Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
513
Views
0
Helpful
4
Replies

FTP denial, OUTSIDE to INSIDE network

Shervan Singh
Level 1
Level 1

‎11-03-2003 06:13 AM - edited ‎03-09-2019 05:22 AM

Hi

Debugging fixup ftp shows that the ports are opening up. I am able to log into the internal network using ftp, but am not able to exectute any commands. The connection times out.

This happens even if I use a 'permit all access-list on the outside interface of the pix'

Any help will be appreciated...

Below is the syslog excerpt...

302013: Built inbound TCP connection 15 for outside:192.168.200.28/1082 (192.168

.200.28/1082) to inside:139.66.16.128/21 (139.66.16.128/21)

302013: Built inbound TCP connection 16 for outside:192.168.200.28/1083 (192.168

.200.28/1083) to inside:139.66.16.128/20 (139.66.16.128/20)

111009: User 'enable_15' executed cmd: show debug

111009: User 'enable_15' executed cmd: show logging

111009: User 'enable_15' executed cmd: show logging

302014: Teardown TCP connection 16 for outside:192.168.200.28/1083 to inside:139

.66.16.128/20 duration 0:02:00 bytes 0 TCP FINs

Thanks, Shervan

Labels:
0 Helpful
4 Replies 4

bfl1
Level 1
Level 1

‎11-03-2003 06:22 AM

Please ensure that you are not having issues with reverse DNS on your internal network. See this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094459.shtml

Revere DNS not working can and WILL cause LS and GET commands not to work.

0 Helpful

bfl1
Level 1
Level 1

‎11-03-2003 06:25 AM

FTP into the network... this might mean the domain you are logging in from does not have reverse dns working properly or set up. You may want to look into disabling reverse DNS from the FTP server.

0 Helpful

Shervan Singh
Level 1
Level 1
In response to bfl1

‎11-03-2003 06:37 AM

Hi, the system being configured is a point to point connection, outside of a larger network, so there is no DNS used at all. The pix has however got the default settings for domain. Should DNS matter here?

The network connected to the outside network is of a 'stub' topology.

0 Helpful

bfl1
Level 1
Level 1
In response to Shervan Singh

‎11-03-2003 07:17 AM

A classic symptom of reverse dns issues, is when you try to FTP and you get funky results, such as:

You can ftp to the site, traverse directories, but not issue LS or GET commands. It normally means that the domain you are initiating the FTP from, has reverse DNS issues. A lot of FTP sites do a reverse lookup on clients that ftp to their site. It could also be an IDENT issue... The article has good info in it. See if there is a way to turn off reverse dns lookup on the ftp server.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents