NAT and FTP problem

randyclark
Level 1

I have a NATed client trying to FTP to a server on the Internet. The server is blocking the FTP connection because it sees the private address of my client. Is there a setting on the firewall to prevent this from happening?

7 Replies

ajagadee
Cisco Employee

What is the NATing device? Is this a Pix/ASA firewall or a router? If this is a Pix/ASA, do you have fixup configured? Can you post your configuration along with details on what the IP addresses of the FTP client and FTP server are?

Regards,

Arul

** Please rate all helpful posts **

The NATing device is an ASA 5520. The client is being NATed. I'm not sure about the server.

Make sure you have FTP inspection enabled in your global policy:

inspect ftp

If that doesn't work, please post what happens when you FTP to this server and exactly how it 'fails'.

As a test, on the ASA do this:

fixup ftp protocol 21

nat (inside) 1 0 0

global (outside) 1 interface

access-list test permit ip any any log

access-group test in interface inside

access-group test in interface outside

Now from a host inside the ASA, perform an FTP connection. I have an FTP server on the Internet. If you give me your public IP address, I can add it to my Checkpoint security policy so that you can test connecting to it.

CCIE Security

This is what is happening on the client side. It's not using the standard port 21 but port 1021.

connecting to 149.149.15.100:1021

login

xxxxxxx

xxxxxxx

Host type (S):UNIX (standard)

PASV

227 Entering Passive Mode(149,149,15,100,59,23)

connecting to 149.149.15.100:15127

--

!Conntection failed 149.149.15.100-connection refused

!connect error 0

PORT 172,20,46,74,7,132

500| I won't open a connection to 172.20.46.74(only to 198.146.198.101)

!Failed "port"
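The two failures in that session come from the addresses FTP carries inside its control channel: the server's 227 reply (59,23 = port 15127, which is the port the client tried next) and the client's PORT command, which advertised the private 172.20.46.74 because the control connection on port 1021 was not being inspected. The following Python is an added example, not code from this thread or from Cisco; it parses both message forms, flags a PORT command that leaked a private address, and models the payload rewrite an FTP inspection engine (the "fixup"/"inspect ftp" discussed above) performs on the way out. The NAT mapping 172.20.46.74 -> 198.146.198.101 is an assumption taken from the server's 500 reply; the port set and function names are mine.

```python
"""FTP-through-NAT helper: parse the host/port FTP embeds in its control
channel and show what an FTP application-layer gateway has to change.

Constructed example. Session lines are copied from the thread; the NAT
mapping 172.20.46.74 -> 198.146.198.101 is assumed from the 500 reply.
"""
import ipaddress
import re

# RFC 959 host-port encoding: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("host-port octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(ip, port):
    if not 0 < port <= 65535:
        raise ValueError("bad port")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Client PORT command -> (ip, port) the server is asked to connect to."""
    m = _PORT_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def parse_pasv_reply(line):
    """Server 227 reply -> (ip, port) the client will connect to for data."""
    m = _PASV_RE.match(line.strip())
    return _decode(m.groups()) if m else None


def leaks_private_address(line, translated_src_ip):
    """Detection check: a PORT command whose embedded address is RFC 1918, or
    simply differs from the packet's translated source, went through NAT
    without an FTP ALG. The server will refuse it, as the 500 reply shows."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False
    ip, _ = parsed
    return ipaddress.ip_address(ip).is_private or ip != translated_src_ip


def alg_outbound(line, control_dst_port, inside_ip, mapped_ip, inspected_ports):
    """Simplified model of the ALG payload rewrite (assumed behaviour, not a
    copy of the ASA engine). A real inspection engine also translates the data
    port and opens a pinhole for the server's inbound data connection; only
    the text rewrite is shown here. Returns the line as it leaves the firewall."""
    if control_dst_port not in inspected_ports:
        # Control channel on a port the ALG is not watching passes untouched:
        # the thread's situation (server on 1021, inspection only on 21).
        return line
    parsed = parse_port_command(line)
    if parsed is None:
        return line
    ip, port = parsed
    if ip != inside_ip:
        return line
    return f"PORT {_encode(mapped_ip, port)}"


# --- constructed demo using the lines from the thread ---
INSIDE_IP, MAPPED_IP = "172.20.46.74", "198.146.198.101"   # assumed NAT mapping
SERVER_PASV_REPLY = "227 Entering Passive Mode(149,149,15,100,59,23)"
CLIENT_PORT_CMD = "PORT 172,20,46,74,7,132"

if __name__ == "__main__":
    print(parse_pasv_reply(SERVER_PASV_REPLY))   # ('149.149.15.100', 15127)
    print(parse_port_command(CLIENT_PORT_CMD))   # ('172.20.46.74', 1924)
    for ports in ({21}, {21, 1021}):
        out = alg_outbound(CLIENT_PORT_CMD, 1021, INSIDE_IP, MAPPED_IP, ports)
        print(sorted(ports), "->", out,
              "| leaks private address:", leaks_private_address(out, MAPPED_IP))
```

Running it shows the same PORT line leaving unchanged when only port 21 is inspected and rewritten to the public address once 1021 is added to the inspected set, which is the effect the fixup-on-1021 suggestion in this thread is after.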

fixup protocol ftp 1021

As a security person, I am very surprised that people still use FTP these days. Not only is the protocol insecure, you will run into issues like this.

I noticed that the FTP server box is a Unix box. If that is the case, why not use SecureFTP (sFTP)? sFTP is a component of the sshd daemon, which is very secure. You can configure it to run at AES256-cbc with sha-1 and allow ssh outbound access. Everything will be ok after that.

This is 2008, not 1998. FTP and TFTP should be banned due to their inherently weak security. TFTP should be replaced by Secure Copy (scp).

CCIE Security

I don't know why they are still using FTP. It's another college who has the FTP server. Maybe they fear change. I'll try the fixup ftp 1021 command and post the results.

Inspect is the new command on the ASA for fixup, correct?
