Cisco Support Community
Community Member

CSS & Pix problem with FTP


I am testing a CSS 11501 which I have added to my network behind a pix 515 firewall. Using static commands, the pix sends www traffic to one server and ftp to another. Now that I have introduced the CSS, the pix sends the packets to VIP addresses on the CSS, which in turn sends them to the intended server, or a sorry server in the event of a failure.

The www side is working very well, but I am having trouble with ftp. I am able to connect to the ftp server, but when I try to transfer files from a web application, the pix is dropping the packets and throws error # 406002 (FTP port command different address on interface inside). Here is a snip from the pix log:

305011: Built static TCP translation from inside: to outside:

302013: Built inbound TCP connection 74 for outside: ( to inside: (

406002: FTP port command different address: to on interface inside

302014: Teardown TCP connection 74 for outside: to inside: duration 0:00:01 bytes 269 Deny

106015: Deny TCP (no connection) from to flags PSH ACK on interface outside

... = Client initiating FTP conn. and transfer = VIP of ftp service on CSS = FTP server

I am pretty new to all of this stuff, but if I read this correctly, the pix does not like the fact that the packets from the FTP server appear to be coming from another address, which is in this case the VIP address of the ftp service on the CSS. I honestly don't know if I need to change the config on the pix or the css...or both for that matter.

Any help is appreciated.


Community Member

Re: CSS & Pix problem with FTP

This can happen if the NAT engine that the client is going through is not NATing the IP address in the data payload as it should, and therefore when the client pushes the PORT command, the IP address in the data payload does not match what the PIX has stored for this Fixup FTP connection, and it then denies the data connection from this FTP client.
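The mismatch described in this reply, as an added example that is not part of the original thread and is not Cisco's code: a sketch of the comparison an FTP-inspecting device makes between the address carried inside a PORT command and the source address it sees on the packet. The function names are hypothetical and the addresses are constructed documentation-range values.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): address and port travel as decimal bytes
# inside the control-channel payload, so header-only NAT leaves them untouched.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)


def parse_port(line):
    """Return (IPv4Address, port) from a PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def check_port(line, packet_src):
    """Classify a control-channel line against the packet's source address.

    Returns "not-port", "ok", or "mismatch" (the condition the 406002 log
    message in this thread reports).
    """
    parsed = parse_port(line)
    if parsed is None:
        return "not-port"
    ip, _port = parsed
    return "ok" if ip == ipaddress.IPv4Address(packet_src) else "mismatch"


if __name__ == "__main__":
    # Constructed samples: (payload line, source address seen by the inspector).
    samples = [
        # Header and payload agree: data connection would be allowed.
        ("PORT 192,0,2,10,19,137", "192.0.2.10"),
        # Header was translated to 198.51.100.20 but the payload was not.
        ("PORT 192,0,2,10,19,137", "198.51.100.20"),
        # Not a PORT command, nothing to compare.
        ("USER anonymous", "192.0.2.10"),
    ]
    for line, src in samples:
        print(f"{src:15} {line:28} -> {check_port(line, src)}")
```

When reading a capture taken on the firewall's inside interface, the same comparison can be done by eye: the four leading numbers in the PORT argument should equal the packet's source address.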
