Re: Allowing only Passive FTP through the Pix 7.x firewall
Your problem is that in order for the pix to nat the port OR passive command, the inspect/fixup for ftp has to be on.
From your output:
227 Entering Passive Mode (10,102,160,20,4,222)
the first 4 numbers there are the IP address it sees for the port command. As you can see, it's the 10.x address, not the NAT address needed so the communication can work.
So turning on the inspect/fixup fixes that issue. However, once the fixup is on, active FTP is allowed as well. The only way to block active FTP from the server would be to deny its ability to initiate connections to anything greater than or equal to port 1024 (which seems to be what you've done in your DMZ access-list, though you may want to make it from all ports rather than just a source port of 20 to be absolutely certain, and change it to be gt 1023).
Please rate this message if it helps solve some or all of your issue/question