New Member

FTP denial, OUTSIDE to INSIDE network

Hi

Debugging fixup ftp shows that the ports are opening up. I am able to log into the internal network using ftp, but am not able to execute any commands. The connection times out.

This happens even if I use a 'permit all' access-list on the outside interface of the pix.

Any help will be appreciated...

Below is the syslog excerpt...

302013: Built inbound TCP connection 15 for outside:192.168.200.28/1082 (192.168.200.28/1082) to inside:139.66.16.128/21 (139.66.16.128/21)

302013: Built inbound TCP connection 16 for outside:192.168.200.28/1083 (192.168.200.28/1083) to inside:139.66.16.128/20 (139.66.16.128/20)

111009: User 'enable_15' executed cmd: show debug

111009: User 'enable_15' executed cmd: show logging

111009: User 'enable_15' executed cmd: show logging

302014: Teardown TCP connection 16 for outside:192.168.200.28/1083 to inside:139.66.16.128/20 duration 0:02:00 bytes 0 TCP FINs

Thanks, Shervan
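
The syslog excerpt in the post above can be read by pairing each 302013 Built record with its 302014 Teardown on the connection number. The following Python sketch is an added example, not part of the original post: the sample input is the excerpt's own lines rejoined, and the function names `correlate` and `stalled` are illustrative.

```python
import re

# Syslog lines from the excerpt in the post above, with the wrapped lines rejoined.
SAMPLE = """\
302013: Built inbound TCP connection 15 for outside:192.168.200.28/1082 (192.168.200.28/1082) to inside:139.66.16.128/21 (139.66.16.128/21)
302013: Built inbound TCP connection 16 for outside:192.168.200.28/1083 (192.168.200.28/1083) to inside:139.66.16.128/20 (139.66.16.128/20)
111009: User 'enable_15' executed cmd: show debug
302014: Teardown TCP connection 16 for outside:192.168.200.28/1083 to inside:139.66.16.128/20 duration 0:02:00 bytes 0 TCP FINs
"""

BUILT = re.compile(
    r"302013: Built (?P<dir>\w+) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([^)]*\) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")
TEARDOWN = re.compile(
    r"302014: Teardown TCP connection (?P<id>\d+) for .*? "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)\s*(?P<reason>.*)")

def correlate(log_text):
    """Pair each 302013 Built record with its 302014 Teardown by connection id."""
    conns = {}
    for line in log_text.splitlines():
        if (m := BUILT.search(line)):
            conns[int(m["id"])] = {
                "direction": m["dir"],
                "src": f'{m["src_if"]}:{m["src"]}/{m["sport"]}',
                "dst": f'{m["dst_if"]}:{m["dst"]}/{m["dport"]}',
                "dport": int(m["dport"]),
                "state": "open",
            }
        elif (m := TEARDOWN.search(line)):
            # A teardown whose Built line was not captured still gets a record.
            c = conns.setdefault(int(m["id"]), {"dport": None})
            c.update(state="closed", bytes=int(m["bytes"]),
                     seconds=int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
                     reason=m["reason"].strip())
    return conns

def stalled(conns):
    """Connection ids that were torn down without carrying any payload."""
    return sorted(i for i, c in conns.items()
                  if c["state"] == "closed" and c["bytes"] == 0)

if __name__ == "__main__":
    table = correlate(SAMPLE)
    for cid, c in sorted(table.items()):
        print(cid, c)
    print("zero-byte connections:", stalled(table))
```

On the excerpt, connection 15 (port 21) has no teardown record yet, while connection 16 (port 20) closes after two minutes with 0 bytes transferred.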

New Member

Re: FTP denial, OUTSIDE to INSIDE network

Please ensure that you are not having issues with reverse DNS on your internal network. See this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094459.shtml

Reverse DNS not working can and WILL cause LS and GET commands not to work.

New Member

Re: FTP denial, OUTSIDE to INSIDE network

FTP into the network... this might mean the domain you are logging in from does not have reverse dns working properly or set up. You may want to look into disabling reverse DNS from the FTP server.

New Member

Re: FTP denial, OUTSIDE to INSIDE network

Hi, the system being configured is a point to point connection, outside of a larger network, so there is no DNS used at all. The pix has however got the default settings for domain. Should DNS matter here?

The network connected to the outside network is of a 'stub' topology.

New Member

Re: FTP denial, OUTSIDE to INSIDE network

A classic symptom of reverse DNS issues is when you try to FTP and you get funky results, such as:

You can ftp to the site, traverse directories, but not issue LS or GET commands. It normally means that the domain you are initiating the FTP from has reverse DNS issues. A lot of FTP sites do a reverse lookup on clients that ftp to their site. It could also be an IDENT issue... The article has good info in it. See if there is a way to turn off reverse DNS lookup on the ftp server.
