Configuring an FTP Server behind Cisco

briankrontz
Level 1

I'm trying to configure Serv-U to run in passive mode behind a Cisco ASA 5505. What is the proper way to do this?

44 Replies

cisco24x7,

> Is this something you've tested and verified that it works or is it just an "educated" guess on your part?

It was an "educated" guess on my part, but what you said got me thinking and I'm embarrassed to say that the guess wasn't so "educated" and you were right and I was wrong...

> When you enable "fixup protocol ftp 21" or ftp inspection, the ACL "access-list inside_in deny tcp any any eq 20" will become useless when there is NAT.

You are absolutely correct in that as soon as you enable fixup protocol ftp, the ACL becomes useless because as soon as the PIX sees in the FTP control session that a session for data is being created it will create a connection for that session. The session will contain all the endpoint information (port 20 of the server to port > 1024 of the client). Because ACLs are not checked when a connection is already built in the PIX, then, as you so eloquently pointed out, the "deny tcp eq 20 any" will not block the data connection.

My apologies for muddying the waters here; you were right.

The only part that I still don't follow is why you keep mentioning NAT. One thing is access control (handled by ACLs and protocol fixups) and another NAT. Why do you throw NAT into the mix? Even if we were using nat 0 (no NAT) or identity NAT, things should still work as we've discussed. Are you saying that things will work different when using nat 0 or identity NAT?

Cheers,

Eloy Paris.-

FTP_Server---(i)--Pix---(o)----FTP_client

FTP_Server = 192.168.1.10/24
Pix inside = 192.168.1.1/24
Pix outside = 1.1.1.1/24
FTP_client = 1.1.1.2/24

FTP_client has its default gateway pointing to 1.1.1.1, which is the Pix outside interface.

Let's say that you're NOT doing any NAT on the Pix, just simply routing through the Pix:

no nat-control

Requirements:

Allow only Passive FTP through the firewall.

In this situation, it definitely works with this configuration:

no fixup protocol ftp 21
access-list External permit tcp any host 192.168.1.10 eq 21 log
access-list External permit tcp any host 192.168.1.10 gt 1024 log
access-list Internal deny tcp host 192.168.1.10 eq 20 any log
access-list Internal permit ip any any log
access-group External in interface outside
access-group Internal in interface inside

When you disable NAT on the Pix and just route through the Pix, you can control Active/Passive FTP through the firewall. However, as soon as you enable "fixup protocol ftp 21", you will not be able to control Active/Passive FTP. As a matter of fact, when you have NAT enabled, if you disable fixup, FTP will fail to work altogether.

Is that clear?

> In this situation, it definitely works with this configuration:
>
> no fixup protocol ftp 21

[...]

Of course, you are disabling the fixup but are manually poking holes in the access lists. This is for sure a valid workaround but is not secure because now the FTP server is not protected on ports > 1024.

> When you disable NAT on the Pix and just route through the Pix, you can control the Active/Passive FTP through the firewall.

I assert that you can do this with NAT enabled. The key is disabling the FTP fixup and manually poking holes in the firewall.

> However, as soon as you enable "fixup protocol ftp 21", you will not be able to control Active/Passive FTP.

Correct, because then the fixup will automatically create the necessary connection, therefore bypassing any access list entries one may have created to control active/passive FTP.

> As a matter of fact, when you have NAT enabled, if you disable fixup, FTP will fail to work altogether.

This is the part where I still don't follow - when you have NAT enabled or when you have NAT disabled, FTP will fail to work when you disable the fixup. You need the fixup for FTP to work, with NAT or no NAT, if you don't want to manually poke holes in the access lists. Why do you say that NAT has an influence on whether the fixup works?

Using the same question you posed to me earlier - did you test that disabling/enabling NAT has any effect on whether you can control Active/Passive FTP through the firewall, or it is just an educated guess? ;-)

Cheers,

Eloy Paris.-

>I assert that you can do this with NAT enabled. The key is disabling the FTP fixup and manually poking holes in the firewall.

This is NOT true. You do not have to take my word for it. Just ask your colleagues at Cisco Systems and they can explain it to you better than I can.

> This is the part where I still don't follow - when you have NAT enabled or when you have NAT disabled, FTP will fail to work when you disable the fixup. You need the fixup for FTP to work, with NAT or no NAT, if you don't want to manually poke holes in the access lists. Why do you say that NAT has an influence on whether the fixup works?
>
> Using the same question you posed to me earlier - did you test that disabling/enabling NAT has any effect on whether you can control Active/Passive FTP through the firewall, or it is just an educated guess? ;-)

I don't tell people things that I've not tried and tested myself. In other words, I tested this myself and that's what I observed. If you ask Cisco TAC, they will tell you the same thing I am telling you.

> If you ask Cisco TAC, they will tell you the same thing I am telling you.

Just tell me what configuration is the one you are positive doesn't work when NAT is enabled and I'll test or ask. Is it the one you posted in a previous message, the one where you had "no nat-control"? If that is the case then what you are positive would not work is adding "nat-control" and the corresponding static for the FTP server but keeping the fixup disabled and the access lists as you had them, is that correct?

I'll actually post the config here to make sure we're on the same page:

nat-control
static (inside,outside) 1.1.1.3 192.168.1.10
no fixup protocol ftp 21
access-list External permit tcp any host 192.168.1.10 eq 21 log
access-list External permit tcp any host 192.168.1.10 gt 1024 log
access-list Internal deny tcp host 192.168.1.10 eq 20 any log
access-list Internal permit ip any any log
access-group External in interface outside
access-group Internal in interface inside

Is this the configuration you tested and found that doesn't work?

Thanks.

That's my configuration, and that ACL is much more wide open than yours, and it still does not work:

access-list External extended permit icmp any any log
access-list External extended permit tcp any any eq ftp log
access-list External extended permit ip any any log

[Expert@P1-NGx]# ftp 1.1.1.1
Connected to 1.1.1.1 (1.1.1.1).
220 (vsFTPd 1.2.0)
Name (1.1.1.1:root): admin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Switching to Binary mode.
ftp> prompt
Interactive mode off.
ftp> hash
Hash mark printing on (1024 bytes/hash mark).
ftp> passive
Passive mode on.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.

In other words, both Active and Passive FTP do not work.

This is a KNOWN issue with Cisco Pix/ASA firewalls. I am surprised you don't know this, and I work for Checkpoint -:). Funny!!!!

Thanks cisco24x7, I'll give this a try.

Did that FTP session to 1.1.1.1 in the above post work, i.e. did the directory listing actually come? If so, did you get it to work because you put "no nat-control" in place?

> This is a KNOWN issue with Cisco Pix/ASA firewalls.

"Known" as in there is a Cisco bug ID for this, or just as in "everybody but eloy paris knows and lives with it"?

> I am surprised you don't know this, and I work for Checkpoint -:). Funny!!!!

Well, what can I say, one can't know everything ;-)

Seriously, though, I used to be in the RTP TAC in the security team. It's been almost three years since I left to do something else at Cisco. Never heard of this problem, and what you describe goes against what I know about the product, which is why I am so curious and eager to get to the bottom of this. Not saying I don't believe you, just that I am surprised the product behaves like that.

Cheers!

"no nat-control" just turns the Pix into a router, that's all. No more, no less. Back in the 6.3.x version, in order to go from high to low, you had to explicitly define "static (i,o) 192.168.1.0 192.168.1.0 netmask 255.255.255.0". In version 7.x, that is not needed.

If you disable NAT and have "no fixup", you can control Active/Passive FTP through the firewall. However, the minute you enable "fixup ftp", you will lose that control.

If you have NAT and you have "no fixup ftp", both Active and Passive FTP will not work across the firewall. By NAT, I mean this:

static (i,o) 1.1.1.10 192.168.1.10 net /32

I don't know how to make it any clearer.

You're not the first CCIE from Cisco who was confused by this. I got the same response from 3 different CCIE SEs from Cisco. When I asked them about this, they had no idea what I was talking about. When I showed them what I've observed, their response was "interesting".

David,

Could you get in touch with me via my Cisco email address: elparis@cisco.com?

I've set this up in a lab and would like to share the results with you. We could do it here but I feel it's better to sort things out in private email and then summarize the findings for the benefit of other forum members since the discussion here in the forum is getting long, and personally I'd like to avoid hijacking Brian's thread any longer.

Thanks,

Eloy Paris.-

"Did that FTP session to 1.1.1.1 in the above post work, i.e. did the directory listing actually come? If so, did you get it to work because you put "no nat-control" in place? "

Did it work with Cisco Pix? NO.

Did it work with Checkpoint firewall? Yes

Hi... thanks for all of the replies, but I feel like my question has been taken over. Could anyone please dumb this conversation down for my issue and explain to me in plain English whether or not I'm going to be able to get active and passive working at the same time? It's still broken... please take a moment to help me.

You are absolutely right; we hijacked your thread. My apologies for that.

Please send the current config and tell us the private and public IP addresses of the FTP server and we'll take a look.

Cheers,

Eloy Paris.-

I'm confused then. Why don't you think I'm having any luck with Passive if I've configured ports on the software and firewall for that purpose.

We may end up placing the FTP server in a DMZ and opening up incoming 1024+. What do you think of that idea? Is that a terribly insecure idea?

Did you remove the static command I mentioned yesterday that didn't look right, since it was using the IP of the outside interface as the global IP?

What is the private (inside) and public (outside) IP of the FTP server?

I didn't see anything wrong other than the static but can you post your configuration again?

I think the issue with that was due to my changing all of the different external ip's to the same number... I'll post my config again when I have it. Thanks!
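As an added example (editor's own, not configuration from the thread, from Cisco or from Serv-U), here is how the two approaches argued above look for the original Serv-U-behind-ASA-5505 question in pre-8.3 ASA syntax, with NAT enabled; the inside address 192.168.1.10, the public address 1.1.1.3 and the Serv-U passive range 50000-50100 are assumed values, and on 8.3+ the NAT syntax and the ACL addressing (real instead of mapped IP) differ.

```cisco
! Added example, not from the thread. Assumed (constructed) values:
!   FTP server inside 192.168.1.10, mapped to public 1.1.1.3
!   Serv-U passive data port range 50000-50100
!
! === Variant A: keep FTP inspection, permit only the control port ===
! With NAT the PASV reply from the server carries its inside address
! (192.168.1.10). The inspection engine rewrites it to 1.1.1.3 and opens a
! pinhole for exactly that one data connection, so no "gt 1024" rule is
! needed and the server's other high ports stay closed from outside.
! Active mode is handled the same way (PORT command, server -> client:20).
static (inside,outside) 1.1.1.3 192.168.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 1.1.1.3 eq ftp
access-group outside_in in interface outside
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
!
! === Variant B: no FTP inspection, explicit but narrow holes ===
! Without inspection nothing rewrites the PASV reply, so Serv-U itself must
! be configured to advertise 1.1.1.3 as its passive address and to use only
! 50000-50100; the ACL then permits that range rather than all ports > 1024.
! Active mode cannot work here: the data connection would be server -> client
! with a private address embedded in PORT, which no rule or rewrite handles.
policy-map global_policy
 class inspection_default
  no inspect ftp
static (inside,outside) 1.1.1.3 192.168.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 1.1.1.3 eq ftp
access-list outside_in extended permit tcp any host 1.1.1.3 range 50000 50100
access-group outside_in in interface outside
```

Variant A is what gives both active and passive mode at once, which is what the original question asked for; Variant B is the manual-hole approach from the thread with the exposure reduced to the advertised passive range.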
