Inbound Passive FTP on PIX 7.1(2) Code

dpickinpaugh
Level 1

I am trying to get Passive FTP working on my PIX.

I have Active FTP, SFTP, HTTPS, and FTPS (both explicit and implicit) working.

In order to get directory transfers to work I have to specify the external IP address to present in PASV on my FTP server, so I suspect I may have some kind of NAT issue, but so far have been unable to figure it out.

I am not going to paste my entire config here, since it's rather large, but I'll paste the relevant lines. Let me know if I missed something critical, please.

I have also run fixup protocol ftp ## where ## = port numbers for ftps and ftp.

object-group service Visionshere tcp
 port-object range 3500 3500
object-group service ftps tcp
 port-object range 989 990
object-group service PASVFTP tcp
 port-object range 29000 30000
access-list WEBDMZ extended permit tcp host 172.22.11.179 object-group ftps any
access-list WEBDMZ extended permit tcp host 172.22.11.179 eq ftp any
access-list WEBDMZ extended permit tcp host 172.22.11.179 eq ftp-data any
access-list WEBDMZ extended permit tcp host 172.22.11.179 object-group PASVFTP any
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq ftp
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq ftp-data
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq https
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq ssh
access-list outside_060909 extended permit tcp any host 68.255.113.43 object-group ftps
access-list outside_060909 extended permit tcp any host 68.255.113.43 object-group PASVFTP
static (WEBDMZ,outside) 68.255.113.43 172.22.11.179 netmask 255.255.255.255
!
class-map class_ftp
 match port tcp eq ftp-data
class-map class_ftp1
 match port tcp eq 990
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class_ftp
  inspect ftp
 class class_ftp1
  inspect ftp
service-policy global_policy global

---edit---

I forgot to include the Syslog Message I am getting:

406002: FTP port command different address: 172.22.11.179(68.255.113.43) to 69.214.128.73 on interface WEBDMZ


vmoopeung
Level 5

Explanation for your syslog message: A client issued an FTP port command and supplied an address other than the address used in the connection. This error message is indicative of an attempt to avert the site security policy. For example, an attacker might attempt to hijack an FTP session by changing the packet on the way, and putting different source information, instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event. The address in parentheses is the address from the port command.

The real problem is the FTP session is being NATed before it reaches the PIX, and the NATing device is *not* NATing the embedded address.
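A small model of the check behind message 406002, added here as an example (it is not Cisco code and not part of either post). It assumes the server address, static NAT mapping and client address from the thread, and treats a 227 PASV reply the same way as a PORT command: if the embedded address differs from the sender's address on that interface, the line is dropped and logged; if it matches, the embedded address is rewritten to its static NAT address, which is what the server's "present external IP in PASV" setting pre-empts.

```python
import re

# Constructed from the thread: the server's real address on WEBDMZ, its static
# NAT address on outside, and the client address seen in the syslog line.
SERVER_INSIDE = "172.22.11.179"
SERVER_OUTSIDE = "68.255.113.43"
CLIENT = "69.214.128.73"

# Mirrors: static (WEBDMZ,outside) 68.255.113.43 172.22.11.179
STATIC_NAT = {SERVER_INSIDE: SERVER_OUTSIDE}

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 PASV reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_embedded(line: str):
    """Return (ip, port) embedded in a PORT command or 227 reply, else None."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_ftp(line: str, src_ip: str, dst_ip: str, ifname: str) -> dict:
    """Simplified model of the FTP inspection consistency check (assumption, not
    the appliance's real code): the embedded address must equal the address the
    sender used for the control connection, otherwise the line is dropped and a
    406002-style record is produced. A matching line gets its embedded address
    rewritten to the sender's static NAT address, as 'inspect ftp' would do."""
    parsed = parse_embedded(line)
    if parsed is None:
        return {"action": "pass", "line": line}  # no embedded address, untouched
    emb_ip, emb_port = parsed
    if emb_ip != src_ip:
        log = (f"406002: FTP port command different address: "
               f"{src_ip}({emb_ip}) to {dst_ip} on interface {ifname}")
        return {"action": "drop", "log": log}
    nat_ip = STATIC_NAT.get(src_ip, src_ip)
    nat_field = f"{nat_ip.replace('.', ',')},{emb_port // 256},{emb_port % 256}"
    return {"action": "pass", "line": _HOSTPORT.sub(nat_field, line)}


if __name__ == "__main__":
    # Server already advertising its public address: the case in the thread.
    print(inspect_ftp("227 Entering Passive Mode (68,255,113,43,113,72).",
                      SERVER_INSIDE, CLIENT, "WEBDMZ"))
    # Server advertising its real address: passes and is rewritten by NAT.
    print(inspect_ftp("227 Entering Passive Mode (172,22,11,179,113,72).",
                      SERVER_INSIDE, CLIENT, "WEBDMZ"))
```

Port 29000 encodes as 113,72 here, inside the PASVFTP range from the posted config.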
