Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1092
Views
0
Helpful
1
Replies

fixup procol ftp problems PIX 6.1 - fixup not changing PASV port reply

jljamison
Level 1
Level 1

‎06-15-2002 01:07 PM - edited ‎02-20-2020 10:06 PM

Hi folks,

I have an issue with the ftp fixup feature on passive ftp.

The PIX 515 (6.1) has private addresses on the inside and outside. NAT for all the lan clients is done not by the PIX but by the edge router (a 2620).

LAN = PIX = 2620 = internet

I have my ftp server statically mapped to a global address in the pix however.

static (inside,outside) A.B.C.D 192.168.12.46 netmask 255.255.255.255 0 0

My ftp service runs on port 7001, and this port is allowed inbound on the access-list. In fact I can telnet to the ftp service from the outside to the statically mapped global address and interact with it on the control channel, so the address mapping works and the access-list works.

I have the fixup protocol statements also:

fixup protocol ftp 21

fixup protocol ftp 7001

The problem is when I type PASV, I get a response like the following:

port (192,168,12,46,165,75) <- meaning the protocol is returning to the client a private address, instead of rewriting that address to use the outside global address.

However, if I manually calculate a port number from the response, and telnet into this port using the global address, I get the download completed. So the security algorithm apparently is opening up the transient inbound port (though when I tried it I may have had all tcp ports opened to the host).

Also, my 'debug fixup tcp' doesn't seem to do anything - I have monitor debugging loggin on, term mon set, and debug fixup does nothing (even for the other fixup protocols).

Should the fixup protocol command be rewriting the text reply to the PASV ftp command?

Any ideas?

Thanks

0 Helpful
1 Reply 1

David White
Cisco Employee
Cisco Employee

‎06-19-2002 08:11 PM

The PIX should be modifying the IP address in the Port command. However, if your router is also performing NAT on this same address, you will need to modify its configuraiton a bit. By default it will nat the Port command for packets on port 21, but if you change the port to something you need to add additional nat commands. See the following doc.

http://www.cisco.com/warp/public/556/6.html

Also, the PIX syslogs should indicate what is going on.

Sincerely,

David.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card