outgoing FTP problem

Unanswered Question
Nov 16th, 2005

Can somebody help me figure out why my outgoing FTP connection doesn't work? Below is my PIX firewall config:


PIX# show runn
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password
passwd
hostname PIXxxx
domain-name xxxx.xxx
no fixup protocol dns
fixup protocol ftp strict 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any any eq ftp-data
access-list inbound permit tcp any any eq ftp
access-list inbound permit tcp any any eq ssh
access-list inbound permit tcp any any eq smtp
access-list inbound permit tcp any any eq telnet
access-list inbound permit tcp any any eq domain
access-list inbound permit tcp any any eq www
access-list inbound permit tcp any any eq 8080
access-list inbound permit esp any any
access-list inbound permit ah any any
access-list inbound permit gre any any
access-list inbound permit icmp any host x.x.x.x
access-list inbound permit udp any any eq 1701
access-list inbound permit icmp any host x.x.x.x
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq 3389
access-list inbound permit tcp any any eq 8000
access-list outbound permit tcp any any eq ftp
access-list outbound permit tcp any any eq ftp-data
access-list outbound permit tcp any any eq 8080
access-list outbound permit udp any any eq 10000
access-list outbound permit udp any any eq 4500
access-list outbound permit udp any any eq isakmp
access-list outbound permit tcp any any eq 8000
access-list outbound permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x x.x.x.x
ip address inside x.x.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x a.a.a.a netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x a.a.a.a netmask 255.255.255.255 0 0
access-group inbound in interface outside
access-group outbound in interface inside
router ospf 32
network x.x.x.x 255.255.255.0 area 1
log-adj-changes
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
snmp-server location xxx
snmp-server contact xx
snmp-server community xxxx
no snmp-server enable traps
floodguard enable
service resetinbound
service resetoutside
telnet x.x.x.x 255.255.255.0 inside
telnet x.x.x.x 255.255.255.0 inside
telnet timeout 15
ssh x.x.x.x x.x.x.x outside
ssh timeout 60
console timeout 0
terminal width 80
Cryptochecksum:xxxx
: end

alcher Thu, 11/17/2005 - 02:05

I removed the "strict" from fixup protocol ftp, but with no positive result; my outgoing FTP is still not working.

By the way, I use WISE-FTP and CuteFTP as my FTP clients.

alcher Thu, 11/17/2005 - 02:17

Below is the sample output from CuteFTP:

--------------------------
STATUS:> Getting listing "/pub/redhat/linux"...
STATUS:> Resolving host name ftp.redhat.com...
STATUS:> Host name ftp.redhat.com resolved: ip = 209.132.176.30.
STATUS:> Connecting to ftp server ftp.redhat.com:21 (ip = 209.132.176.30)...
STATUS:> Socket connected. Waiting for welcome message...
220 Red Hat FTP server ready. All transfers are logged. (FTP) [no EPSV]
STATUS:> Connected. Authenticating...
COMMAND:> USER anonymous
331 Please specify the password.
COMMAND:> PASS *****
230 Login successful.
STATUS:> Login successful.
COMMAND:> PWD
257 "/"
STATUS:> Home directory: /
COMMAND:> FEAT
211-Features:
EPRT
EPSV
MDTM
PASV
REST STREAM
SIZE
TVFS
211 End
STATUS:> This site supports features.
STATUS:> This site supports SIZE.
STATUS:> This site can resume broken downloads.
COMMAND:> REST 0
350 Restart position accepted (0).
COMMAND:> CWD /pub/redhat/linux
250 Directory successfully changed.
STATUS:> PWD skipped. Current dir: "/pub/redhat/linux".
COMMAND:> PASV
227 Entering Passive Mode (209,132,176,30,48,71)
COMMAND:> LIST
STATUS:> Connecting ftp data socket 209.132.176.30:12359...
ERROR:> Can't connect to remote server. Socket error = #10060.
425 Failed to establish connection.
421 Timeout.

em6557 Tue, 12/13/2005 - 17:30

Add this entry to your access list:

access-list outbound permit tcp any any gt 1024

This should solve the problem of connecting to passive FTP servers.
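Added example (not from the thread or from Cisco): it parses the 227 reply shown in the CuteFTP log above to recover the data port 12359 that the client then tries to reach, contrasts it with a hypothetical active-mode PORT command, and checks whether a PIX-style port operator such as gt 1024 covers that port. The rule evaluator is a simplified model of the access-list port match, not PIX code.

```python
import re

# Constructed samples for this example: the PASV reply is copied from the
# CuteFTP log in this thread; the PORT command is a hypothetical active-mode
# client command shown for contrast.
PASV_REPLY = "227 Entering Passive Mode (209,132,176,30,48,71)"
PORT_CMD = "PORT 10,1,1,25,200,15"

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)

def _endpoint(groups):
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("each h/p field must be 0-255")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def ftp_data_channel(line):
    """Return (mode, host, port) for the data connection implied by one
    control-channel line, or None. Passive: the client connects outbound to
    host:port. Active: the server connects inbound from tcp/20 to host:port."""
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        return ("passive",) + _endpoint(m.groups())
    m = PORT_RE.match(line)
    if m:
        return ("active",) + _endpoint(m.groups())
    return None

def pix_port_op(port, op, value):
    """Evaluate a PIX access-list port operator (eq, gt, lt, neq) for one port."""
    ops = {"eq": port == value, "gt": port > value,
           "lt": port < value, "neq": port != value}
    if op not in ops:
        raise ValueError(f"unsupported operator {op!r}")
    return ops[op]

def outbound_data_permitted(line, rules):
    """True if any (op, value) rule of the inside-to-outside ACL covers the
    destination port of the passive-mode data connection announced in line."""
    chan = ftp_data_channel(line)
    if chan is None or chan[0] != "passive":
        return False
    return any(pix_port_op(chan[2], op, value) for op, value in rules)
```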
