04-30-2009 11:24 AM - edited 03-11-2019 08:26 AM
I am trying to get Passive FTP working on my PIX.
I have Active FTP, SFTP, HTTPS, and FTPS (both explicit and implicit) working.
In order to get directory transfers to work I have to specify the external IP address to present in PASV on my FTP server, so I suspect I may have some kind of NAT issue, but so far have been unable to figure it out.
I am not going to paste my entire config here; it's rather large, but I'll paste the relevant lines. Let me know if I missed something critical, please.
I have also run fixup protocol ftp ## where ## = port numbers for ftps and ftp.
object-group service Visionshere tcp
 port-object range 3500 3500
object-group service ftps tcp
 port-object range 989 990
object-group service PASVFTP tcp
 port-object range 29000 30000
access-list WEBDMZ extended permit tcp host 172.22.11.179 object-group ftps any
access-list WEBDMZ extended permit tcp host 172.22.11.179 eq ftp any
access-list WEBDMZ extended permit tcp host 172.22.11.179 eq ftp-data any
access-list WEBDMZ extended permit tcp host 172.22.11.179 object-group PASVFTP any
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq ftp
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq ftp-data
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq https
access-list outside_060909 extended permit tcp any host 68.255.113.43 eq ssh
access-list outside_060909 extended permit tcp any host 68.255.113.43 object-group ftps
access-list outside_060909 extended permit tcp any host 68.255.113.43 object-group PASVFTP
static (WEBDMZ,outside) 68.255.113.43 172.22.11.179 netmask 255.255.255.255
!
class-map class_ftp
 match port tcp eq ftp-data
class-map class_ftp1
 match port tcp eq 990
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ils
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class class_ftp
  inspect ftp
 class class_ftp1
  inspect ftp
service-policy global_policy global
---edit---
I forgot to include the Syslog Message I am getting:
406002: FTP port command different address: 172.22.11.179(68.255.113.43) to 69.214.128.73 on interface WEBDMZ
05-06-2009 06:42 AM
Explanation for your syslog message : A client issued an FTP port command and supplied an address other than the address used in the connection. This error message is indicative of an attempt to avert the site security policy. For example, an attacker might attempt to hijack an FTP session by changing the packet on the way, and putting different source information, instead of the correct source information. The security appliance drops the packet, terminates the connection, and logs the event. The address in parentheses is the address from the port command.
The real problem is the FTP session is being NATed before it reaches the PIX, and the NATing device is *not* NATing the embedded address.
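To make the 406002 check and the "embedded address" point concrete, here is an added example (not Cisco's code and not from either poster) that does, in plain Python, what an FTP inspection engine does on the control channel: it parses the host/port field carried in a PORT command or a 227 passive-mode reply, enforces the rule that the embedded address must match the address the command came from, and shows the rewrite a NAT fixup performs on the way out (real address replaced by the static-mapped one, port kept). The addresses are the ones from the thread; the reply strings and the 113,80 port encoding are constructed samples chosen to fall inside the 29000-30000 PASVFTP range, and the log format is modelled on the message quoted above.

```python
"""Consistency check and NAT rewrite for addresses embedded in FTP control traffic.
Added illustration, not Cisco code. Sample lines below are constructed."""
import re

# Client -> server: "PORT h1,h2,h3,h4,p1,p2" (where the server should connect)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# Server -> client: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?(\d{1,3}(?:,\d{1,3}){5})")


def decode_hostport(field):
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(p) for p in field.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError("malformed host-port field: %r" % field)
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport: dotted IP + port -> 'h1,h2,h3,h4,p1,p2'."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 <= port <= 65535:
        raise ValueError("bad address or port")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def extract_embedded(line):
    """Return (kind, ip, port, raw_field) for a PORT command or 227 reply, else None."""
    for kind, rx in (("PORT", PORT_RE), ("PASV", PASV_RE)):
        m = rx.match(line)
        if m:
            ip, port = decode_hostport(m.group(1))
            return kind, ip, port, m.group(1)
    return None


def inspect_ftp_line(line, sender_ip, peer_ip, interface):
    """The rule behind syslog 406002: the embedded address must equal the address
    the control connection came from. Returns (allowed, message)."""
    found = extract_embedded(line)
    if found is None:
        return True, "no embedded address; pass"
    kind, ip, port, _ = found
    if ip != sender_ip:
        # Mismatch: the firewall drops the packet and logs the two addresses.
        return False, ("406002: FTP port command different address: "
                       "%s(%s) to %s on interface %s" % (sender_ip, ip, peer_ip, interface))
    return True, "%s opens data channel to %s:%d; pass" % (kind, ip, port)


def nat_rewrite(line, real_ip, mapped_ip):
    """What the FTP fixup does on an outbound reply: swap the real address in the
    embedded field for the static-mapped one and leave the port untouched."""
    found = extract_embedded(line)
    if found is None or found[1] != real_ip:
        return line
    _, _, port, field = found
    return line.replace(field, encode_hostport(mapped_ip, port), 1)


if __name__ == "__main__":
    REAL, MAPPED, CLIENT = "172.22.11.179", "68.255.113.43", "69.214.128.73"
    # Constructed 227 replies: one carrying the server's real address, one
    # carrying the external address the server was configured to present.
    good = "227 Entering Passive Mode (172,22,11,179,113,80)"
    bad = "227 Entering Passive Mode (68,255,113,43,113,80)"
    for reply in (good, bad):
        print(inspect_ftp_line(reply, REAL, CLIENT, "WEBDMZ"))
    print(nat_rewrite(good, REAL, MAPPED))
```

Run as a script, the second reply reproduces the mismatch verdict because the address inside the parentheses is not the address the packet arrived from; the last line shows the same reply after the fixup-style rewrite, which is the only point at which the external address should appear.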