Can not access inside ftp server from outside

saidap
Level 1

My configuration (not working):

name 10.0.0.204 VMW2KP

access-list inside_access_in permit ip any any

access-list outside_access_in permit ip any any

ip address outside 201.134.44.213 255.255.255.240

ip address inside 10.0.1.211 255.255.0.0

global (outside) 1 201.134.44.212

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 201.134.44.214 ftp VMW2KP ftp netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

Ideas? The PIX has a fine connection to the internet, and the default gateway on the FTP server (VMW2KP) is the PIX.

I do not understand...

thanks.

4 Replies

mheusinger
Level 10

Hello,

FTP in fact uses two ports. The first is TCP 21 (=ftp) for the control connection, where a user authenticates, lists directories, etc.

Second, for data transmission you also need TCP 20 (=ftp-data), as the file transfer with active FTP will use this port.

You have to forward both ports to the Server to have a chance to get FTP working.

Hope this helps! Please rate all posts.

Martin

jackko
Level 7

Apply the static statement below:

static (inside,outside) tcp 201.134.44.214 20 VMW2KP 20 netmask 255.255.255.255 0 0

clear xlate local VMW2KP

The reason is that with active FTP, the client initiates the connection with destination port 21, and then the server initiates the data channel with source port 20. Thus the above static is required.

Further, the ACL outside_access_in should be restricted after the issue is resolved. In order to permit this FTP operation:

access-list outside_access_in permit tcp any host <201.134.44.214> eq ftp

Alternatively, if the FTP server is running passive FTP, then the inbound ACL should be:

access-list outside_access_in permit tcp any host <201.134.44.214> gt 1023
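
As an added example (not part of this thread and not Cisco's own tooling), the following Python script parses the kinds of `name`, `static`, `access-list` and `access-group` lines quoted in this thread and reports what Martin's and jackko's replies describe: whether the control channel (21/tcp) and the active-mode data channel (20/tcp) are both forwarded to the same global address, and whether the inbound ACL on the outside interface would admit passive-mode data connections on ports above 1023. The two sample configs are constructed from the lines posted above; the parser assumes only the simple line shapes seen here (tcp statics with `(inside,outside)`, ACEs using any/host/eq/gt/lt/range) and nothing beyond them.

```python
"""Audit PIX-style port-redirection statics and inbound ACLs for FTP.

Added example, not from the thread or from Cisco. Parses the config line
shapes seen in the discussion above and reports which FTP channels the
config would admit.
"""

# Constructed from the original question's config (control port only).
ORIGINAL_CONFIG = """
name 10.0.0.204 VMW2KP
access-list outside_access_in permit ip any any
static (inside,outside) tcp 201.134.44.214 ftp VMW2KP ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# Constructed: the same config plus the 20/tcp static and the restricted
# ACL from jackko's reply.
FIXED_CONFIG = """
name 10.0.0.204 VMW2KP
access-list outside_access_in permit tcp any host 201.134.44.214 eq ftp
static (inside,outside) tcp 201.134.44.214 ftp VMW2KP ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 201.134.44.214 20 VMW2KP 20 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

PORT_NAMES = {"ftp": 21, "ftp-data": 20}  # the only service names used here


def port_num(token):
    """Convert 'ftp', 'ftp-data' or a numeric string to an integer port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _take_addr(tokens):
    """Consume one address spec (any | host A | NET MASK); return (addr, rest)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return tokens[0], tokens[2:]  # network + mask; keep the network only


def parse_pix_config(text):
    """Collect name aliases, tcp statics, ACL entries and inbound access-groups."""
    names, statics, acls, inbound = {}, [], {}, {}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name":
            names[p[2]] = p[1]  # alias -> IP
        elif p[0] == "static" and p[2] == "tcp":
            # static (in,out) tcp GLOBAL_IP GPORT LOCAL LPORT netmask ...
            statics.append({"global_ip": p[3], "global_port": port_num(p[4]),
                            "local_ip": names.get(p[5], p[5]),
                            "local_port": port_num(p[6])})
        elif p[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC DST [eq|gt|lt PORT | range A B]
            name, action, proto = p[1], p[2], p[3]
            _src, rest = _take_addr(p[4:])
            dst, rest = _take_addr(rest)
            op, ports = (rest[0], tuple(port_num(t) for t in rest[1:3])) if rest else (None, ())
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto, "dst": dst, "op": op, "ports": ports})
        elif p[0] == "access-group":
            inbound[p[4]] = p[1]  # access-group NAME in interface IFACE
    return {"statics": statics, "acls": acls, "inbound": inbound}


def ace_permits(ace, ip, port):
    """True if this entry lets TCP traffic to ip:port through."""
    if ace["action"] != "permit" or ace["proto"] not in ("ip", "tcp"):
        return False
    if ace["dst"] not in ("any", ip):
        return False
    op, ports = ace["op"], ace["ports"]
    if op is None:
        return True
    if op == "eq":
        return port == ports[0]
    if op == "gt":
        return port > ports[0]
    if op == "lt":
        return port < ports[0]
    if op == "range":
        return ports[0] <= port <= ports[1]
    return False


def audit_ftp_forwarding(text, global_ip):
    """Report what the config does for an FTP server published on global_ip."""
    cfg = parse_pix_config(text)
    acl = cfg["acls"].get(cfg["inbound"].get("outside", ""), [])
    forwarded = {s["global_port"] for s in cfg["statics"] if s["global_ip"] == global_ip}

    def allowed(port):
        return any(ace_permits(a, global_ip, port) for a in acl)

    return {
        # Client -> server on 21: needs the static and an inbound ACL hit.
        "control": 21 in forwarded and allowed(21),
        # Active mode: the server opens the data channel from source port 20,
        # so port 20 needs its own translation to the same global address.
        "active_data_static": 20 in forwarded,
        # Passive mode: the client connects inbound to a port > 1023. This
        # checks the ACL only; translating those high ports is assumed to be
        # left to the FTP fixup, as cairnsm's reply suggests (assumption).
        "passive_data_acl": allowed(1024) and allowed(65535),
    }


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_ftp_forwarding(cfg, "201.134.44.214"))
```

Run against the original question's config, the audit shows the control channel forwarded but no 20/tcp static, which is exactly the gap the replies point at; the fixed config closes it and, with the tightened ACL, no longer admits arbitrary high ports inbound.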

cairnsm
Level 1

When doing port redirection on a PIX, be sure to add a NAT and Global for the specific inside host so it will match the outside address in your static. I have always needed to do this for inbound traffic to work, even though you don't need it for a regular static. You should add the following:

global (outside) 2 201.134.44.214

nat (inside) 2 10.0.0.204 255.255.255.255 0 0

You may not need the static for the data port if you are running fixup for FTP. I usually do this for redirecting SMTP to a filter and have not tried it for FTP.

Mark

saidap
Level 1

Thanks, mheusinger, cairnsm, jackko!

The fix was:

no sysopt noproxyarp outside