My ftp service runs on port 7001, and this port is allowed inbound on the access-list. In fact I can telnet to the ftp service from the outside to the statically mapped global address and interact with it on the control channel, so the address mapping works and the access-list works.
I have the fixup protocol statements also:
fixup protocol ftp 21
fixup protocol ftp 7001
The problem is when I type PASV, I get a response like the following:
port (192,168,12,46,165,75) <- meaning the protocol is returning to the client a private address, instead of rewriting that address to use the outside global address.
However, if I manually calculate a port number from the response, and telnet into this port using the global address, I get the download completed. So the security algorithm apparently is opening up the transient inbound port (though when I tried it I may have had all tcp ports opened to the host).
Also, my 'debug fixup tcp' doesn't seem to do anything - I have monitor debugging logging on, term mon set, and debug fixup does nothing (even for the other fixup protocols).
Should the fixup protocol command be rewriting the text reply to the PASV ftp command?
The PIX should be modifying the IP address in the Port command. However, if your router is also performing NAT on this same address, you will need to modify its configuration a bit. By default it will NAT the Port command for packets on port 21, but if you change the port to something else you need to add additional NAT commands. See the following doc.