ftp through a pix

pjosephs
Level 1

I have configured a pix for ftp access to a dmz containing an AS400. Although all access lists and static are in place I keep getting a deny for the ftp-data port 20.

I seem to remember reading somewhere something about ftp via the pix causing issues with data transfer. Any ideas

7 Replies

mtumarinson
Level 1

Are you using AAA authentication and what version of pix software are you running?

Not using AAA, and the version of software is 6.2. I've experienced this same problem on earlier versions.

thong.do
Level 1

Do you use NAT? NAT might cause this problem.

Did you try to use the fixup command yet?

martin.law
Level 1

FTP is a weird animal when it comes to Cisco ACLs or the PIX.

Normally you would do:

access-list acl1 permit tcp any host FTPSERVER eq ftp

however to get it to work you need to change the order of the command so it looks like this:

access-list acl1 permit tcp any eq ftp host FTPSERVER

The same applies to SNMP and probably other things. A Cisco engineer tried to explain it to me but I don't think he understood it either. If anyone out there can explain then please - give it a go.

gsatchivi
Level 1

I don't know what your setup looks like, but take this for example.

Your ftp server is on the dmz intf with ip 10.10.20.11

You have a network on the inside interface of your Pix. The net is 10.20.10.0 /24. You want everyone on that net to be able to use the ftp server.

Provided that all preliminary configs are working fine, here is what your config should look like.

configure an access-list that you will apply to nat (0) so that traffic between the two segments does not get natted.

access-list 100 permit ip 10.20.10.0 255.255.255.0 10.10.20.11 255.255.255.255

apply this to nat (0):

nat (inside) 0 access-list 100

Now you will configure a conduit to allow bi-directional communication between the two segments:

conduit permit tcp 10.20.10.0 255.255.255.0 host 10.10.20.11 eq ftp

If communication is to be initiated from the lower security interface to the higher one, you need the conduit. In the case of ftp, the server will probably initiate communication from port 20 to the client on the inside intf. If there is no conduit line in the config, those packets will be dropped because by default you cannot initiate communication from a lower priority intf to a higher one. Sorry for being so long winded.
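
The point made above (the server opens the ftp-data connection itself, from port 20 back to the client, so a rule that only permits port 21 to the server never matches it) and the ACL question from the earlier reply can both be checked with a small model. The code below is an added example and is neither PIX code nor from the thread: it assumes PIX-style security levels (inside 100, dmz 50, outside 0), evaluates the SYN of every new connection from a lower- to a higher-security interface against a PIX 6.x-style access-list line, and models the pinhole that the FTP fixup (`fixup protocol ftp 21`, on by default in PIX 6.x) opens by reading the `PORT` command or the `227` reply on the control channel. The server address 10.10.20.11 and the inside network are taken from the post; the client addresses, ports, zone table and ACL line are constructed, and NAT is assumed away (nat 0), so the addresses inside the FTP commands are not rewritten.

```python
"""Model of FTP's two TCP connections crossing a stateful firewall like PIX 6.x.

Added example, not PIX code.  Security levels, zones, clients and the ACL are
assumptions made for the demonstration; NAT is assumed away (nat 0).
"""
import ipaddress
import re
from dataclasses import dataclass

NAMED_PORTS = {"ftp": 21, "ftp-data": 20}
SECURITY = {"inside": 100, "dmz": 50, "outside": 0}          # assumed levels
ZONES = {"10.20.10.0/24": "inside", "10.10.20.0/24": "dmz",   # assumed topology
         "0.0.0.0/0": "outside"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def zone_of(ip):
    """Longest-prefix lookup of the interface an address sits behind."""
    addr = ipaddress.ip_address(ip)
    nets = sorted(ZONES, key=lambda n: -ipaddress.ip_network(n).prefixlen)
    return next(ZONES[n] for n in nets if addr in ipaddress.ip_network(n))


def parse_acl(line):
    """Parse 'access-list NAME permit tcp SRC [eq P] DST [eq P]' (PIX 6.x form).

    SRC/DST is 'any', 'host A.B.C.D' or 'NET MASK'.  Returns
    (src_net, src_port, dst_net, dst_port); a None port means any port.
    Note that a port after SRC is a *source* port match.
    """
    tok = line.split()
    assert tok[0] == "access-list" and tok[2:4] == ["permit", "tcp"], line
    tok, parts = tok[4:], []
    for _ in ("src", "dst"):
        if tok[0] == "any":
            net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
        elif tok[0] == "host":
            net, tok = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
        else:
            net, tok = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
        port = None
        if tok[:1] == ["eq"]:
            port, tok = NAMED_PORTS.get(tok[1]) or int(tok[1]), tok[2:]
        parts += [net, port]
    return tuple(parts)


class Firewall:
    def __init__(self, acl_lines, fixup_ftp):
        self.acl = [parse_acl(l) for l in acl_lines]
        self.fixup_ftp = fixup_ftp
        self.pinholes = set()     # (src_ip, dst_ip, dst_port) opened by inspection

    def acl_permits(self, f):
        src, dst = ipaddress.ip_address(f.src_ip), ipaddress.ip_address(f.dst_ip)
        return any(src in sn and dst in dn
                   and sp in (None, f.src_port) and dp in (None, f.dst_port)
                   for sn, sp, dn, dp in self.acl)

    def new_connection(self, f):
        """Verdict on the SYN of a new TCP connection through the firewall."""
        if SECURITY[zone_of(f.src_ip)] > SECURITY[zone_of(f.dst_ip)]:
            return "permit"       # higher -> lower security is allowed by default
        key = (f.src_ip, f.dst_ip, f.dst_port)
        if key in self.pinholes:
            self.pinholes.discard(key)   # a pinhole serves one data connection
            return "permit"
        return "permit" if self.acl_permits(f) else "deny"

    def inspect_control(self, ctrl, line):
        """The FTP fixup: watch the port-21 control channel (ctrl is the
        client->server flow) and pre-open the data connection it announces."""
        if not self.fixup_ftp or ctrl.dst_port != 21:
            return
        if m := re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", line):
            # Active mode: client listens on ip:port, server connects from port 20.
            ip, port = ".".join(m.group(1, 2, 3, 4)), int(m[5]) * 256 + int(m[6])
            self.pinholes.add((ctrl.dst_ip, ip, port))
        elif m := re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line):
            # Passive mode: server listens on ip:port, client connects to it.
            ip, port = ".".join(m.group(1, 2, 3, 4)), int(m[5]) * 256 + int(m[6])
            self.pinholes.add((ctrl.src_ip, ip, port))


def ftp_session(fw, client_ip, server_ip, mode):
    """One FTP session through fw: verdicts for the control and data connections."""
    ctrl = Flow(client_ip, 1030, server_ip, 21)
    verdict = {"control": fw.new_connection(ctrl)}
    if verdict["control"] == "deny":
        return verdict
    if mode == "active":   # client sends PORT c1,c2,c3,c4,4,7 -> listens on 4*256+7 = 1031
        fw.inspect_control(ctrl, "PORT %s,4,7" % client_ip.replace(".", ","))
        data = Flow(server_ip, 20, client_ip, 1031)
    else:                  # server replies 227 (...,19,137)  -> listens on 19*256+137 = 5001
        fw.inspect_control(ctrl, "227 Entering Passive Mode (%s,19,137)" % server_ip.replace(".", ","))
        data = Flow(client_ip, 1031, server_ip, 5001)
    verdict["data"] = fw.new_connection(data)
    return verdict


# Constructed policy matching the thread: only port 21 to the server is opened.
ACL = ["access-list acl1 permit tcp any host 10.10.20.11 eq ftp"]


def demo(server_ip="10.10.20.11"):
    """Every combination of client zone, transfer mode and fixup on/off."""
    results = {}
    for fixup in (False, True):
        for client_ip in ("10.20.10.5", "198.51.100.7"):   # inside client, outside client
            for mode in ("active", "passive"):
                fw = Firewall(ACL, fixup_ftp=fixup)
                results[(zone_of(client_ip), mode, fixup)] = ftp_session(fw, client_ip, server_ip, mode)
    return results


if __name__ == "__main__":
    for (zone, mode, fixup), v in sorted(demo().items()):
        print(f"{zone:8} client, {mode:8} mode, fixup={fixup!s:5}: {v}")
```

Without the fixup, the inside client's active transfer is the one case that fails: the control connection is fine (inside to dmz is higher to lower), but the server's port-20 connection back to the inside client is a new lower-to-higher connection that no rule matches, which is the port-20 deny reported at the top of the thread. Passive mode from the inside works regardless, while an outside client has the mirror-image problem (passive fails, active works). With the fixup enabled, all four combinations pass because the inspection engine opens the data connection it read off the control channel. The same caveat applies to the real PIX: the fixup must see the control channel on the port it inspects and in clear text, and under NAT it also rewrites the address in `PORT`/`227`, which the nat 0 assumption here leaves out. `parse_acl` can also be used on other lines from the thread; it shows that a port written after the source specification is a source-port match.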

gsatchivi
Level 1

It's me again.

If all your clients are coming from outside or any intf with a lower security than the dmz, you still need a conduit command to allow the clients in.

in this case: conduit permit tcp host [the server's IP] eq ftp any

gilles

I would go step by step:

1. Try to ftp from one of the machines in the DMZ interface itself.

2. Then configure the conduit statement to allow 'any' to 'any' and try to ftp:

conduit permit tcp any any

3. Then configure to permit all ports to that particular IP :

conduit permit tcp host x.x.x.x any

4. Then configure to allow only ftp to that particular ip :

conduit permit tcp host x.x.x.x eq ftp any

5. Even though it is not needed for a PIX, try 'conduit'ing ftp-data also (never needed to do this though!).

Best Rgds / Sampath

Sampathsr@hclcomnet.co.in
