Passive FTP not working (with no fixup protocol ftp 21) on PIX 6.3

Unanswered Question
Nov 14th, 2008

I have disabled fixup ftp on the PIX 6.3 using "no fixup protocol ftp 21".


Connected to

220 "Unauthorized access is prohibited!"

User ( 12345

331 Please specify the password.


230 Login successful.

ftp> quote pasv

227 Entering Passive Mode (1,1,1,1,239,188)

ftp> ls -la

200 PORT command successful. Consider using PASV.

425 Failed to establish connection.


Nov 15 10:49:07 %PIX-4-106023: Deny tcp src sout: dst stfin: by access-group "outacl"

Nov 15 10:49:07 %PIX-4-106023: Deny tcp src sout: dst stfin: by access-group "outacl"

Nov 15 10:49:10 %PIX-4-106023: Deny tcp src sout: dst stfin: by access-group "outacl"

The FTP server is at the outside leg of the PIX. The FTP client ( is on the inside leg of the PIX. When the PIX is reverted back with "fixup protocol ftp 21", everything works. It seems that the "no fixup protocol ftp 21" actually breaks the FTP. My understanding is that "no fixup protocol ftp 21" is only applicable if you are using active FTP (where the FTP server is outside the network and needs the PIX to do deep packet inspection on FTP to permit the FTP server's data port TCP 20 to initiate back to the inside FTP client). For my case, the FTP client is inside and using passive FTP, thus all the connections (command and data) should be initiated from the client. By right, there should be no issue. However, the "no fixup protocol ftp 21" breaks the passive FTP from the client.

Please advise and thanks.

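The deny messages in the question come from the outbound access-group, not from the FTP session itself: once "fixup protocol ftp 21" is off, the PIX no longer reads the 227 reply to learn which high port the client is about to connect to, so that port has to be permitted statically in the outbound ACL. The following is an added example (not code from the thread or from Cisco) that parses a 227 "Entering Passive Mode" reply into the host and port the client will open, then evaluates that data connection against a simplified first-match, implicit-deny model of a Cisco ACL. The helper names, the sample ACL rules, the assumed server passive port range of 49152-65535 and the peer address 10.0.0.5 used in the usage section are all constructed for illustration; the 227 reply is the one quoted in the question.

```python
import re
from ipaddress import ip_address, ip_network

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): address is h1-h4,
# port is p1*256 + p2 (RFC 959).
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply, expected_host=None):
    """Return (host, port) that the client will connect to for the data channel.

    expected_host (hypothetical parameter): if given, the advertised address
    must equal the control-channel peer. A client that blindly follows the
    reply would otherwise open its data connection to whatever address the
    reply named, which is also why NAT breaks passive FTP without inspection.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in PASV reply")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if expected_host is not None and ip_address(host) != ip_address(expected_host):
        raise ValueError(
            f"PASV reply advertises {host}, control channel peer is {expected_host}"
        )
    return host, port


def acl_allows(acl, proto, dst_ip, dst_port):
    """Simplified Cisco ACL semantics: ordered rules, first match wins,
    implicit deny at the end (the deny that %PIX-4-106023 reports)."""
    dst = ip_address(dst_ip)
    for rule in acl:
        if rule["proto"] not in (proto, "ip"):
            continue
        if dst not in ip_network(rule["dst"]):
            continue
        lo, hi = rule.get("ports", (0, 65535))
        if not lo <= dst_port <= hi:
            continue
        return rule["action"] == "permit"
    return False


def passive_data_channel_allowed(pasv_reply, acl, expected_host=None):
    """True if the outbound ACL would let the passive data connection through."""
    host, port = parse_pasv(pasv_reply, expected_host)
    return acl_allows(acl, "tcp", host, port)


# Constructed sample input: the 227 reply quoted in the question, and an
# outbound ACL that permits only the FTP control channel to that server.
PASV_REPLY = "227 Entering Passive Mode (1,1,1,1,239,188)"
OUTACL_CONTROL_ONLY = [
    {"action": "permit", "proto": "tcp", "dst": "1.1.1.1/32", "ports": (21, 21)},
]
# The same ACL with a static permit for the server's passive port range.
# 49152-65535 is an assumption; narrow it to whatever range the FTP server
# is actually configured to hand out, rather than permitting all high ports.
OUTACL_WITH_PASV_RANGE = OUTACL_CONTROL_ONLY + [
    {"action": "permit", "proto": "tcp", "dst": "1.1.1.1/32", "ports": (49152, 65535)},
]

if __name__ == "__main__":
    host, port = parse_pasv(PASV_REPLY)
    print(f"client will connect to {host}:{port}")
    print("control-only ACL allows data channel:",
          passive_data_channel_allowed(PASV_REPLY, OUTACL_CONTROL_ONLY))
    print("ACL with passive range allows data channel:",
          passive_data_channel_allowed(PASV_REPLY, OUTACL_WITH_PASV_RANGE))
    try:
        parse_pasv(PASV_REPLY, expected_host="10.0.0.5")
    except ValueError as err:
        print("rejected:", err)
```

Run against the reply quoted above, the client computes 1.1.1.1 port 61372 (239*256+188); the control-only ACL denies it, which matches the deny-by-"outacl" lines in the question, and the ACL with the passive range permits it. One more thing worth checking in the quoted session: after "quote pasv" the client's "ls -la" still produced "200 PORT command successful", meaning the client sent a PORT command rather than using the passive port, so confirm the client is really in passive mode before tuning the ACL.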
hadbou Thu, 11/20/2008 - 14:27

The command fixup protocol ftp 21 is the default setting of this feature, and is enabled by default on the Cisco Secure PIX Firewall. This workaround will force your clients to use FTP in passive mode, and inbound FTP service will not be supported. Outbound standard FTP will not work without fixup protocol ftp 21, however, passive FTP will function correctly with no fixup protocol ftp configured.

cisco24x7 Thu, 11/20/2008 - 17:23

ftp and Pix firewall are something that most people just do not understand how it works, especially when it involves NAT.

I had extensive conversation with Cisco TAC on this and there are a lot of limitations on Cisco Pix when you turn OFF fixup. That's just the way it is. If you want a better solution and FTP, go with Checkpoint firewall.

See the thread below:

