Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

fixup procol ftp problems PIX 6.1 - fixup not changing PASV port reply

Hi folks,

I have an issue with the ftp fixup feature on passive ftp.

The PIX 515 (6.1) has private addresses on the inside and outside. NAT for all the lan clients is done not by the PIX but by the edge router (a 2620).

LAN = PIX = 2620 = internet

I have my ftp server statically mapped to a global address in the pix however.

static (inside,outside) A.B.C.D 192.168.12.46 netmask 255.255.255.255 0 0

My ftp service runs on port 7001, and this port is allowed inbound on the access-list. In fact I can telnet to the ftp service from the outside to the statically mapped global address and interact with it on the control channel, so the address mapping works and the access-list works.

I have the fixup protocol statements also:

fixup protocol ftp 21

fixup protocol ftp 7001

The problem is when I type PASV, I get a response like the following:

port (192,168,12,46,165,75) <- meaning the protocol is returning to the client a private address, instead of rewriting that address to use the outside global address.

However, if I manually calculate a port number from the response, and telnet into this port using the global address, I get the download completed. So the security algorithm apparently is opening up the transient inbound port (though when I tried it I may have had all tcp ports opened to the host).

Also, my 'debug fixup tcp' doesn't seem to do anything - I have monitor debugging loggin on, term mon set, and debug fixup does nothing (even for the other fixup protocols).

Should the fixup protocol command be rewriting the text reply to the PASV ftp command?

Any ideas?

Thanks

1 REPLY
Cisco Employee

Re: fixup procol ftp problems PIX 6.1 - fixup not changing PASV

The PIX should be modifying the IP address in the Port command. However, if your router is also performing NAT on this same address, you will need to modify its configuraiton a bit. By default it will nat the Port command for packets on port 21, but if you change the port to something you need to add additional nat commands. See the following doc.

http://www.cisco.com/warp/public/556/6.html

Also, the PIX syslogs should indicate what is going on.

Sincerely,

David.

274
Views
0
Helpful
1
Replies