
FTP troubles

albertobrivio42
Level 1

Dear ALL,

I'm going to show all of you a problem concerning file transfer that involves a Cisco PIX 515E 6.3(4), an FTP server (SERV-U) and a client side.

The client side is composed of an automatic procedure (in order to download files) running on Windows XP and an ISA Server 2000.

Out of every 5 file transfers, at least 2 fail with this kind of error:

from ftp server side

Error sending file customer-file.txt, aborting (0 bytes/sec - 0 bytes, unable to open data connection)

and from PIX side

%PIX-6-303002:  Customer Public IP Retrieved FTP Server Public IP:customer-file.txt
%PIX-4-106023:  Deny tcp src inside:FTP Server Private IP/20 dst outside:Customer Public IP /4198 by access-group "acl-outbound"

... but there is not any acl-outbound denying that kind of traffic.

Please, has anyone experienced that kind of trouble?

                                           Regards

                                           Alberto Brivio

5 Replies

Send us the access-list to check that out.

Hi,

the ACEs concerning the problem are:

access-list acl-inbound permit icmp any any                               first line
access-list acl-inbound permit tcp any host A.B.C.D eq ftp
access-list acl-inbound deny ip any any                                     last line


access-list acl-outbound permit icmp any any                             first line
access-list acl-outbound permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list acl-outbound deny ip any any                                    last line

Moreover, there is the following line:

fixup protocol ftp 21
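
Added example (not part of the original posts): a static, first-match evaluation of the acl-outbound ACEs posted above against the packet named in the 106023 message, ignoring any connection that `fixup protocol ftp` would open dynamically. The addresses in the sample log line are constructed because the thread redacts them, and the parser handles only the ACE forms that appear in the thread.

```python
import ipaddress
import re

# ACEs exactly as posted in the thread.
ACL_OUTBOUND = """\
access-list acl-outbound permit icmp any any
access-list acl-outbound permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list acl-outbound deny ip any any
"""
# Constructed sample: the thread redacts both addresses, so these are placeholders.
DENY_LOG = ('%PIX-4-106023: Deny tcp src inside:192.168.0.10/20 '
            'dst outside:203.0.113.50/4198 by access-group "acl-outbound"')
PORTS = {"ftp": 21}

def parse_addr(tokens):
    """Consume 'any', 'host X' or 'net mask' and return an ip_network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_ace(line):
    """Parse only the ACE forms used in the thread (optional 'eq' on the destination)."""
    t = line.split()[2:]  # drop 'access-list <name>'
    ace = {"text": line.strip(), "action": t.pop(0), "proto": t.pop(0)}
    ace["src"], ace["dst"] = parse_addr(t), parse_addr(t)
    ace["dport"] = (PORTS.get(t[1]) or int(t[1])) if t[:1] == ["eq"] else None
    return ace

def parse_deny(msg):
    m = re.search(r"Deny (\w+) src \S+?:([\d.]+)/(\d+) dst \S+?:([\d.]+)/(\d+)", msg)
    proto, src, sport, dst, dport = m.groups()
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}

def first_match(acl_text, pkt):
    """Return the first ACE matching pkt (top-down, first match wins)."""
    for ace in map(parse_ace, acl_text.splitlines()):
        if (ace["proto"] in ("ip", pkt["proto"])
                and pkt["src"] in ace["src"] and pkt["dst"] in ace["dst"]
                and ace["dport"] in (None, pkt["dport"])):
            return ace
    return None

if __name__ == "__main__":
    pkt = parse_deny(DENY_LOG)
    print("data connection:", first_match(ACL_OUTBOUND, pkt)["text"])
    print("control (21)   :", first_match(ACL_OUTBOUND, {**pkt, "dport": 21})["text"])
```

The data connection from source port 20 to the client's port 4198 matches neither permit ACE and lands on the final `deny ip any any`, while a connection to destination port 21 from the same host matches the `eq ftp` permit.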

Ganesh Hariharan
VIP Alumni

Hi Alberto,

The following can be the reasons which have resulted in the below issue in PIX for FTP communication:

Deny protocol src [interface_name:source_address/source_port]
dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group
acl_ID

Explanation: An IP packet was denied by the ACL. This message displays even if
you do not have the log option enabled for an ACL.

Recommended Action: If messages persist from the same source address, messages
could indicate a foot printing or port scanning attempt. Contact the remote host
administrators.

FTP connection from src_ifc:src_ip/src_port to  dst_ifc:dst_ip/dst_port,
user username action file filename

Explanation: This event is generated whenever a client uploads or downloads a
file from the FTP  server. src_ifc The interface where the client resides. src_ip The
IP address of the client. src_port The client port. dst_ifc The interface where
the server resides. dst_ip The IP address of the FTP server. dst_port The server
port. username The FTP username. action The stored/retrieved actions. filename The
file stored or retrieved.

Recommended Action: None.

HTH

Regards
Ganesh.H



Take a look at these defects: CSCdv33495, CSCsc44193, CSCeg52090 and CSCea77053 in this link: http://tools.cisco.com/Support/BugToolKit

Please upgrade to the latest interim in the 6.3 train.

-KS




I'm going to upgrade the PIX in the next few days.

Just for the information of everyone reading this thread: after removing the access-list controlling traffic from inside to outside, the problem disappears.

                                                                               Regards

                                                                               Alberto Brivio
