Good point havent seen the Subnet mask ...

:-(

example for port forwarding:

Remove old static:

no static (inside,outside) 201.238.69.204 192.168.0.2 netmask 255.255.255.255 0 0

no access-group 100 in interface outside

no access-list 100 permit tcp any host 201.238.69.204 eq ftp

access-list acl_out permit tcp any interface outside eq ftp

access-group acl_out in interface outside

static (inside,outside) tcp interface ftp 192.168.0.2 ftp netmask 255.255.255.255 0 0

clear xlate

sincerely

Patrick

Hi guys,

Thanks for all your help, i got it working the post you gave me. I can actually connect when i you the DOS clien, but I cant connect when i go in via a web browser.. After entering the username/pass, the browser displays "cannot display folder contents".

As I said if i go in through DOS it works. I checked the error on cisco's site and it comes down to the pix being out of memory. Did any of you come across this problem before ? My pix uses abt 12mbs out of 16 mbs of mem. Is this ok ?

Thanks

Don

Try enabling the fixup protocol.

fixup protocol ftp 21

Reference:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

fixup protocol ftp

Use the fixup protocol ftp command to specify the listening port or ports for the File Transfer Protocol (FTP). The following list describes the features and usage of this command:

•The PIX Firewall listens to port 21 for FTP by default.

•Mutliple ports can be specified.

•Only specify the port for the FTP control connection and not the data connection. The PIX Firewall stateful inspection will dynamically prepare the data connection as necessary. For example, the following is incorrect:

INCORRECT

fixup protocol ftp 21

fixup protocol ftp 20

and the following is correct:

CORRECT

fixup protocol ftp 21

•Use caution when moving FTP to a higher port. For example, if you set the FTP port to 2021 by entering fixup protocol ftp 2021 all connections that initiate to port 2021 will have their data payload interpreted as FTP commands.

The following is an example of a fixup protocol ftp command configuration that uses multiple FTP fixups:

:

: For a PIX Firewall with two interfaces

:

ip address outside 192.168.1.1 255.255.255.0

ip address inside 10.1.1.1 255.255.255.0

:

: There is an inside host 10.1.1.15 that will be

: exported as 192.168.1.15. This host runs the FTP

: services at port 21 and 1021

:

static (inside, outside) 192.168.1.15 10.1.1.15

:

: Construct an access list to permit inbound FTP traffic to

: port 21 and 1021

:

access-list outside permit tcp any host 192.168.1.15 eq ftp

access-list outside permit tcp any host 192.168.1.15 eq 1021

access-group outside in interface outside

:

: Specify that traffic to port 21 and 1021 are FTP traffic

:

fixup protocol ftp 21

fixup protocol ftp 1021

If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

The strict option in the fixup protocol ftp command performs two seperate functions:

•The strict option prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped.The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.

•The strict option also prevents the PIX from opening up return connections based solely on the information sent in the PORT command. The strict option enables the PIX to make sure a successful reply is sent from the server in addition to the PORT command before opening the connection. If an error is seen, the PORT command is ignored by the PIX and the connection is never established. This keeps the PIX from opening data connections for communication that will never occur.

sincerely

Patrick