Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

FTP communication

I have a 2621 configured with the serial interface to the outside world, ethernet 0/0 to DMZ2, ethernet 0/1 to DMZ1, and using ios firewall. When I am connected to DMZ2 I can make FTP communications to the outside world uploading and downloading. When connected to the DMZ1 I am only able to download from the same FTP site. When attempting to upload I get an "Access Denied" message. It appears that the data channel can't be created.

I'm aware of the fixup protocol command but that isn't available on this router. How can I make this work and why does it work on one DMZ but not the other?


New Member

Re: FTP communication


I guess your ftp mode is active because in this mode the client initiate connection to ftp server port 21 (command port) then the server initiate a connection to the client from ftp server source port 20 (data port).

In your case the connection to the port 21 is inspected by your inbound inspect ? default ? and will allow only responses to the connection initiated from the outside so connection attempts from the port 20 will be denied.

I hope this will help you!

New Member

Re: FTP communication


The command "ip inspect name Default ftp" is equivalent to "fixup ftp". (nearly)

Solution (i believe) for your connection-problem:

1. Remove "ip inspect Default in" on interface FastEthernet0/0 and on interface FastEthernet0/1 (inside).

2. Add "ip inspect Default out" on interface Serial0/0 (outside).

3. Remove any permit-statement in access-list 120 for connections which are established from "inside" to outside (statefull expection! -> allow answers for questions from inside)

Or find connection-errors with

"debug ip inspect ..."

"debug ip nat ..."

And use route-maps:

"ip nat inside source route-map ..." because you use vpn (crypto map ...) -> use "acl-nonat access-lists"