Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ftp through a pix

I have configured a pix for ftp access to a dmz containing an AS400. Although all access lists and static are in place I keep getting a deny for the ftp-data port 20.

I seem to remember reading somewhere something about ftp via the pix causing issues with data transfer. Any ideas

Community Member

Re: ftp through a pix

Are you using AAA authentication and what version of pix software are you running?

Community Member

Re: ftp through a pix

not using AAA and the version of software is 6.2 I've experienced this same problem on earlier versions

Community Member

Re: ftp through a pix

Do you use NAT ? NAT might cause this problem .

Do you try to use fixup command yet?

Community Member

Re: ftp through a pix

FTP is a wierd animal when it comes to Cisco ACL or PIX

Normally you would do:

access-list acl1 permit tcp any host FTPSERVER eq ftp

however to get it to work you need to change the order of the command so it looks like this:

access-list acl1 permit tcp any eq ftp host FTPSERVER

The same applies to SNMP and probably other things. A Cisco engineer tried to explain it to me but I don't think he understood it either. If anyone out there can explain then please - give it a go.

Community Member

Re: ftp through a pix

I don't know What your set up looks like but take this for example.

Your ftp server is on the dmz intf with ip

You have a network on the inside interface of your Pix. The net is /24. You want everyone on that net to be able to use the ftp server.

Provided that all preliminary configs are working fine, here is what your config should look like.

configure an access-list that you will apply to nat (0) so that traffic between the two segments does not get natted.

access-list 100 permit ip

apply this to nat (0):

nat (inside) 0 access-list 100

Now you will configure a conduit to allow bi-directional communicatiion between the two segment:

conduit permit tcp host eq ftp

If communication is to be initiated from the lower security interface to the higher one, you need the conduit. In the case of ftp, the server will probably initiate communication from port 20 to the client on the inside intf. If there is no conduit line in the config, those packets will be dropped because by default you cannot initiate communication from a lower priority intf to a higher one. Sorry for being so long winded.

Community Member

Re: ftp through a pix

It's me again.

If all your clients are comming from outside or any intf with a lower security than the dmz, you still need a conduit command to allow the clients in.

in this case: conduit permit tcp host [the server's IP] eq ftp any


Community Member

Re: ftp through a pix

I would go step by step:

1. Try to ftp from one of the machines in the DMZ interface itself.

2. Then configure the conduit statement to allow `any' to 'any' and try to ftp:

conduit permit tcp any any

3. Then configure to permit all ports to that particular IP :

conduit permit tcp host x.x.x.x any

4. Then configure to allow only ftp to that particular ip :

conduit permit tcp host x.x.x.x eq ftp any

5. Even though it is not needed for a PIX, try `conduit;ing ftp-data also (never needed to do this though!).

Best Rgds / Sampath

CreatePlease to create content