't understand why. There is nothing special about the connection, a standard DSL line, a router that passes everything through to the PIX and FTP works for clients inside downloading from websites outside of our network.
The weird thing is I have even tried a telnet session on port 21 from the outside and it just doesn't seem to register on the PIX at all, no hitcnt on the access list and no mention of building any FTP sessions...
I'm down to the lowest form of troubleshooting now... rebooting the PIX and Router our of hours tomorrow.. :(
You've got the points but before you go... any thread of adivce or things to look for or try would be useful for tomorrow.
All the best,
HT
Yes this did indeed work and sorry for the delay in getting back to you. However the issue I have is that I got this working on a test pix on a test network that I have in the office, running the same software version and extact same config as my live pix.
The really annoying thing is that it just doesn't work on my live PIX.
I have troubleshooted all I can think and I can't understand why. There is nothing special about the connection, a standard DSL line, a router that passes everything through to the PIX and FTP works for clients inside downloading from websites outside of our network.
The weird thing is I have even tried a telnet session on port 21 from the outside and it just doesn't seem to register on the PIX at all, no hitcnt on the access list and no mention of building any FTP sessions...
I'm down to the lowest form of troubleshooting now... rebooting the PIX and Router our of hours tomorrow.. :(
You've got the points but before you go... any thread of adivce or things to look for or try would be useful for tomorrow.
All the best,
HT
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Calvinetter,
It was the router... (I just knew it couldn't be the PIX)
It was inherited and after waiting ages to get the password, I reset it and setup the config myself. It was letting everything through except FTP!!
Thanks a lot for your logical replies.. it kept me sane :)
Cheers,
HT
It was the router... (I just knew it couldn't be the PIX)
It was inherited and after waiting ages to get the password, I reset it and setup the config myself. It was letting everything through except FTP!!
Thanks a lot for your logical replies.. it kept me sane :)
Cheers,
HT
Glad it worked out. You're welcome!
Since I see no other static NAT entries using 100.100.100.10, do this instead:
clear local
clear xlate
no static (inside,outside) tcp 100.100.100.10 ftp 10.0.0.190 ftp
static (inside,outside) 100.100.100.10 10.0.0.190
clear xlate
The new static NAT entry ensures all traffic from the .190 server is coming from 100.100.100.10, regardless of source port or protocol.
cheers