
FTP access through PIX

abruso
Level 1

I was under the impression that any session initiated from inside the PIX going out would allow that traffic to come back through the PIX without any additional ACLs. We are trying to access an FTP site from inside but cannot do so. When trying to connect to the same FTP site from a box outside our firewall, it works just fine.

Do I need to add an inbound ACL statement to allow this?

2 Replies

mheusinger
Level 10

Hello,

You could try passive FTP with your client and this should solve the problem. Active FTP uses port 21 for accessing the server and port 20 for data transmission. As the server is sending with port 20, the PIX does not "know" what to do and then discards the packets.

With passive FTP both the control and the data connection are initiated by the client and should therefore be working.

Hope this helps! Please rate all posts.

Regards, Martin

Passive FTP is checked off in my browser options and it still doesn't work. I just added an ACL statement to our inbound ACL to allow all FTP traffic coming from our client and still nothing.

I'm not sure what else to try.

This is the error message I get whenever I try to run a command on their FTP site:

425 Can't build data connection: Cannot connect to dest socket xxx.xxx.xx.xx:1209 SSLTCP:380:connect tcp:113: No route to host.
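The active/passive distinction discussed in this thread, as an added example that is not part of the original posts: a small Python parser that reads FTP control-channel lines (RFC 959 `PORT` commands and `227` replies), decodes the advertised data endpoint, and reports which side opens the data connection, which is what a stateful firewall has to read off the control channel to know what connection to expect. The sample lines and addresses are constructed; the client port is chosen to decode to 1209, the port named in the 425 error above.

```python
import ipaddress
import re

# RFC 959 host-port field: h1,h2,h3,h4,p1,p2 (six decimal bytes)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_hostport(text):
    """Return (ip, port) from a PORT argument or 227 reply, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    b = [int(g) for g in m.groups()]
    if any(v > 255 for v in b):
        return None
    return ".".join(map(str, b[:4])), b[4] * 256 + b[5]

def classify(line):
    """Describe the data connection that one control-channel line sets up."""
    line = line.strip()
    verb = line.split(" ", 1)[0].upper()
    if verb == "PORT":      # client listens, server connects in (active mode)
        mode, initiator = "active", "server"
    elif verb == "227":     # server listens, client connects out (passive mode)
        mode, initiator = "passive", "client"
    else:
        return None
    endpoint = decode_hostport(line)
    if endpoint is None:
        return None
    ip, port = endpoint
    addr = ipaddress.ip_address(ip)
    return {"mode": mode, "initiator": initiator, "listen_ip": ip, "listen_port": port,
            # An RFC 1918 address here is unreachable from outside unless NAT rewrites it
            "rfc1918": any(addr in net for net in _RFC1918)}

def data_flows(control_lines):
    """Return one record per line that negotiates a data connection."""
    return [r for r in map(classify, control_lines) if r]

# Constructed control-channel lines (not captured from the thread)
SAMPLE = [
    "USER anonymous",
    "PORT 192,168,1,10,4,185",
    "227 Entering Passive Mode (203,0,113,5,195,80)",
]

if __name__ == "__main__":
    for flow in data_flows(SAMPLE):
        print(flow)
```

A `PORT` record means the server will try to connect inbound to the listed client address and port, so seeing one in a session indicates the client is using active mode regardless of what its settings say.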
