6509 FWSM and FTP outbound Passive

gturrubicec
Level 1

I am trying to configure, or find out why, FTP passive outbound is not working. What can I check to verify my configuration? I am trying to provide a subnet FTP access and passive FTP on an FWSM.

thanks,

16 Replies

ethiel
Level 3

If you are running newer code, do you have a command "inspect ftp" or if it is older do you have "fixup ftp" enabled? I assume you are allowing inside host to outside host eq 21? Those should be the 2 key steps.

-Eric

Please remember to rate all helpful posts.

I am running 2.3(4) code on my FWSM, and fixup ftp is enabled. I want to be able to allow any and all hosts outbound to the internet for active and passive FTP.

I permitted a subnet of systems to be able to ftp out, but when the passive session occurs it fails. Any ideas? Here are the ACL and the object group below.

object-group service INET-ACCESS-UDP udp
 port-object eq ntp
 port-object eq www
 port-object eq 4043
 port-object eq 5700
 port-object eq 7896
 port-object range 1024 65535
 port-object eq 21
 port-object range 1023 65535

access-list INSIDE extended permit udp 10.241.136.0 255.255.255.0 any object-group INET-ACCESS-UDP

Ok, there's the issue. FTP is actually TCP, so if you add a rule allowing tcp any any eq ftp you should be ok.

-Eric

Please remember to rate all helpful posts.

So I can add the following

access-list extended INSIDE permit tcp 10.241.136.0 255.255.255.0 eq ftp any?

Exactly. give it a shot and let us know.

-Eric

Eric,

No luck. I tried to ftp to a site and that works, but when I try to perform any command like get, dir or ls I receive a message that says the command is not allowed and the session dies.

Gerry

hi guys,

I think there is a mistake in the access-list

access-list extended INSIDE permit tcp 10.241.136.0 255.255.255.0 eq ftp any?

it should be:

access-list extended INSIDE permit tcp 10.241.136.0 255.255.255.0 any eq ftp?

very easy to overlook, must admit :)

it will then work I am sure, if ftp inspection is configured it will create a dynamic opening in this inbound access list for the data channel from the client to server (in PFTP)

Let us know if it works

Rafal is exactly correct. Sorry I overlooked that mixup yesterday.

- Eric

Sorry, but I entered the ACL in the forum incorrectly; I actually have it correct in the FWSM and it still does not work.

access-list INSIDE extended permit tcp 10.241.136.0 255.255.255.0 any eq ftp

any ideas?

Gerry

Here is the INSIDE ACL

access-list INSIDE extended permit icmp any any object-group ICMP
access-list INSIDE extended permit ip object-group BACKEND-ACCESS-TO-PUB object-group PUB-SEGMENT
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 object-group SMTP-BRIDGEHEADS eq smtp
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 object-group PUB-DNS-FORWARD eq domain
access-list INSIDE extended permit udp 10.0.0.0 255.0.0.0 object-group PUB-DNS-FORWARD eq domain
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 10.0.32.0 255.255.252.0 object-group WEB-SERVICES
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 10.0.13.0 255.255.255.0 eq tftp
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 139.61.142.0 255.255.255.0 eq tftp
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 10.0.13.0 255.255.255.0 eq snmptrap
access-list INSIDE extended permit udp 10.0.0.0 255.255.0.0 10.0.13.0 255.255.255.0 eq syslog
access-list INSIDE extended permit tcp object-group VPN-SEGMENT 10.0.13.0 255.255.255.0 eq telnet
access-list INSIDE extended permit tcp object-group VPN-SEGMENT 10.0.13.0 255.255.255.0 eq ssh
access-list INSIDE extended permit tcp object-group VPN-SEGMENT 10.0.36.0 255.255.252.0 eq 3389
access-list INSIDE extended permit tcp 10.0.40.0 255.255.255.0 10.0.36.0 255.255.252.0 object-group SAN-IN
access-list INSIDE extended permit tcp 10.0.20.0 255.255.252.0 any eq 4043
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 10.0.38.0 255.255.255.0 eq smtp
access-list INSIDE extended permit udp 10.0.22.0 255.255.255.0 139.61.142.0 255.255.255.0 eq snmptrap
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 object-group AUTH-SERVERS eq tacacs
access-list INSIDE extended permit udp 10.0.0.0 255.0.0.0 any object-group INET-ACCESS-UDP
access-list INSIDE extended permit tcp 10.0.0.0 255.0.0.0 any object-group INET-ACCESS
access-list INSIDE extended permit ip 10.1.0.0 255.255.0.0 any
access-list INSIDE extended permit tcp any 10.0.50.0 255.255.255.0 object-group ACCESS-TO-SECDMZ
access-list INSIDE extended permit tcp host 10.0.21.26 any
access-list INSIDE extended permit tcp any 10.0.40.0 255.255.255.0 object-group INET-ACCESS
access-list INSIDE extended permit udp 10.245.0.0 255.255.0.0 139.61.142.0 255.255.255.0 eq tftp
access-list INSIDE extended permit tcp 10.241.136.0 255.255.255.0 any eq ftp

To me everything is OK. What symptoms are you getting exactly? In one of the posts you said that you can connect but the commands are denied. That looks more like a server problem. If there was a problem with the firewall, you would be able to connect and execute the commands but you would not see the results if the data connection could not be established. For PFTP you would not even need fixup were it not for the INSIDE access list, as both control and data connections are initiated by the client from the inside. (You could even take it off for a while to test it.)

Is ftp fixup definitely configured on the default port 21?

This is the message I receive when trying to ftp to ftp.cisco.com

550 Permission denied: PORT not allowed here
150 Opening ASCII mode data connection for file list

Gerry

something is very strange here

1. the server tells you that you are not allowed to use the PORT command, which you would not use in the passive mode anyway.

2. Why wouldn't you be able to use the LIST command in the public folder of cisco.ftp? No idea.

3. As you can see, the data connection is established. You can definitely say that your firewall works fine and is NOT a problem.

It seems that for some reason you actually switch to active mode which uses PORT command to tell the server where to establish data connection to. I tried switching to active mode while connected and get the same error.

Make sure you are using PFTP and not trying to execute PORT command which cisco.ftp does not like :)

Rafal
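The dynamic opening Rafal describes for the data channel, and the active-versus-passive distinction behind the "550 ... PORT not allowed" reply, as an added example that is not part of the thread and not Cisco code: a small Python model of what the FWSM's FTP fixup does with the control channel and how the inside ACL interacts with it. The client and server addresses, the simplified ACL entries and the two FTP session transcripts are constructed for illustration; the model also assumes the outside interface ACL denies unsolicited inbound TCP, as is usual.

```python
import re
from ipaddress import ip_address, ip_network

# Toy model of FTP inspection ("fixup protocol ftp 21" on the FWSM): the
# firewall reads PORT commands and 227 replies on the TCP/21 control channel
# and opens a pinhole for exactly the data connection they announce.
# Added example; the hosts, ACL entries and session transcripts are constructed.

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 (PORT / 227 encoding) -> ("h1.h2.h3.h4", p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(session, client_ip, server_ip):
    """Walk control-channel lines [(side, text), ...] and return the data
    connection implied by the most recent PORT or 227 reply, or None.
    passive: the client connects out to the address/port the server announced.
    active:  the server connects back (from port 20) to the client's port."""
    conn = None
    for side, text in session:
        if side == "C" and (m := PORT_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            conn = {"mode": "active", "src": server_ip, "dst": ip, "dport": port}
        elif side == "S" and (m := PASV_RE.match(text)):
            ip, port = decode_hostport(m.groups())
            conn = {"mode": "passive", "src": client_ip, "dst": ip, "dport": port}
    return conn


def acl_permits(acl, proto, src, dst, dport):
    """First-match lookup over (proto, src_net, dst_net, dport-or-None) entries;
    no match means deny, like the implicit deny at the end of an FWSM ACL."""
    for ent_proto, src_net, dst_net, port in acl:
        if (ent_proto == proto
                and ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and (port is None or port == dport)):
            return True
    return False


def ftp_outbound_allowed(acl, session, client_ip, server_ip, inspect_ftp):
    """Return (control_ok, data_ok, mode) for an inside client going out.
    The inside ACL must itself permit TCP/21; inspection then admits the
    announced data connection in either mode.  Without inspection, passive
    data passes only if the inside ACL happens to permit the high port, and
    active data (outside -> inside) is dropped.  Assumption: the outside
    interface ACL denies unsolicited inbound TCP."""
    control_ok = acl_permits(acl, "tcp", client_ip, server_ip, 21)
    if not control_ok:
        return False, False, None
    conn = data_connection(session, client_ip, server_ip)
    if conn is None:
        return True, False, None
    if inspect_ftp:
        return True, True, conn["mode"]
    if conn["mode"] == "passive":
        return True, acl_permits(acl, "tcp", conn["src"], conn["dst"], conn["dport"]), "passive"
    return True, False, "active"


CLIENT, SERVER = "10.241.136.25", "198.51.100.20"   # constructed hosts

# Constructed passive session: LIST after a 227 reply.
PASSIVE_SESSION = [
    ("C", "USER anonymous"), ("S", "230 Login successful."),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (198,51,100,20,195,89)."),
    ("C", "LIST"), ("S", "150 Opening ASCII mode data connection for file list"),
]
# Constructed active session: the client sent PORT and the server refused it.
ACTIVE_SESSION = [
    ("C", "USER anonymous"), ("S", "230 Login successful."),
    ("C", "PORT 10,241,136,25,4,1"),
    ("S", "550 Permission denied: PORT not allowed here"),
]

# The inside ACL as first posted: UDP only, so TCP/21 never matches.
ACL_UDP_ONLY = [("udp", "10.241.136.0/24", "0.0.0.0/0", None)]
# The ACL after adding "permit tcp 10.241.136.0 255.255.255.0 any eq ftp".
ACL_FIXED = ACL_UDP_ONLY + [("tcp", "10.241.136.0/24", "0.0.0.0/0", 21)]

if __name__ == "__main__":
    for label, acl, sess, insp in [
        ("udp-only ACL, passive, fixup on ", ACL_UDP_ONLY, PASSIVE_SESSION, True),
        ("fixed ACL,    passive, fixup on ", ACL_FIXED, PASSIVE_SESSION, True),
        ("fixed ACL,    passive, fixup off", ACL_FIXED, PASSIVE_SESSION, False),
        ("fixed ACL,    active,  fixup on ", ACL_FIXED, ACTIVE_SESSION, True),
    ]:
        print(label, ftp_outbound_allowed(acl, sess, CLIENT, SERVER, insp))
```

Three things the run makes visible. With the UDP-only object group the control connection itself never matches, so no FTP command can even be sent. With the TCP/21 entry plus fixup, both the passive high-port connection and the active connection back from the server are admitted through the pinhole; with fixup off, the passive data channel only gets through if the inside ACL already covers the high port. And the `550 ... PORT not allowed` reply can only be produced after the client has sent PORT, which means the client fell into active mode regardless of what the firewall did.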

When I try to ftp I just try executing ls, get or dir and I receive the message I sent you.
