01-11-2006 12:38 PM - edited 03-09-2019 01:35 PM
My configuration (not working):
name 10.0.0.204 VMW2KP
access-list inside_access_in permit ip any any
access-list outside_access_in permit ip any any
ip address outside 201.134.44.213 255.255.255.240
ip address inside 10.0.1.211 255.255.0.0
global (outside) 1 201.134.44.212
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 201.134.44.214 ftp VMW2KP ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
Any ideas? The PIX has a fine connection to the Internet, and the default gateway on the FTP server (VMW2KP) is the PIX.
I do not understand...
Thanks.
01-11-2006 03:51 PM
Hello,
FTP in fact uses two ports. The first is TCP 21 (=ftp) for a control connection, where a user authenticates himself, lists directories etc.
Second, for data transmission you also need TCP 20 (=ftp-data), as the file transfer with active FTP will use this port.
You have to forward both ports to the server to have a chance of getting FTP working.
Hope this helps! Please rate all posts.
Martin
01-12-2006 03:48 AM
Apply the static statement below:
static (inside,outside) tcp 201.134.44.214 20 VMW2KP 20 netmask 255.255.255.255 0 0
clear xlate local VMW2KP
The reason is that with active FTP, the client initiates the connection with destination port 21, then the server initiates the data channel with source port 20. Thus the above static is required.
Further, the ACL outside_access_in should be restricted after the issue is resolved. In order to permit this FTP operation:
access-list outside_access_in permit tcp any host <201.134.44.214> eq ftp
Alternatively, if the FTP server is running passive FTP, then the inbound ACL should be:
access-list outside_access_in permit tcp any host <201.134.44.214> gt 1023
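The ACL tightening suggested in the reply above can be checked mechanically. The following is an added example, not part of the thread: a Python sketch that reads PIX 6.x-style lines, reports `permit ip any any` entries in the ACL bound inbound to an interface, and proposes one narrow permit per TCP port redirection. The function names and the embedded sample (taken from the configuration posted at the top of the thread) are constructed for illustration.

```python
import re

# Constructed sample: relevant lines of the configuration posted in this thread.
SAMPLE_CONFIG = """\
name 10.0.0.204 VMW2KP
access-list inside_access_in permit ip any any
access-list outside_access_in permit ip any any
static (inside,outside) tcp 201.134.44.214 ftp VMW2KP ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

def parse(config):
    """Collect ACL entries, inbound interface bindings and TCP port redirections."""
    acls, bindings, statics = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"access-list (\S+) (permit|deny) (.+)$", line):
            acls.setdefault(m[1], []).append((m[2], m[3].split()))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            bindings[m[2]] = m[1]               # interface -> ACL name
        elif m := re.match(r"static \((\S+),(\S+)\) tcp (\S+) (\S+) ", line):
            statics.append((m[2], m[3], m[4]))  # (global interface, global IP, port)
    return acls, bindings, statics

def open_rules(config, interface="outside"):
    """Return the 'permit ip any any' entries of the ACL applied inbound on interface."""
    acls, bindings, _ = parse(config)
    name = bindings.get(interface)
    return [f"access-list {name} permit ip any any"
            for action, rest in acls.get(name, [])
            if action == "permit" and rest == ["ip", "any", "any"]]

def restricted_rules(config, interface="outside"):
    """Suggest one narrow permit per TCP port redirection on interface.
    Assumption: every redirected port is meant to be reachable from that side."""
    _, bindings, statics = parse(config)
    name = bindings.get(interface)
    if name is None:
        return []
    return [f"access-list {name} permit tcp any host {ip} eq {port}"
            for iface, ip, port in statics if iface == interface]

if __name__ == "__main__":
    print("Too broad:", *open_rules(SAMPLE_CONFIG), sep="\n  ")
    print("Suggested:", *restricted_rules(SAMPLE_CONFIG), sep="\n  ")
```
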
01-12-2006 10:38 AM
When doing port redirection on a PIX, be sure to add a NAT and Global for the specific inside host so it will match the outside address in your static. I have always needed to do this for inbound traffic to work, even though you don't need it for a regular static. You should add the following:
global (outside) 2 201.134.44.214
nat (inside) 2 10.0.0.204 255.255.255.255 0 0
You may not need the static for the data port if you are running fixup for FTP. I usually do this for redirecting SMTP to a filter and have not tried it for FTP.
Mark
01-17-2006 03:23 PM
Thanks!
mheusinger
cairnsm
jackko
The fix was:
no sysopt noproxyarp outside