Passive FTP and FWSM

mark.hansel
Level 1

I'm having trouble opening a passive FTP connection between two hosts, both of which are behind firewalls and NAT'd. The FTP inspection on my end is properly inspecting the FTP traffic and is therefore seeing the "REAL" IP address as a result of the passive mode request. I believe that the firewall is therefore dropping the request because the address is different (not the NAT address). I can't turn off FTP inspection because it would kill the ability to create active FTP sessions.

Is there a way to make a custom FTP inspection rule that would allow a passive mode connection? Both hosts are behind Cisco devices; is there some fix or workaround for this problem? BTW the warning message is:

33406002FTP port command different address: 100.100.200.5(100.100.100.1) to 10.0.8.139 on interface outside

I changed the IP's to protect the "not so innocent".

Thanks

3 Replies

amritpatek
Level 6

With passive ftp the client should specify the port to be used. Make sure that the FWSM has both "ftp mode passive" and "fixup protocol ftp 21" in the config. Following links may help you

http://www.cisco.com/web/about/ac123/ac147/ac174/ac199/about_cisco_ipj_archive_article09186a00800c85a7.html

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/ef.html#wp1587433

Thanks, I understand what is supposed to happen during a passive FTP session. The problem appears to be that his firewall is not properly inspecting the FTP packet. He does have the global policy enabled, but for whatever reason his NAT device, which I have been told is a Cisco Firewall, is not re-writing the data portion of the 227 response. His box is replying with the non public IP address and my firewall is dropping the connection because it sees the connection as an FTP session hijack.

BTW the "FTP mode passive" command is only applicable to ftp sessions to the FWSM itself for the purpose of upgrading code or loading configuration files. It has no relevance to "external" FTP operations. The "fixup" commands have been replaced using policy statements.

Thanks for the reply.
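To make the failure mode described above concrete, here is an added example (not code from the thread or from Cisco) that parses a 227 reply, applies the same "announced address must match the control peer" check that FTP inspection applies before opening a data pinhole, and shows what the server-side fixup must rewrite for the check to pass. The sample reply and addresses are constructed to match the 406002 log line quoted in the question.

```python
import re

# Matches the host/port tuple in a 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed sample modelled on the log line in the question: the 227 payload
# carries 100.100.200.5 while the control connection arrives from 100.100.100.1.
SAMPLE_REPLY = "227 Entering Passive Mode (100,100,200,5,195,80)\r\n"
CONTROL_PEER = "100.100.100.1"


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if it is malformed."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    ip = ".".join(str(v) for v in fields[:4])
    port = (fields[4] << 8) | fields[5]      # data port = p1*256 + p2
    return ip, port


def inspect_pasv(reply, control_peer_ip):
    """Sanity check performed by FTP inspection on a 227 reply: the data address
    announced in the payload must be the address the control connection really
    comes from; anything else looks like a hijack attempt and is dropped."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "drop", "malformed 227 reply"
    ip, port = parsed
    if ip != control_peer_ip:
        return "drop", f"FTP port command different address: {ip}({control_peer_ip})"
    return "allow", f"open data pinhole to {ip}:{port}"


def nat_rewrite_pasv(reply, real_ip, mapped_ip):
    """What a working fixup on the server's NAT must do before the reply leaves:
    replace the inside address in the 227 payload with the mapped public address.
    Only the address changes; the port octets are preserved."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != real_ip:
        return reply                          # nothing to rewrite
    port = parsed[1]
    new_tuple = ",".join(mapped_ip.split(".") + [str(port >> 8), str(port & 0xFF)])
    return PASV_RE.sub(f"({new_tuple})", reply, count=1)
```

Running `inspect_pasv(SAMPLE_REPLY, CONTROL_PEER)` reproduces the drop, and running it on `nat_rewrite_pasv(SAMPLE_REPLY, "100.100.200.5", CONTROL_PEER)` shows the reply the remote side's NAT should have produced.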

I have the same problem with FWSM and FTP. Did you manage to solve this?

Thanks!
