Inbound Passive FTP on PIX 7.1(2) Code

Apr 30th, 2009

I am trying to get Passive FTP working on my PIX.


I have Active FTP, SFTP, HTTPS, and FTPS (both explicit and implicit) working.


In order to get directory transfers to work I have to specify the external IP address to present in PASV on my FTP server, so I suspect I may have some kind of NAT issue, but so far have been unable to figure it out.


I am not going to paste my entire config here since it's rather large, but I'll paste the relevant lines. Let me know if I missed something critical please.


I have also run fixup protocol ftp ## where ## = port numbers for ftps and ftp.


object-group service Visionshere tcp
 port-object range 3500 3500
object-group service ftps tcp
 port-object range 989 990
object-group service PASVFTP tcp
 port-object range 29000 30000

access-list WEBDMZ extended permit tcp host 172.22.11.179 object-group ftps any
access-list WEBDMZ extended permit tcp host 172.22.11.179 eq ftp any
access-list WEBDMZ extended permit tcp host 172.22.11.179 eq ftp-data any
access-list WEBDMZ extended permit tcp host 172.22.11.179 object-group PASVFTP any

access-list outside_060909 extended permit tcp any host 68.255.113.43 eq ftp
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq ftp-data
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq https
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq ssh
access-list outside_060909 extended permit tcp any host 68.255.113.43 object-group ftps
access-list outside_060909 extended permit tcp any host 68.255.113.43 object-group PASVFTP

static (WEBDMZ,outside) 68.255.113.43 172.22.11.179 netmask 255.255.255.255
!
class-map class_ftp
 match port tcp eq ftp-data
class-map class_ftp1
 match port tcp eq 990

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class_ftp
  inspect ftp
 class class_ftp1
  inspect ftp

service-policy global_policy global


---edit---

I forgot to include the Syslog Message I am getting:


406002: FTP port command different address: 172.22.11.179(68.255.113.43) to 69.214.128.73 on interface WEBDMZ

vmoopeung Wed, 05/06/2009 - 06:42

Explanation for your syslog message: A client issued an FTP port command and supplied an address other than the address used in the connection. This error message is indicative of an attempt to avert the site security policy. For example, an attacker might attempt to hijack an FTP session by changing the packet on the way, and putting different source information, instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event. The address in parentheses is the address from the port command.


The real problem is the FTP session is being NATed before it reaches the PIX, and the NATing device is *not* NATing the embedded address.
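As an added illustration (not part of this thread and not Cisco's code), the following Python models the check behind message 406002 and the address rewrite that FTP inspection performs when the check passes: the address embedded in a PORT command or a 227 passive reply must equal the address the sender actually used on the control connection, and only then is it substituted with the statically translated address so the far side can reach the data port. The 172.22.11.179 / 68.255.113.43 / 69.214.128.73 / WEBDMZ values and the log format come from the configuration and syslog line quoted above; the 10.0.0.5 / 198.51.100.7 PORT example is constructed, and the internal PIX behaviour is an assumption modelled on the explanation in the reply, not a reproduction of the product's logic.

```python
import ipaddress
import re

# FTP control-channel messages that carry an embedded IPv4 address and port,
# encoded as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2):
#   client -> server : PORT h1,h2,h3,h4,p1,p2
#   server -> client : 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + HOSTPORT + r"\)")


def decode_hostport(field):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port), rejecting out-of-range octets."""
    nums = [int(x) for x in field.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("malformed host-port field: %r" % field)
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]


def encode_hostport(addr, port):
    """Inverse of decode_hostport: (IPv4Address, port) -> 'h1,h2,h3,h4,p1,p2'."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return ",".join(str(b) for b in addr.packed) + ",%d,%d" % (port // 256, port % 256)


def extract_embedded(line):
    """Return (kind, raw_field, addr, port) for a PORT command or 227 reply, else None."""
    for kind, regex in (("PORT", PORT_RE), ("PASV", PASV_RE)):
        m = regex.match(line)
        if m:
            addr, port = decode_hostport(m.group(1))
            return kind, m.group(1), addr, port
    return None


def inspect_control_line(line, sender_real, sender_mapped, peer, interface):
    """Emulate the FTP inspection address check and rewrite (assumption: modelled on the
    reply in the thread, not Cisco's implementation).

    sender_real   : address the sender actually used on the control connection
    sender_mapped : address the static translation presents for it on the far side
    Returns (accepted, rewritten_line, log_message). A line whose embedded address
    differs from sender_real is dropped and reported in the 406002 format from the
    thread; a matching line has its embedded address rewritten to sender_mapped so
    the peer can open the data connection through the translation.
    """
    sender_real = ipaddress.IPv4Address(sender_real)
    sender_mapped = ipaddress.IPv4Address(sender_mapped)
    found = extract_embedded(line)
    if found is None:
        return True, line, None  # no embedded address: nothing to check or rewrite
    _kind, raw, addr, port = found
    if addr != sender_real:
        log = ("406002: FTP port command different address: %s(%s) to %s on interface %s"
               % (sender_real, addr, peer, interface))
        return False, None, log
    return True, line.replace(raw, encode_hostport(sender_mapped, port), 1), None


if __name__ == "__main__":
    # Server replies built from the addresses in the thread; 113,72 encodes port 29000,
    # the low end of the poster's PASVFTP range.
    for reply in ("227 Entering Passive Mode (68,255,113,43,113,72)",   # external IP embedded
                  "227 Entering Passive Mode (172,22,11,179,113,72)"):  # real IP embedded
        print(inspect_control_line(reply, "172.22.11.179", "68.255.113.43",
                                   "69.214.128.73", "WEBDMZ"))
```

The first sample reply, with the server's public address embedded, reproduces the exact syslog line quoted in the question; the second, with the server's real address embedded, is accepted and leaves the inspector already carrying the public address, which is the division of labour the inspection expects: the server speaks its own address and the firewall does the translation.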

