09-03-2002 06:37 PM - edited 02-20-2020 10:13 PM
How can I use passive FTP through the Pix Firewall?? I've tried everything to get this to work. I've tried using established commands. I've tried using conduit commands enabling all the high ports back to the originating host (1024-65535). Nothing is working.
However, once I do "no fixup protocol ftp" it works just fine. However, our other FTP operations fail when I do this. Is there any way I can get these two functions to work through our PIX?
Huge thanks in advance. My company is very dependent on these services.
Aaron Paxson
IT Systems Analyst
Decorative Concepts
09-06-2002 08:28 AM
Anyone have any ideas??
09-06-2002 10:47 AM
Hi, have you tried a range of ports for fixup to inspect? Something like......
fixup protocol ftp 21-65535
I'm not sure if this will inspect all traffic leaving on those ports though.
Anyone else?
09-06-2002 12:30 PM
No, I haven't tried the range of ports. Just 21. I'll do that and see what happens.
I have found out some other information. In going through my logs I have this:
8:08:02am %PIX-6-302001: Built outbound TCP connection xxxxxx for faddr a.b.c.d/80 gaddr
8:08:02am %PIX-5-304001:
8:08:02am %PIX-6-302002: Teardown TCP connection xxxxx faddr a.b.c.d/80 gaddr
8:08:02am %PIX-5-106015: Deny TCP (no connection) from a.b.c.d/80 to
It looks like the PIX tears down the connection before I'm finished. Any reason why? Is there a timeout issue going on? This has been working for a few months now. I had to turn off our PIX's to move them to a new location, and then brought them back up. The contents of the memory were saved. I'm having the hardest time trying to figure this out.
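The four syslog lines quoted in the post above show a Built, a Teardown and then a "Deny TCP (no connection)" for the same foreign address within the same second, which is what a segment arriving after the PIX has already dropped the connection entry looks like. The following is an added example, not code from the original thread, that parses lines in the shape of those messages and flags every deny that follows a teardown of the same flow within a short window. The addresses, ports, connection ids and the trailing fields (laddr, duration, flags, interface) in the sample are constructed placeholders, not values from the poster's device.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the PIX messages quoted above; all values are placeholders.
SAMPLE_LOG = """\
8:08:02am %PIX-6-302001: Built outbound TCP connection 123456 for faddr 203.0.113.10/80 gaddr 198.51.100.5/1025 laddr 10.0.0.5/1025
8:08:02am %PIX-6-302002: Teardown TCP connection 123456 faddr 203.0.113.10/80 gaddr 198.51.100.5/1025 laddr 10.0.0.5/1025 duration 0:00:00 bytes 312
8:08:02am %PIX-5-106015: Deny TCP (no connection) from 203.0.113.10/80 to 198.51.100.5/1025 flags PSH ACK on interface outside
8:09:15am %PIX-6-302001: Built outbound TCP connection 123457 for faddr 203.0.113.20/21 gaddr 198.51.100.5/1030 laddr 10.0.0.5/1030
8:09:40am %PIX-6-302002: Teardown TCP connection 123457 faddr 203.0.113.20/21 gaddr 198.51.100.5/1030 laddr 10.0.0.5/1030 duration 0:00:25 bytes 900
"""

# One regex per message id; only the fields needed for flow matching are captured.
LOG_PATTERNS = {
    "302001": re.compile(
        r"^(?P<ts>\S+) %PIX-6-302001: Built (?P<dir>inbound|outbound) TCP connection (?P<conn>\d+) "
        r"for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+)"
    ),
    "302002": re.compile(
        r"^(?P<ts>\S+) %PIX-6-302002: Teardown TCP connection (?P<conn>\d+) "
        r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+)"
    ),
    "106015": re.compile(
        r"^(?P<ts>\S+) %PIX-5-106015: Deny TCP \(no connection\) "
        r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
    ),
}


def _to_seconds(ts):
    """Convert a '8:08:02am' style timestamp to seconds since midnight."""
    t = datetime.strptime(ts, "%I:%M:%S%p")
    return t.hour * 3600 + t.minute * 60 + t.second


def parse_line(line):
    """Return a dict for a recognised message (with 'id' and 'secs' added), else None."""
    for msg_id, pattern in LOG_PATTERNS.items():
        m = pattern.match(line)
        if m:
            rec = m.groupdict()
            rec["id"] = msg_id
            rec["secs"] = _to_seconds(rec["ts"])
            return rec
    return None


def find_denies_after_teardown(log_text, window=5):
    """Return (deny, teardown) pairs where a 'Deny TCP (no connection)' from the foreign
    side arrives at most `window` seconds after the PIX tore down that same flow.
    A hit means the remote host was still sending on a connection the firewall had
    already removed from its table, which is the symptom described in the post."""
    teardowns = []
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        if rec["id"] == "302002":
            teardowns.append(rec)
        elif rec["id"] == "106015":
            for td in teardowns:
                same_flow = (td["faddr"], td["fport"], td["gaddr"], td["gport"]) == (
                    rec["src"], rec["sport"], rec["dst"], rec["dport"]
                )
                if same_flow and 0 <= rec["secs"] - td["secs"] <= window:
                    findings.append((rec, td))
                    break
    return findings


def summarise(findings):
    """Human-readable one-liners, one per flagged flow."""
    return [
        f"conn {td['conn']}: {td['faddr']}/{td['fport']} kept sending "
        f"{deny['secs'] - td['secs']}s after teardown"
        for deny, td in findings
    ]


if __name__ == "__main__":
    for line in summarise(find_denies_after_teardown(SAMPLE_LOG)):
        print(line)
```

The control connection to port 21 in the constructed sample is torn down cleanly and produces no deny, so only the first flow is reported; on a real log the same matching can be run per foreign host to see whether the denies cluster around FTP data transfers or around something else entirely.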
09-07-2002 11:07 PM
When you do the no fixup protocol ftp, you are disabling the ftp server to open the ftp data connection to the client to establish the data connections. If you want both port mode and passive mode to work at the same time, add an access list that specifically allows the ftp servers to open data connection from port 21 to the clients, good luck.
09-09-2002 09:30 AM
Thank you very much for your response! That makes a lot of sense. Would I also use a conduit command opening up the port back through the firewall, or would I just need an access-list? I have one access-list applied to my inside interface, and use conduit commands to come back through the firewall into my private network.
Thanks for the response!
Aaron