Community Member

Passive FTP denied inbound access

Hi y'all

I have a problem accessing my FTP server in passive mode from the outside interface; it is located behind a PIX 515E version 6.3.

I have this message logged:

%PIX-4-406002: FTP port command different address: 172.16.80.8(192.168.100.100) to 192.168.100.18 on interface dmz

I have this access list allowing incoming connections:

access-list ACLOUT permit tcp any host 192.168.200.100 eq ftp

and this static mapping:

static (dmz,outside) 192.168.200.100 172.16.80.8

Can anyone explain what is wrong? The fixup is enabled by default, yes?

Thanks in advance

David

5 REPLIES
Silver

Re: Passive FTP denied inbound access

In passive mode, both connections, the data and control channels, are initiated by the client.

Hence if the server is on the inside, you definitely need fixup ftp.

BTW, why is there an IP address conflict?

e.g. the message says IP 192.168.100.100 but the static mapping says 192.168.200.100.

Are you having dual NICs or dual IPs on this server?

What version of code?

Thanks

Nadeem

Community Member

Re: Passive FTP denied inbound access

Hi Nadeem,

Thank you for your reply.

I altered the IP addresses and made a mistake copying them to the original post. In fact the access-list and the static mapping are:

access-list ACLOUT permit tcp any host 192.168.100.100 eq ftp

and this static mapping:

static (dmz,outside) 192.168.100.100 172.16.80.8

I have the fixup ftp enabled:

fixup protocol ftp 21

And yes I have dual NIC but only one is connected.

The client connects to the server, but when it starts passive mode the connection is closed. Why?

Thanks in advance

David

Community Member

Re: Passive FTP denied inbound access

%PIX-4-406002: FTP port command different address: IP_addr(IP_addr) to IP_addr on interface int_name

Explanation A client issued an ftp port command and supplied a port lesser than 1024 (in the well-known port range typically devoted to server ports). This is indicative of an attempt to avert the site's security policy. PIX Firewall drops the packet, terminates the connection, and logs the event.

Action None required.

That's Cisco's description of your error message; however, FTP is below 1024, so I don't understand the description.

Community Member

Re: Passive FTP denied inbound access

Hi,

I saw this explanation before, but it's like you said: FTP is below 1024. However, my FTP server instructs the client to use a data channel in the range 22000-22200, and it used to work before the PIX installation (only router ACLs).

David
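The message quoted two posts up is named "different address" and carries three addresses: the server's real address 172.16.80.8, its static translation 192.168.100.100 in parentheses, and 192.168.100.18, which matches neither. The script below is an added example, not code from this thread or from Cisco. It parses that syslog line and then applies to a 227 (PASV) reply the two checks of the kind a stateful FTP inspection performs before opening the data channel: whether the address advertised in the reply equals the address the control connection is actually using, and whether the data port falls in the well-known range below 1024. The 227 replies, the control-peer address, and the reading of the third logged address as the one carried in the FTP command are constructed assumptions; the data port 22116 in the samples falls inside the 22000-22200 range mentioned in the thread.

```python
"""Added example (not from the thread or from Cisco): parse the PIX
406002 line and apply address/port checks to FTP 227 (PASV) replies."""
import re
from ipaddress import IPv4Address

# Syslog line exactly as posted in the thread.
SAMPLE_LOG = ("%PIX-4-406002: FTP port command different address: "
              "172.16.80.8(192.168.100.100) to 192.168.100.18 on interface dmz")

# Field reading assumed here: real_ip(translated_ip) to address_in_ftp_command.
LOG_RE = re.compile(
    r"%PIX-4-406002: FTP port command different address: "
    r"(?P<real>[\d.]+)\((?P<translated>[\d.]+)\) to (?P<in_command>[\d.]+) "
    r"on interface (?P<iface>\S+)")

# RFC 959 reply shape: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_406002(line):
    """Return the four fields of a 406002 message as a dict, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def parse_pasv(reply):
    """Return (advertised_ip, data_port) from a 227 reply, or None."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, control_peer):
    """Checks of the kind an FTP fixup applies before opening the data
    channel. control_peer is the server-side address of the control
    connection on the interface where the reply is seen. Returns the
    reasons to drop the reply; an empty list means it would be accepted."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 reply"]
    ip, port = parsed
    reasons = []
    if IPv4Address(ip) != IPv4Address(control_peer):
        reasons.append(f"advertised {ip} differs from control peer {control_peer}")
    if port < 1024:
        reasons.append(f"data port {port} is in the well-known range")
    return reasons


# Constructed replies modelling the thread: the server's real address on
# dmz is 172.16.80.8; 86*256+100 = 22116 lies in the 22000-22200 range.
BAD_REPLY = "227 Entering Passive Mode (192,168,100,18,86,100)"
GOOD_REPLY = "227 Entering Passive Mode (172,16,80,8,86,100)"

if __name__ == "__main__":
    print(parse_406002(SAMPLE_LOG))
    for reply in (BAD_REPLY, GOOD_REPLY):
        print(reply, "->", check_pasv(reply, "172.16.80.8") or "accepted")
```

Run as a script it prints the parsed log fields and then flags BAD_REPLY for the address mismatch only: 22116 is above 1024 and passes the port check, so with these inputs it is the advertised address, not the height of the data port, that trips the check. Swap in a real control-connection address and a captured 227 reply to test a server of your own.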

Community Member

Re: Passive FTP denied inbound access

Hi y'all

Please don't hang up. Does anyone have an idea about this? Has anyone experienced this before? Perhaps the data channel is too high? Any ideas? Please?

Thanks in advance

David
