Saturday, January 15, 2011

How to enable FTP access to a server behind a Cisco PIX 515?

Hi! I have a Windows 2003 web server sitting behind a Cisco PIX 515 firewall. HTTP access is fine, but I can't make FTP access work.

The configuration I'm trying:

fixup protocol ftp 20
static (inside,outside) <external-IP> <internal-IP> netmask 255.255.255.255 0 0
conduit permit tcp host <external-IP> eq www any
conduit permit tcp host <external-IP> eq ftp-data any
conduit permit tcp host <external-IP> eq ftp any

I also tried "fixup protocol ftp 21" and "no fixup protocol 20"; as they didn't work, I removed them.

It connects successfully and I type my username and password just fine. When I try any command I get:

C:\>ftp <server-name>
Connected to <server-name>.
220 Microsoft FTP Service
User (<server-name>:(none)): <username>
331 Password required for <username>.
Password:
230 User <username> logged in.
ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.

And it sits there forever. I can see in eventvwr that the server drops the connection after the time-out I configured is reached.

If I try from Internet Explorer I get a message box:

200 Type set to A
500 Invalid PORT command
500 'LPRT 6,16,0,0,0,0,0,0,0,0,9,4,0,0,0,0,34,113,2,6,71': command not understood

FTP to this server from inside my LAN works fine.

Can anyone help me? Thanks a lot!

  • Remove:

        fixup protocol ftp 20

    and just add:

        fixup protocol ftp

    without a port number. A port number is not needed. In addition to this, you may need to issue a clear xlate for it to take effect right away...however, this will disconnect any/all active connections (and can cause other issues).

    Edited to add:

    As Zephyr asked in comments above, it is important to know what version of PIX software you're running as Cisco replaced fixup with inspect.

    radius : He said : "I also tried "fixup protocol ftp 21" and "no fixup protocol 20"; as they didn't work, I removed them.". I made the same answer before reading the question a second time ;)
    GregD : But I also suspect that he did this and tried them right away before trying clear xlate.
    GregD : What does a "show fixup" return?
    GregD : Try these commands in this order: no fixup protocol ftp 20 | fixup protocol ftp 21
    GregD : Also, is your FTP site setup to accept all incoming IP addresses or specific ones (like your internal ones)?
    GregD : What FTP client are you using? Have you tried active vs. passive ftp on your client outside of the firewall?
    From GregD
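The reason the port number matters: `fixup protocol ftp <port>` tells the PIX which TCP port carries the FTP *control* channel, and the inspection engine only rewrites PORT commands and opens data-connection pinholes for sessions it sees on that port. With `fixup protocol ftp 20` the PIX watches the data port and never parses the PORT/LPRT commands travelling on port 21, so the server is left to deal with the raw, untranslated address. The decoder below is an added example, not part of the thread or of any Cisco software; it shows what such an inspection engine has to extract from a PORT (RFC 959) or LPRT (RFC 1639) line, using the LPRT string from the Internet Explorer error above and a constructed PORT line. The `advertised_host_matches` check is the usual anti-bounce comparison (advertised data address versus the control connection's peer); that it is the cause of the "500 Invalid PORT Command" seen here is my assumption, not something the thread confirms.

```python
import ipaddress


def parse_port_command(line):
    """Decode an FTP PORT (RFC 959) or LPRT (RFC 1639) command into (ip, port).

    Returns None for other commands or malformed arguments.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    verb, arg = parts[0].upper(), parts[1]
    try:
        nums = [int(x) for x in arg.split(",")]
    except ValueError:
        return None
    if any(n < 0 or n > 255 for n in nums):
        return None
    if verb == "PORT":
        # h1,h2,h3,h4,p1,p2: four IPv4 octets then a 16-bit port, high byte first
        if len(nums) != 6:
            return None
        return str(ipaddress.IPv4Address(bytes(nums[:4]))), nums[4] * 256 + nums[5]
    if verb == "LPRT":
        # af,alen,a1..a_alen,plen,p1..p_plen (af 4 = IPv4, af 6 = IPv6)
        if len(nums) < 2:
            return None
        af, alen = nums[0], nums[1]
        addr, rest = nums[2:2 + alen], nums[2 + alen:]
        if len(addr) != alen or not rest or len(rest) != 1 + rest[0]:
            return None
        port = 0
        for b in rest[1:]:
            port = port * 256 + b
        if af == 4 and alen == 4:
            return str(ipaddress.IPv4Address(bytes(addr))), port
        if af == 6 and alen == 16:
            return str(ipaddress.IPv6Address(bytes(addr))), port
        return None
    return None


def advertised_host_matches(control_peer_ip, cmd_line):
    """Anti-bounce check: the data endpoint must be the host that opened the control channel."""
    ep = parse_port_command(cmd_line)
    return ep is not None and ipaddress.ip_address(ep[0]) == ipaddress.ip_address(control_peer_ip)


if __name__ == "__main__":
    # LPRT string taken from the Internet Explorer error in the question; PORT line is constructed
    print(parse_port_command("LPRT 6,16,0,0,0,0,0,0,0,0,9,4,0,0,0,0,34,113,2,6,71"))
    print(parse_port_command("PORT 192,168,1,10,4,1"))
```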
