Passive FTP not working (with no fixup protocol ftp 21) on PIX 6.3

happy12345
Level 1

I have disabled fixup ftp on the PIX 6.3 using "no fixup protocol ftp 21".

C:\>ftp 1.1.1.1
Connected to 1.1.1.1.
220 "Unauthorized access is prohibited!"
User (1.1.1.1:(none)): 12345
331 Please specify the password.
Password:
230 Login successful.
ftp> quote pasv
227 Entering Passive Mode (1,1,1,1,239,188)
ftp> ls -la
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
ftp>

Nov 15 10:49:07 2.2.2.2/2.2.2.2 %PIX-4-106023: Deny tcp src sout:1.1.1.1/35194 dst stfin:3.3.3.3/3746 by access-group "outacl"
Nov 15 10:49:07 2.2.2.2/2.2.2.2 %PIX-4-106023: Deny tcp src sout:1.1.1.1/35194 dst stfin:3.3.3.3/3746 by access-group "outacl"
Nov 15 10:49:10 2.2.2.2/2.2.2.2 %PIX-4-106023: Deny tcp src sout:1.1.1.1/35194 dst stfin:3.3.3.3/3746 by access-group "outacl"

The FTP server 1.1.1.1 is at the outside leg of the PIX. The FTP client (3.3.3.3) is on the inside leg of the PIX. When the PIX is reverted back with "fixup protocol ftp 21", everything works. It seems that the "no fixup protocol ftp 21" actually breaks the FTP. My understanding is that "no fixup protocol ftp 21" is only applicable if you are using active FTP (where the FTP server is outside of the network and needs the PIX to do deep packet inspection on FTP to permit the FTP server's data port TCP 20 to initiate back to the inside FTP client). For my case, the FTP client is inside and using passive FTP, thus all the connections (command and data) should be initiated from the client. By right, there should be no issue. However, the "no fixup protocol ftp 21" breaks the passive FTP from the client.

Please advise and thanks.
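Editor's note, added here and not part of the original post: the transcript above shows `ls -la` answered with `200 PORT command successful`, i.e. the client asked the server to open the data channel in active mode even though `quote pasv` had been sent first, and the three 106023 denies match that direction (1.1.1.1, the server, connecting toward 3.3.3.3, the client). A genuine PASV data connection would go the other way, from the client to the host and port encoded in the 227 reply (239*256+188 = 61372). The following script, written for this page rather than taken from Cisco or the poster, decodes the 227 reply, parses `%PIX-4-106023` deny lines and classifies each deny as an active-mode data channel (server to client, which needs the fixup or an explicit ACL entry) or a passive-mode one (client to server, which the fixup is not needed for). The server and client roles are taken from the post; the third syslog line and its `inacl` name are constructed to show the passive case.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Roles as stated in the post: server on the outside leg, client on the inside leg.
FTP_SERVER = "1.1.1.1"
FTP_CLIENT = "3.3.3.3"
PASV_REPLY = "227 Entering Passive Mode (1,1,1,1,239,188)"

# Constructed sample log: the first two lines mirror the post's denies, the third is
# a constructed example of what a denied PASV data connection would look like.
SAMPLE_SYSLOG = [
    'Nov 15 10:49:07 2.2.2.2/2.2.2.2 %PIX-4-106023: Deny tcp src sout:1.1.1.1/35194 '
    'dst stfin:3.3.3.3/3746 by access-group "outacl"',
    'Nov 15 10:49:10 2.2.2.2/2.2.2.2 %PIX-4-106023: Deny tcp src sout:1.1.1.1/35194 '
    'dst stfin:3.3.3.3/3746 by access-group "outacl"',
    'Nov 15 10:50:00 2.2.2.2/2.2.2.2 %PIX-4-106023: Deny tcp src stfin:3.3.3.3/4001 '
    'dst sout:1.1.1.1/61372 by access-group "inacl"',
]

# RFC 959 227 reply: "(h1,h2,h3,h4,p1,p2)"; data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PIX 106023 deny: "Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>""
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


@dataclass
class Deny:
    proto: str
    src_if: str
    src_ip: str
    src_port: int
    dst_if: str
    dst_ip: str
    dst_port: int
    acl: str


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply into the (host, port) the client must connect to."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_deny(line: str) -> Optional[Deny]:
    """Parse one %PIX-4-106023 line; return None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return Deny(d["proto"], d["src_if"], d["src_ip"], int(d["src_port"]),
                d["dst_if"], d["dst_ip"], int(d["dst_port"]), d["acl"])


def classify(deny: Deny, server: str, client: str) -> str:
    """Name the FTP data-channel direction a denied TCP flow corresponds to."""
    if deny.proto != "tcp":
        return "unrelated"
    if deny.src_ip == server and deny.dst_ip == client:
        # Server opened the data channel toward the client: active (PORT) mode.
        # Without the fixup the PIX has no dynamic hole for this, so the ACL decides.
        return "active"
    if deny.src_ip == client and deny.dst_ip == server:
        # Client opened the data channel toward the server: passive (PASV) mode.
        # No fixup is needed; the inbound-interface ACL must allow the data port.
        return "passive"
    return "unrelated"


def matches_pasv(deny: Deny, pasv_host: str, pasv_port: int) -> bool:
    """True if the denied flow is the data connection announced in the 227 reply."""
    return deny.dst_ip == pasv_host and deny.dst_port == pasv_port


def triage(lines: List[str], server: str, client: str, pasv_reply: str):
    """Return (direction, is_the_announced_pasv_channel, acl) per 106023 line."""
    host, port = parse_pasv(pasv_reply)
    results = []
    for line in lines:
        deny = parse_deny(line)
        if deny is None:
            continue
        results.append((classify(deny, server, client),
                        matches_pasv(deny, host, port), deny.acl))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_SYSLOG, FTP_SERVER, FTP_CLIENT, PASV_REPLY):
        print(row)
```

Run against the post's own lines the first two rows come back as `("active", False, "outacl")`: the denied flows are the server's active-mode data connections, not the PASV channel the 227 reply announced. Only the constructed third line classifies as `("passive", True, "inacl")`, the pattern one would expect to see if a passive transfer were really being blocked.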

2 Replies

hadbou
Level 5

The command fixup protocol ftp 21 is the default setting of this feature, and is enabled by default on the Cisco Secure PIX Firewall. This workaround will force your clients to use FTP in passive mode, and inbound FTP service will not be supported. Outbound standard FTP will not work without fixup protocol ftp 21; however, passive FTP will function correctly with no fixup protocol ftp configured.

FTP and PIX firewall are something that most people just do not understand how it works, especially when it involves NAT. I had an extensive conversation with Cisco TAC on this and there are a lot of limitations on Cisco PIX when you turn OFF fixup. That's just the way it is. If you want a better solution for FTP, go with Checkpoint firewall.

See the thread below:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cc17608/38#selected_message
