01-02-2006 05:53 AM - edited 03-09-2019 01:30 PM
Hi
I'm experiencing 2 different problems with 2 different FTP sites.
Scenario 1 - Only works without fixup protocol:
When trying to connect to ftp-milton.ansys.com (unknown FTP server), I'm not getting further than the FTP client being connected (not getting to login/password). It's the same whether it's active or passive mode; as soon as I remove the fixup protocol for FTP on the Cisco PIX 515, the FTP connection works fine.
Scenario 2 - Only works with fixup protocol:
When trying to connect to ftp.intercreation.dk (220 ProFTPD 1.2.10 Server), it works fine through an FTP client and the IE browser on Windows XP, but when trying to save or open files through Microsoft Word 2003 (the FTP option in Word), the program hangs and is not able to establish a connection to the FTP site. As soon as I put the fixup protocol ftp 21 on again, the site works. It's the same on this site whether it's active or passive mode.
So now the big problem is that I'm only able to get 1 of the 2 FTP sites to work at a time. Does anyone have any solution for this?
Here is my PIX configuration:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet2 vlan10 logical
interface ethernet2 vlan40 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz-int security9
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service FTP_out2in tcp
port-object eq ftp
port-object eq ftp-data
object-group network FTP_Access_out2in
network-object host X.X.X.X
access-list outside_access_in permit tcp any object-group FTP_Access_out2in object-group FTP_out2in
access-list inside_access_in permit ip any any
pager lines 24
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any inside
icmp permit any echo-reply dmz
icmp permit any echo dmz
mtu outside 1500
mtu inside 1500
mtu dmz-int 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz-int
no failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list in2out_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 X.X.X.X 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
no snmp-server enable traps
floodguard enable
01-02-2006 06:53 AM
Hi
Seen a similar issue here; I would suggest trying to add this and checking the FTP connections:
access-list inside_access_in permit tcp any any eq ftp
access-list inside_access_in permit tcp any any eq ftp-data
access-list inside_access_in permit tcp any any gt 1024
Regards
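As an added illustration (not code from either post), here is what the FTP fixup does on the control channel that a static "permit tcp any any gt 1024" rule cannot: it parses PORT commands and 227 PASV replies to open a data-channel pinhole for that session only, and rewrites the address embedded in a NAT'd client's PORT command. The session lines, addresses and function names are constructed for this example.

```python
import re

# Constructed example of FTP application-layer inspection (the job of
# "fixup protocol ftp"): not the PIX implementation, only its observable logic.
_HP = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT commands and 227 replies."""
    m = _HP.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_pinholes(control_lines, client_ip, server_ip):
    """Return (src, dst, dport) tuples the inspector must open for this session.
    Only the session's own peer may be named and only ports above 1023; other
    announcements are ignored, which keeps the dynamic hole tied to the session."""
    holes = []
    for line in control_lines:
        line = line.strip()
        if line.upper().startswith("PORT "):            # active: server connects to client
            hp = parse_hostport(line)
            if hp and hp[0] == client_ip and hp[1] > 1023:
                holes.append((server_ip, hp[0], hp[1]))
        elif line.startswith("227 "):                   # passive: client connects to server
            hp = parse_hostport(line)
            if hp and hp[0] == server_ip and hp[1] > 1023:
                holes.append((client_ip, hp[0], hp[1]))
    return holes

def rewrite_port(line, inside_ip, global_ip):
    """Rewrite the address in a NAT'd client's PORT command from its inside
    address to the global address, so the server can reach the data port."""
    hp = parse_hostport(line)
    if not line.upper().startswith("PORT ") or hp is None or hp[0] != inside_ip:
        return line
    octets = global_ip.split(".") + [str(hp[1] // 256), str(hp[1] % 256)]
    return "PORT " + ",".join(octets)

# Constructed control-channel excerpt: client 10.0.0.5, server 203.0.113.10.
SESSION = [
    "220 ProFTPD 1.2.10 Server",
    "USER anonymous",
    "PORT 10,0,0,5,4,1",                                 # client listens on 10.0.0.5:1025
    "227 Entering Passive Mode (203,0,113,10,195,80)",   # server listens on 203.0.113.10:50000
    "227 Entering Passive Mode (192,0,2,99,4,0)",        # names a third host: ignored
]

if __name__ == "__main__":
    print(data_pinholes(SESSION, "10.0.0.5", "203.0.113.10"))
    print(rewrite_port("PORT 10,0,0,5,4,1", "10.0.0.5", "198.51.100.1"))
```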