Solved: ftp through two NAT...

Mikhail Chernyakov · ‎01-15-2006

Hello!

I have some trouble with these configuration:

We use 2 firewalls. PIX 515 attached to Internet with NAT (many to one NAT) enabled and MS ISA 2004 connected to PIX and LAN.

Clients that use ISA 2004 as WEB proxy receive following message:

ISA Server: extended error message :

200 Switching to Binary mode.

500 Illegal PORT command.

but client that use ISA as NAT have not any problem...

If i connect ISA directly to Internet (or use Zyxel Prestige with Single User Access instead PIX) the problem disappear.

The problem could be in features of working FTP-protocol?

What i should configure on PIX to resolve problem?

Thank you all!!!

mheusinger · ‎01-15-2006

Hello,

does this happen with clients using active FTP?

In this case try to use passive FTP - depending on the client software there are different ways to configure it on the clients.

Or does this happen in active and passive FTP connections?

Usually a "fixup protocol FTP 21" in the PIX solves the problems, though this should be in the PIX config by default.

Hope this helps! Please rate all posts.

Regards, Martin