01-14-2010 01:44 AM - edited 03-11-2019 09:57 AM
Dear ALL,
I'm going to show to all of you a problem concerning file transfer that involves a Cisco PIX 515E 6.3 (4), an ftp server (SERV-U) and a client side.
Client side is composed of an automatic procedure (in order to download files) running on a Windows XP and an ISA Server 2000.
Every 5 file transfers, at least 2 fail with this kind of error:
from ftp server side
Error sending file customer-file.txt, aborting (0 bytes/sec - 0 bytes, unable to open data connection)
and from PIX side
%PIX-6-303002: Customer Public IP Retrieved FTP Server Public IP:customer-file.txt
%PIX-4-106023: Deny tcp src inside:FTP Server Private IP/20 dst outside:Customer Public IP /4198 by access-group "acl-outbound"
but there is no acl-outbound entry denying that kind of traffic
Please, has anyone experienced that kind of trouble?
Regards
Alberto Brivio
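An added example, not from the thread or from Cisco, that applies the correlation the two log lines above suggest: flag an outbound-ACL denial of the FTP server's port-20 data connection when the fixup has just logged a transfer to that same client. The sample syslog lines and all addresses are constructed placeholders.

```python
"""Correlate PIX 6.3 syslog to spot active-mode FTP data connections (server port 20)
denied by an outbound ACL right after the FTP fixup logged the transfer (303002)."""
import re
from typing import Dict, List

# Constructed sample lines in the format shown in the thread; addresses are placeholders
# (client = 203.0.113.10, server public = 198.51.100.5, server private = 10.0.0.5).
SAMPLE_LOGS = [
    "%PIX-6-303002: 203.0.113.10 Retrieved 198.51.100.5:customer-file.txt",
    '%PIX-4-106023: Deny tcp src inside:10.0.0.5/20 dst outside:203.0.113.10/4198 by access-group "acl-outbound"',
    "%PIX-6-303002: 203.0.113.11 Retrieved 198.51.100.5:other-file.txt",
    '%PIX-4-106023: Deny tcp src inside:10.0.0.5/445 dst outside:203.0.113.12/5000 by access-group "acl-outbound"',
]

FTP_XFER = re.compile(
    r"%PIX-6-303002: (?P<client>\S+) (?P<action>Stored|Retrieved) (?P<server>[^:\s]+):(?P<file>.+)$"
)
ACL_DENY = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>\S+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>\S+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
FTP_DATA_PORT = "20"  # active-mode FTP: the server opens the data channel from port 20


def find_denied_ftp_data(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per ACL denial that hits the active FTP data channel of a
    client whose transfer the fixup had just logged. Correlation is on the *client*
    address: 303002 reports the server's public (NAT) address while 106023 reports
    its private address, so the server address does not match across the two lines."""
    last_xfer: Dict[str, Dict[str, str]] = {}  # client IP -> most recent 303002 fields
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = FTP_XFER.search(line)
        if m:
            last_xfer[m["client"]] = m.groupdict()
            continue
        m = ACL_DENY.search(line)
        if not m or m["proto"] != "tcp" or m["sport"] != FTP_DATA_PORT:
            continue  # not a denied FTP data connection
        xfer = last_xfer.get(m["dst"])
        if xfer is None:
            continue  # port-20 denial with no preceding FTP transfer for that client
        findings.append({
            "client": m["dst"], "server_private": m["src"], "acl": m["acl"], "file": xfer["file"],
            "reason": "active-mode FTP data connection denied by outbound ACL "
                      "although 'fixup protocol ftp 21' is configured",
        })
    return findings


if __name__ == "__main__":
    for finding in find_denied_ftp_data(SAMPLE_LOGS):
        print(finding)
```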
01-14-2010 11:58 AM
send us the access-list to check that out.
01-15-2010 12:22 AM
Hi,
the ACEs concerning the problem are:
access-list acl-inbound permit icmp any any first line
access-list acl-inbound permit tcp any host A.B.C.D eq ftp
access-list acl-inbound deny ip any any last line
access-list acl-outbound permit icmp any any first line
access-list acl-outbound permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list acl-outbound deny ip any any last line
moreover there is the following line
fixup protocol ftp 21
01-15-2010 01:12 AM
Hi Alberto,
The following can be the reasons which have resulted in the below issue in PIX for FTP communication:
Deny protocol src [interface_name:source_address/source_port]
dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group
acl_ID
Explanation: An IP packet was denied by the ACL. This message displays even if
you do not have the log option enabled for an ACL.
Recommended Action: If messages persist from the same source address, messages
could indicate a foot printing or port scanning attempt. Contact the remote host
administrators.
FTP connection from src_ifc:src_ip/src_port to dst_ifc:dst_ip/dst_port,
user username action file filename
Explanation: This event is generated whenever a client uploads or downloads a
file from the FTP server. src_ifc The interface where the client resides. src_ip The
IP address of the client. src_port The client port. dst_ifc The interface where
the server resides. dst_ip The IP address of the FTP server. dst_port The server
port. username The FTP username. action The stored/retrieved actions. filename The
file stored or retrieved.
Recommended Action: None.
HTH
Regards
Ganesh.H
01-15-2010 06:08 AM
Take a look at these defects: CSCdv33495, CSCsc44193, CSCeg52090 and CSCea77053 in this link: http://tools.cisco.com/Support/BugToolKit
Pls. upgrade to the latest interim in the 6.3 train.
-KS
01-18-2010 07:56 AM
I'm going to upgrade the PIX in the next days.
Just for info for all people reading the thread: removing the access-list controlling traffic from inside to outside, the problem disappears.
Regards
Alberto Brivio