Problems with internal clients using active FTP through PIX

rimbertr1 · ‎01-24-2008

From a host in our inside subnet, using active FTP we can connect to an FTP server out in the Internet but cannot get a list of files. Passive FTP works fine.

I do have "fixup protocol ftp 21" which I thought is supposed to fix this very issue but I can't use active FTP. I've tried a couple of other FTP servers and same thing, I can connect but cannot get data.

Our router between the ISP and the PIX is currently set to allow everything in and out so it's not that.

I'm using PIX Version 6.3(5).

Is there something else I'm supposed to do to make active FTP work for hosts on the inside? Unfortunately, using passive FTP is not an option for what we need to do.

rimbertr1 · ‎01-24-2008

I forgot to add. I also tried allowing from any source from port 20 to the internal hosts destination port > 1024 on the PIX and it didn't make a difference.

Anyone else out there run into this?

srue · ‎01-24-2008

does it happen with only a particular FTP server out on the internet, or all active ftp servers out on the net?

I know you said you tried allowing tcp/20 from the source to your internal hosts, but have you tried allowing tcp/any from the particular ftp server to any internal?

rimbertr1 · ‎01-28-2008

Something is really screwy. I thought passive FTP worked on all of them but it doesn't - only one (my personal FTP site) works in passive FTP but the other three I've tried doesn't work with either active or passive as far as getting the data (I can log in fine).

I did try on one of the FTP sources allowing tcp any to tcp any on a host inside and it didn't make a difference. Even when I tried it for my personal FTP site, I still couldn't get active FTP to work.

I think I'm gonna try to clear some arp caches on the switches - maybe they've gotten corrupted? I've already cleared the translate table on the PIX but that didn't make a difference.