Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Can not access inside ftp server from outside

my configuration (not working) :

name 10.0.0.204 VMW2KP

access-list inside_access_in permit ip any any

access-list outside_access_in permit ip any any

ip address outside 201.134.44.213 255.255.255.240

ip address inside 10.0.1.211 255.255.0.0

global (outside) 1 201.134.44.212

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 201.134.44.214 ftp VMW2KP ftp netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

ideas ? .... pix have fine connection with internet .... default gateway in the ftp server (VMW2KP) is the pix ....

i do not understand ...

thanks.

4 REPLIES

Re: Can not access inside ftp server from outside

Hello,

FTP uses infact two ports, which are first TCP 21 (=ftp) for a control connection, where a user authenticates himself, lists directories etc.

Second for data transmission you need also TCP 20 (=ftp-data), as the file transfer with active FTP will use this port.

You have to forward both ports to the Server to have a chance to get FTP working.

Hope this helps! Please rate all posts.

Martin

Gold

Re: Can not access inside ftp server from outside

apply the static statement below:

static (inside,outside) tcp 201.134.44.214 20 VMW2KP 20 netmask 255.255.255.255 0 0

clear xlate local VMW2KP

the reason being with active ftp, client initiates the connection with destination port 21, then server will initiate the data channel with source port 20. thus the above static is required.

further, the acl outside_access_in should be restricted after the resolution of the issue. in order to permit this ftp operation:

access-list outside_access_in permit tcp any host <201.134.44.214> eq ftp

alternatively, if the ftp server is running passive ftp, then the inbound acl should be:

access-list outside_access_in permit tcp any host <201.134.44.214> gt 1023

New Member

Re: Can not access inside ftp server from outside

When doing port redirection on a PIX, be sure to add a NAT and Global for the specific inside host so it will match the outside address in your static. I have always needed to do this for inbound traffic to work, even though you don't need it for a regular static. You should add the following:

global (outside) 2 201.134.44.214

nat (inside) 2 10.0.0.204 255.255.255.255 0 0

You may not need the static for the data port if you are running fixup for FTP. I usually do this for redirecting SMTP to a filter and have not tried it for FTP.

Mark

New Member

Re: Can not access inside ftp server from outside

thanks !

mheusinger

cairnsm

jackko

the fix was:

no sysopt noproxyarp outside

111
Views
0
Helpful
4
Replies