Problems connecting to FTP sites, with or without fixup protocol

stormfidus
Level 1

Hi

I'm experiencing 2 different problems with 2 different FTP sites.

Scenario 1 - Only works without fixup protocol:

When trying to connect to ftp-milton.ansys.com (unknown FTP server), I'm not getting further than the FTP client being connected (not getting to login/password). It's the same whether it's active or passive mode. As soon as I remove the fixup protocol for FTP on the Cisco PIX 515, the FTP connection works fine.

Scenario 2 - Only works with fixup protocol:

When trying to connect to ftp.intercreation.dk (220 ProFTPD 1.2.10 Server), it works fine through an FTP client and the IE browser on Windows XP, but when trying to save or open files through Microsoft Word 2003 (the FTP option in Word), the program hangs and is not able to establish a connection to the FTP site. As soon as I put the fixup protocol ftp 21 on again, the site works. It's the same on this site, whether it's active or passive mode.

So now the big problem is that I'm only able to get 1 of the 2 FTP sites to work at a time. Does anyone have any solution for this?

Here is my PIX configuration:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
interface ethernet2 vlan10 logical
interface ethernet2 vlan40 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz-int security9
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service FTP_out2in tcp
  port-object eq ftp
  port-object eq ftp-data
object-group network FTP_Access_out2in
  network-object host X.X.X.X
access-list outside_access_in permit tcp any object-group FTP_Access_out2in object-group FTP_out2in
access-list inside_access_in permit ip any any
pager lines 24
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any inside
icmp permit any echo-reply dmz
icmp permit any echo dmz
mtu outside 1500
mtu inside 1500
mtu dmz-int 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface dmz
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz-int
no failover ip address dmz
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list in2out_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 X.X.X.X 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
no snmp-server enable traps
floodguard enable

1 Reply

spremkumar
Level 9

Hi

Seen a similar issue here; would suggest to try adding this and check for the FTP connections.

access-list inside_access_in permit tcp any any eq ftp

access-list inside_access_in permit tcp any any eq ftp-data

access-list inside_access_in permit tcp any any gt 1024

Regards
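Both the question (one site only works with the FTP fixup, the other only without it) and the reply's ACL suggestion turn on what the fixup does to the control channel: it reads the PORT/EPRT commands and the 227/229 replies, works out which side will open the data connection and to what port, and opens a pinhole for it. The Python below is an added example modelling that inspection; it is not code from either poster or from Cisco, and the addresses, the session and the `needs_pinhole` rule (which mirrors the post's outside ACL permitting only ftp/ftp-data inbound) are constructed for illustration. NAT rewriting of the embedded address, which the fixup also performs, is left out.

```python
"""Model of the control-channel inspection an FTP ALG performs (the job of
'fixup protocol ftp' on a PIX): parse PORT/EPRT and 227/229 lines, derive the
data connection that results, refuse endpoints that do not belong to the peer
that announced them, and report whether the data connection would enter from
outside (where only an ALG pinhole can admit it).  Added example, not code from
the original thread.  All IP addresses below are constructed."""
import re
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DataConn:
    mode: str         # "active" (server -> client) or "passive" (client -> server)
    initiator: str    # host that opens the data connection
    target: str       # host that listens for it
    target_port: int


# PORT h1,h2,h3,h4,p1,p2  and  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PORT = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 forms: EPRT |1|host|port|  and  229 ... (|||port|)
_EPRT = re.compile(r"^EPRT\s+\|1\|([\d.]+)\|(\d+)\|\s*$")
_EPSV = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def _host_port(m):
    """Decode the six comma-separated fields of PORT / 227 into (host, port)."""
    host = ".".join(m.group(i) for i in range(1, 5))
    port = int(m.group(5)) * 256 + int(m.group(6))
    return host, port


def _check_endpoint(host, port, owner):
    """An ALG only opens a pinhole to the peer that announced the endpoint;
    anything else is the classic FTP bounce pattern and is refused."""
    ip_address(host)  # raises ValueError on a malformed address
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    if host != owner:
        raise ValueError(f"data endpoint {host} does not belong to {owner}")


def parse_line(client, server, line):
    """Return the DataConn announced by one control-channel line, or None.
    `client`/`server` are the control connection's endpoints as the firewall
    sees them (NAT rewriting of the embedded address is not modelled here)."""
    line = line.rstrip("\r\n")
    if m := _PORT.match(line):
        host, port = _host_port(m)
        _check_endpoint(host, port, client)
        return DataConn("active", server, host, port)
    if m := _EPRT.match(line):
        host, port = m.group(1), int(m.group(2))
        _check_endpoint(host, port, client)
        return DataConn("active", server, host, port)
    if m := _PASV.match(line):
        host, port = _host_port(m)
        _check_endpoint(host, port, server)
        return DataConn("passive", client, host, port)
    if m := _EPSV.match(line):
        port = int(m.group(1))
        _check_endpoint(server, port, server)
        return DataConn("passive", client, server, port)
    return None


def needs_pinhole(conn, inside_hosts):
    """True when the data connection is opened from outside towards an inside
    host: a static inbound ACL that only lists ports 20/21 (like the post's
    outside_access_in) drops it, so the ALG has to add a pinhole for it."""
    return conn.target in inside_hosts and conn.initiator not in inside_hosts


def trace_session(client, server, lines):
    """Run every control-channel line through the inspector and return the
    data connections it would have to permit, in order."""
    conns = []
    for line in lines:
        conn = parse_line(client, server, line)
        if conn is not None:
            conns.append(conn)
    return conns


if __name__ == "__main__":
    # Constructed session: inside client 10.0.0.5, outside server 203.0.113.7.
    session = [
        "USER anonymous",
        "PORT 10,0,0,5,4,1",                              # active: 4*256+1 = 1025
        "227 Entering Passive Mode (203,0,113,7,195,80)", # passive: 195*256+80 = 50000
        "229 Entering Extended Passive Mode (|||50001|)",
    ]
    for c in trace_session("10.0.0.5", "203.0.113.7", session):
        print(c, "pinhole needed:", needs_pinhole(c, {"10.0.0.5"}))
    try:
        parse_line("10.0.0.5", "203.0.113.7", "PORT 192,168,1,1,0,21")
    except ValueError as e:
        print("refused:", e)
```

Running it shows the asymmetry behind the two scenarios: the active-mode PORT produces a connection from the server to the inside client on port 1025, which only the ALG's pinhole can admit through an outside ACL like the post's, while both passive forms produce an outbound connection that the inside ACL's `permit ip any any` already covers, fixup or not.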