ftp server - passive mode with static ports



This is my second post regarding the same topic. I am working with the Cisco engineer on this case but we're still playing phone tag. So, I just want to post my config to everyone for review.


A Serv-U ftp server sits behind the pix firewall on subnet 192.168.1.x. The ftp server IP is . The Serv-U ftp server is set to do passive mode on the range of ports from 60000 to 60040. I want to config the pix to handle all things pertaining to the ftp.

Here's my configuration with a few modifications for security.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name MYDOMAIN.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
object-group service passive_mode tcp
port-object range 60000 60040
access-list inside_access_in permit ip any
access-list FTPonly permit tcp any host eq ftp
access-list FTPonly permit tcp any host eq 8200
access-list FTPonly permit tcp any host eq 8016
access-list FTPonly permit tcp any host eq 10019
access-list FTPonly permit tcp any interface outside object-group passive_mode
access-list vpn_access permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 222.x.x.x.x.255.224
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn_access
nat (inside) 1 0 0
static (inside,outside) tcp ftp ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 8200 8200 netmask 255.255.255.255 0 0
static (inside,outside) tcp 8016 8016 netmask 255.255.255.255 0 0
static (inside,outside) tcp 10019 10019 netmask 25 0 0
static (inside,outside) tcp 60000 60000 netmask 25 0 0
static (inside,outside) tcp 60001 60001 netmask 25 0 0
static (inside,outside) tcp 60002 60002 netmask 25 0 0
static (inside,outside) tcp 60003 60003 netmask 25 0 0
static (inside,outside) tcp 60004 60004 netmask 25 0 0
static (inside,outside) tcp 60005 60005 netmask 25 0 0
static (inside,outside) tcp 60006 60006 netmask 25 0 0
static (inside,outside) tcp 60007 60007 netmask 25 0 0
.....up to 60040
access-group FTPonly in interface outside
access-group inside_access_in in interface inside
route outside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable




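As an added check, not code from the thread or from Cisco: a small Python script that reads a PIX 6.3 config written in the style of the post above and reports passive ports that the object-group advertises but that have no matching static, statics that forward an outside port to a different inside port, and whether an ACL permitting the object-group is actually bound to the outside interface. The config text is a constructed sample: 192.168.1.10 stands in for the stripped server address, the `interface` keyword is assumed for the global side of each static, and the range is shortened to 60000-60004.

```python
import re

# Constructed sample in the style of the poster's config (not his actual config:
# the page has his addresses stripped, so 192.168.1.10 is a placeholder and the
# passive range is shortened). Note 60002 and 60004 have no static, and 60003
# is forwarded to inside port 60002.
SAMPLE_CONFIG = """\
object-group service passive_mode tcp
 port-object range 60000 60004
access-list FTPonly permit tcp any interface outside eq ftp
access-list FTPonly permit tcp any interface outside object-group passive_mode
static (inside,outside) tcp interface ftp 192.168.1.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 60000 192.168.1.10 60000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 60001 192.168.1.10 60001 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 60003 192.168.1.10 60002 netmask 255.255.255.255 0 0
access-group FTPonly in interface outside
"""

PORT_NAMES = {"ftp": 21}  # PIX accepts service names in place of port numbers

def port_num(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]

def passive_range(cfg):
    """Return (low, high) from the tcp service object-group's port-object range."""
    m = re.search(r"object-group service \S+ tcp\n\s*port-object range (\d+) (\d+)", cfg)
    if not m:
        raise ValueError("no tcp object-group with a port-object range found")
    return int(m.group(1)), int(m.group(2))

# static (inside,outside) tcp <global_ip|interface> <gport> <local_ip> <lport> netmask ...
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp \S+ (\S+) \S+ (\S+) netmask", re.M)

def static_port_map(cfg):
    """Map each outside (global) TCP port to the inside (local) port it forwards to."""
    return {port_num(g): port_num(l) for g, l in STATIC_RE.findall(cfg)}

def check_passive_statics(cfg):
    """Return (missing, remapped): passive ports with no static, and passive ports
    whose outside port differs from the inside port. Serv-U advertises its own
    port number in the PASV reply, so a remapped port deserves a second look."""
    lo, hi = passive_range(cfg)
    statics = static_port_map(cfg)
    missing = [p for p in range(lo, hi + 1) if p not in statics]
    remapped = sorted((g, l) for g, l in statics.items() if lo <= g <= hi and g != l)
    return missing, remapped

def acl_applied_outside(cfg):
    """True if an ACL that permits the passive object-group is bound inbound on outside."""
    og = re.search(r"object-group service (\S+) tcp", cfg).group(1)
    acls = re.findall(r"^access-list (\S+) permit tcp .*object-group %s$" % re.escape(og), cfg, re.M)
    return any(re.search(r"^access-group %s in interface outside$" % re.escape(a), cfg, re.M) for a in acls)

if __name__ == "__main__":
    print("passive ports without a static:", check_passive_statics(SAMPLE_CONFIG)[0])
    print("passive ports forwarded elsewhere:", check_passive_statics(SAMPLE_CONFIG)[1])
    print("passive ACL bound on outside:", acl_applied_outside(SAMPLE_CONFIG))
```

Run it against a `show run` capture instead of SAMPLE_CONFIG to see which of the 60000-60040 statics are really present.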
Patrick Laidlaw Mon, 01/23/2006 - 16:50


So is there a specific problem you have and want answered or are you trying to just verify that your configuration is correct?

At first glance I see that you have your statics set up for each of the ports. You have your access-list in place for your ports. So that portion looks correct.



When the pix is in use, the internal users behind the firewall could not ping addresses on the outside. I had to add the following entry:

access-list outside_access_in permit ip any any

access-group outside_access_in in interface outside

But I have another problem. When the pix is used for internet access on the network with 20+ computers, the pix goes down. When I tested with a few computers connecting to the internet, the pix works fine. It seems the flow of traffic between eth0 and eth1 is not smooth.

Or is it that the pix might be defective?



Patrick Laidlaw Tue, 01/24/2006 - 13:32


A couple of years ago there was a hardware issue in a group of pixes which would make them freeze up as soon as they started getting any kind of real load. I can't find the url that allowed you to put the serial number in to see if your pix was possibly affected by this.

Before calling it a faulty pix I would upgrade to the latest Pix version either 6.3.5 or 7.0.4 depending on how much flash/memory you have.

For your ping issues you can permit just icmp in. Also, depending on which version you're running, you can just use the icmp command.

Option A

access-list outside_access_in permit icmp any any

access-group outside_access_in in interface outside

Option B

icmp permit any any outside


Hope this helps.

