01-28-2008 08:54 AM - edited 03-11-2019 04:54 AM
I have a NATed client trying to FTP to a server on the Internet. The server is blocking the FTP connection because it sees the private address of my client. Is there a setting on the firewall to prevent this from happening?
01-28-2008 09:39 AM
What is the NATing device? Is this a PIX/ASA firewall or a router? If this is a PIX/ASA, do you have fixup configured? Can you post your configuration along with details on the IP address of the FTP client and FTP server?
Regards,
Arul
** Please rate all helpful posts **
01-28-2008 10:39 AM
The NATing device is an ASA 5520. The client is being NATed. I'm not sure about the server.
01-28-2008 11:17 AM
make sure you have ftp inspection enabled in your global policy.
inspect ftp
if that doesn't work, please post what happens when you ftp to this server and exactly how it 'fails'.
01-28-2008 11:24 AM
As a test, on the ASA do this:
fixup protocol ftp 21
nat (inside) 1 0 0
global (outside) 1 interface
access-list test permit ip any any log
access-group test in interface inside
access-group test in interface outside
Now from a host inside the ASA, perform an FTP connection. I have an FTP server on the Internet. If you give me your public IP address, I can add it to my Checkpoint security policy so that you can test connecting to it.
CCIE Security
01-28-2008 01:14 PM
This is what is happening on the client side. It's not using the standard port 21 but port 1021.
connecting to 149.149.15.100:1021
login
xxxxxxx
xxxxxxx
Host type (S):UNIX (standard)
PASV
227 Entering Passive Mode(149,149,15,100,59,23)
connecting to 149.149.15.100:15127
--
!Conntection failed 149.149.15.100-connection refused
!connect error 0
PORT 172,20,46,74,7,132
500| I won't open a connection to 172.20.46.74(only to 198.146.198.101)
!Failed "port"
01-28-2008 02:28 PM
fixup protocol ftp 1021
As a security person, I am very surprised that people still use FTP these days. Not only is the protocol insecure, you will run into issues like this.
I noticed that the FTP server box is a Unix box. If that is the case, why not use SecureFTP (sFTP)? sFTP is a component of the sshd daemon, which is very secure. You can configure it to run at AES256-cbc with SHA-1 and allow ssh outbound access. Everything will be OK after that.
This is 2008, not 1998. FTP and TFTP should be banned due to their inherently weak security. TFTP should be replaced by Secure Copy (scp).
CCIE Security
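The transcript above shows the mechanics of the failure: the 227 reply and the PORT command carry an address and port in the RFC 959 h1,h2,h3,h4,p1,p2 form, and the PORT from the client still holds the private 172.20.46.74 because FTP inspection was only applied to port 21, not 1021. The following is an added example (not code from the thread or from Cisco) that decodes those fields from a constructed copy of the transcript and flags any PORT command that left the NAT boundary untranslated; it assumes 198.146.198.101 (the address the server says it expects) is the client's public NAT address.

```python
import ipaddress
import re

# Constructed excerpt of the client-side transcript posted in the thread.
TRANSCRIPT = """\
connecting to 149.149.15.100:1021
PASV
227 Entering Passive Mode(149,149,15,100,59,23)
connecting to 149.149.15.100:15127
PORT 172,20,46,74,7,132
500| I won't open a connection to 172.20.46.74(only to 198.146.198.101)
"""

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (RFC 959).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Return (ip, port) from a PORT line or 227 reply; port = p1*256 + p2."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def audit_transcript(transcript, expected_public_ip):
    """Walk the control-channel lines and report each data-connection endpoint.

    A PORT command that still carries an RFC 1918 address, or any address other
    than the expected public NAT address, means the firewall's FTP inspection
    (fixup / inspect ftp) did not rewrite it on this control port.
    """
    findings = []
    for line in transcript.splitlines():
        if line.startswith("PORT "):
            ip, port = decode_hostport(line)
            if ipaddress.ip_address(ip).is_private or ip != expected_public_ip:
                findings.append(("PORT_NOT_TRANSLATED", ip, port))
            else:
                findings.append(("PORT_OK", ip, port))
        elif line.startswith("227 "):
            # Server-side passive endpoint the client will connect to next.
            ip, port = decode_hostport(line)
            findings.append(("PASV_DATA_ENDPOINT", ip, port))
    return findings


if __name__ == "__main__":
    for finding in audit_transcript(TRANSCRIPT, "198.146.198.101"):
        print(finding)
```

The decoded passive endpoint (149.149.15.100:15127) matches the "connecting to" line in the transcript, and the PORT finding is the untranslated private address the server rejected.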
01-30-2008 05:49 AM
I don't know why they are still using FTP. It's another college who has the FTP server. Maybe they fear change. I'll try the fixup ftp 1021 command and post the results.
Inspect is the new command on the ASA for fixup correct?