Here is the config as requested. Hopefully you will be able to spot my mistake; I am flying a little blind here as I have no real experience in this...
If you do 'show access-list 101', is the FTP rule incrementing whenever an FTP session is started? Also, can you confirm that the host 10.128.10.1 is where you want the FTPs redirected to?
If yes and yes to the above, have you tried ftp'ing to this host from the inside network and does that work?
You say you cannot authenticate, but you also say that the port does seem to be getting redirected. OK, what happens? Do you get an authentication prompt?
Have you tried from the command line?
Connected to ************.net.
220-FTP Server Ready.
220-Guest logins are not allowed here. You must login with your assigned
220-username and password with your FTP client program. If you're using
220-Internet Explorer, try the "Login as..." menu option under the "File" menu,
220-or in other FTP client programs, you can try this URL:
220-
220- ftp://username@YourDomainName/
220
User (**********.netnone)): gconnect
331 User gconnect okay, need password.
Password:
230 Restricted user logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
What type of FTP server?
What output does the FTP client or server log when you attempt to log in via FTP?
FTP operates on more than one port, which is what the fixup is for. The problem could be that you only have ftp (TCP 21) statically translated. I don't know if the PIX is smart enough or dumb enough to translate these to the inside host on ports other than the one in your translate rule, because you are using port address translation. Are you using active or passive FTP? Try this also.
That's for FTP-Data. If you are using active FTP, data will go over 20, and 21 is the control connection. If it is passive, the control connection is still 21, but it uses TCP high ports for the data connection.
1. Try to open ports 20 & 21 for the FTP server IP.
2. I think this command is not true [(static (inside,outside) tcp interface ftp bci ftp netmask 255.255.255.255 0 0)]; it should be
[static (inside,outside) tcp (Real IP for the server) (Private IP) netmask 255.255.255.255 0 0].
3. After changing the routing, clear the xlate table and build it again.
Have you tried sniffing the traffic on the inside? Or even on the FTP server itself for that matter to see what is actually coming in. You may want to compare that with the output from a 'debug packet outside' on the router. If you sniff the traffic on the client and get ICMP Destination Unreachable / Port Unreachable that may also clue us in.
Fixup will open the ports automatically. In fact, with fixup enabled you will not see any hits on any ACL using tcp/20, even if configured with "any any eq 20". tcp/20 is only applicable if the server is doing active FTP anyway. Connections created by Application Inspection (fixups) get processed before the ACLs (like CBAC on IOS). And, like IOS 12.3, connections created by Application Inspection are not viewable natively.
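To make concrete what the two posts above describe (control on tcp/21, a separate data connection on tcp/20 for active FTP or a high port for passive, and the fixup reading the control channel to open and translate it), here is an added example that is not from this thread and not PIX code. It is a small Python model of the inspection a fixup performs: it parses a client PORT command and a server 227 passive reply, reports which data connection must be permitted, and rewrites the inside address in a 227 reply to the mapped outside address, which is the step that a plain static on port 21 alone cannot do. All IP addresses and control-channel lines are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample control-channel lines (not captured from the thread's server).
SAMPLE_PORT_CMD = "PORT 192,168,1,50,195,80\r\n"                        # active: client listens on 192.168.1.50:50000
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,128,10,1,200,16).\r\n"  # passive: server offers 10.128.10.1:51216

# FTP encodes host and port as six comma-separated decimal octets: h1,h2,h3,h4,p1,p2
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(m: "re.Match") -> Tuple[str, int]:
    """Turn the six-octet FTP form into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    for octet in (h1, h2, h3, h4, p1, p2):
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in FTP host/port encoding")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(line: str, client_ip: str, server_ip: str) -> Optional[dict]:
    """Return the data connection an inspector would have to permit for this
    control-channel line, or None if the line carries no data-channel info.

    Active FTP: the server connects FROM port 20 TO the address/port in PORT.
    Passive FTP: the client connects TO the address/port in the 227 reply.
    """
    text = line.strip()
    if text.upper().startswith("PORT "):
        m = _SIX.search(text)
        if not m:
            return None
        ip, port = _decode_hostport(m)
        # Conservative check (assumption for this example): only accept a PORT
        # that points back at the client itself, never at a third party.
        if ip != client_ip:
            return None
        return {"mode": "active", "src": (server_ip, 20), "dst": (ip, port)}
    if text.startswith("227"):
        m = _SIX.search(text)
        if not m:
            return None
        ip, port = _decode_hostport(m)
        # Client source port is ephemeral and unknown until the connection opens.
        return {"mode": "passive", "src": (client_ip, None), "dst": (ip, port)}
    return None


def rewrite_pasv(line: str, inside_ip: str, outside_ip: str) -> str:
    """Rewrite the address embedded in a 227 reply from the server's real
    (inside) IP to its mapped (outside) IP, leaving the port untouched.
    This is the translation a fixup must do when the server sits behind a
    static; without it an outside client is told to connect to a private IP."""
    m = _SIX.search(line)
    if not m:
        return line
    ip, port = _decode_hostport(m)
    if ip != inside_ip:
        return line
    hi, lo = divmod(port, 256)
    new_six = ",".join(outside_ip.split(".") + [str(hi), str(lo)])
    return line[: m.start()] + new_six + line[m.end():]


if __name__ == "__main__":
    print(data_connection(SAMPLE_PORT_CMD, "192.168.1.50", "10.128.10.1"))
    print(data_connection(SAMPLE_PASV_REPLY, "192.168.1.50", "10.128.10.1"))
    print(rewrite_pasv(SAMPLE_PASV_REPLY, "10.128.10.1", "203.0.113.5").strip())
```

When troubleshooting the thread's setup, the useful comparison is between what the server sends in its 227 reply as seen on the inside (a sniffer on the server) and what the client receives on the outside: if the embedded address is still the private 10.128.10.1, the inspection is not rewriting the control channel and the data connection will never complete even though the login on port 21 works.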