• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 447

Allow FTP traffic through PIX to internal FTP server

I am having trouble getting FTP to work through my PIX firewall. I used to have it working, but during an effort to get a client VPN set up we made some changes to the firewall. We ended up setting up the VPN on a different PIX and now I am left with my FTP site not working. The FTP site works fine internally so I know it is working. Please Help!!!
Here is my current config on my PIX:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security15
nameif ethernet4 dmz3 security20
nameif ethernet5 dmz4 security25
enable password XXXXXXXXXXXXXXX encrypted
hostname PIXFW01
domain-name ad.XxX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host eq ftp
access-list outside permit tcp any any eq 1723
access-list nonat permit ip
access-list inbound permit tcp any any eq ftp
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside
ip address inside
ip address dmz1
ip address dmz2
ip address dmz3
ip address dmz4
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside
failover ip address inside
failover ip address dmz1
failover ip address dmz2
failover ip address dmz3
failover ip address dmz4
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1 0 0
nat (dmz1) 1 0 0
static (inside,outside) tcp ftp ftp netmask 0 0
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
isakmp enable outside
isakmp key ******** address netmask
isakmp key ******** address netmask
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup ciscotac idle-time 1800
vpngroup XxXVPN idle-time 1800
telnet outside
telnet inside
telnet inside
telnet dmz1
telnet dmz2
telnet dmz3
telnet dmz4
telnet timeout 5
ssh timeout 30
terminal width 80
1 Solution
I see no 'ftp mode passive', but that may not have any effect.

This one is interesting.
static (inside,outside) tcp ftp ftp netmask 0 0

So you're mapping an outside FTP server internally; can you access it from this address?

Is the FTP server the same address? (

And how are you accessing it internally? (ip address)..
PCWimpAuthor Commented:
This one is interesting.
static (inside,outside) tcp ftp ftp netmask 0 0
So you're mapping an outside FTP server internally; can you access it from this address?

Is the FTP server the same address? (

And how are you accessing it internally? (ip address)..
[I am able to access it by server name and IP address]

PCWimpAuthor Commented:
Upgraded account and increased the points on this question!

What else could have happened to the public IP? Is it the one used for VPN access by chance?

PCWimpAuthor Commented:
I tried to use that one for VPN but removed the commands I entered for it. I ended up setting up the VPN on a different PIX in a different site.
you may need to double check the other PIX for issues with this IP.

Have you turned the other off to eliminate it for testing?

PCWimpAuthor Commented:
The other PIX is in a different site. Different state... Totally different internet connection, provider and IP range. Even the internal IP addresses are different.
Your access-group command seems to be missing. If you have no ACE allowing inbound traffic from the outside, it will be dropped by default, as this would be passing from a lower to a higher security level.

access-group 100 in interface outside
I meant from higher to lower security level.
Sorry, please delete my post...
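The accepted diagnosis is a configuration-consistency problem: a static translation publishes port 21 on the outside interface, and an access-list with a matching permit ACE exists, but no access-group binds that list to the interface, so the PIX's default deny for lower-to-higher security traffic still applies. The script below is an added example, not part of the thread or of any Cisco tooling: it parses the handful of PIX 6.x command forms that appear in the posted config (fixup protocol, access-list, access-group, static) and reports unbound ACLs, published ports that no bound ACE permits, and an FTP static without FTP inspection. The sample config is constructed from the thread, with the redacted addresses replaced by documentation-range placeholders (203.0.113.10 for the public side, 192.168.1.10 for the inside server); these are assumptions, not values from the page.

```python
"""Audit a PIX 6.x config for the FTP-publishing mistakes discussed in the thread (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the thread's relevant lines with placeholder addresses
# (203.0.113.10 / 192.168.1.10 are assumptions; the page redacts the real ones).
SAMPLE_CONFIG = """\
fixup protocol ftp 21
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 203.0.113.10 eq ftp
access-list outside permit tcp any any eq 1723
access-list inbound permit tcp any any eq ftp
static (inside,outside) tcp 203.0.113.10 ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
"""
# The same config with the one line the accepted answer says is missing.
FIXED_CONFIG = SAMPLE_CONFIG + "access-group 100 in interface outside\n"

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "http": 80, "www": 80, "https": 443,
              "smtp": 25, "telnet": 23, "pptp": 1723}


def port_number(token: str) -> Optional[int]:
    """PIX accepts either a service name or a numeric port."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower())


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    dst: str                  # "any" or a single IP / network address
    dport: Optional[int]      # None when the ACE has no 'eq <port>' qualifier


@dataclass
class Static:
    inside_if: str
    outside_if: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


@dataclass
class PixConfig:
    acls: dict = field(default_factory=dict)     # acl name -> [Ace]
    groups: dict = field(default_factory=dict)   # interface -> acl name bound with access-group
    statics: list = field(default_factory=list)
    fixups: set = field(default_factory=set)


def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i], i + 2            # network plus mask; keep the network address


def parse_config(text: str) -> PixConfig:
    cfg = PixConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "fixup" and t[1] == "protocol":
            cfg.fixups.add(t[2])
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            name, action, proto = t[1], t[2], t[3]
            src, i = _take_addr(t, 4)
            dst, i = _take_addr(t, i)
            dport = port_number(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
            cfg.acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[0] == "access-group":           # access-group <acl> in interface <if>
            cfg.groups[t[4]] = t[1]
        elif t[0] == "static" and t[2] == "tcp":
            inside_if, outside_if = t[1].strip("()").split(",")
            cfg.statics.append(Static(inside_if, outside_if, t[3], port_number(t[4]),
                                      t[5], port_number(t[6])))
    return cfg


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means the published services look reachable."""
    cfg = parse_config(text)
    findings = []
    for name in cfg.acls:
        if name not in cfg.groups.values():
            findings.append(f"access-list {name} is defined but never bound with access-group, so it filters nothing")
    for s in cfg.statics:
        acl = cfg.groups.get(s.outside_if)
        if acl is None:
            findings.append(f"no access-group on interface {s.outside_if}: inbound connections to "
                            f"{s.global_ip}:{s.global_port} hit the default deny")
        elif not any(a.action == "permit" and a.proto in ("tcp", "ip")
                     and a.dst in ("any", s.global_ip) and a.dport in (None, s.global_port)
                     for a in cfg.acls.get(acl, [])):
            findings.append(f"bound access-list {acl} on {s.outside_if} has no ACE permitting tcp to "
                            f"{s.global_ip}:{s.global_port}")
        if s.global_port == 21 and "ftp" not in cfg.fixups:
            findings.append("FTP is published but 'fixup protocol ftp 21' is absent; "
                            "the data channel will not be opened by inspection")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("as posted", SAMPLE_CONFIG), ("with access-group", FIXED_CONFIG)):
        print(f"--- {label} ---")
        for f in audit(cfg_text) or ["no findings"]:
            print(" ", f)
```

Run against the posted config the audit reports the missing access-group on the outside interface plus three ACLs that are defined but never applied; with the one-line fix from the accepted answer the FTP static is covered by access-list 100 and only the two still-unbound lists ("outside" and "inbound") remain as warnings, which is a useful secondary cleanup since an ACL that is never bound gives a false sense of filtering.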