Behind PIX, FTP Fails!


luciusism (MIS), US, Mar 15, 2002
I have noticed that when trying to access an FTP site from behind my PIX, I can log on, but as soon as I do a LIST to list the directory, the socket connection is reset. I looked in the log files, and there are no denies, but a teardown with the reason code (TCP Reset-I). It seems like the FTP server is sending a spurious reset packet?

Yet, if I connect from outside the PIX, FTP access works. I've also confirmed with someone else whose network also uses a PIX that they too get the same disconnect at LIST, yet can also access the FTP server without problem from outside their PIX.

My config is pretty vanilla, with the default FTP fixup. Has anyone ever experienced this kind of problem, and could perhaps offer some hints as to what I can do to solve it? Thanks!!!

Lucius
 
Hi,
You appear to be experiencing a problem with active FTP. On your FTP client do you have an option to specify passive FTP? If so, try that. Or modify your ACL in such a way as to allow the FTP server to build an inbound connection to you where it has a source port of 20. I will not explain it to you, this web site does it better, but FTP is a horrible protocol and much more difficult to use than people realise:
Have a read at that and if you have any more problems just post them.

-Stephen
 
I forgot to mention, we tried using the PASV option on the FTP client, and tried many different clients, each experiencing the same error. Thanks for the insight!

Lucius
 
By the way, can you please explain what you mean by

"Or modify your ACL in such a way as to allow the FTP server to build an inbound connection to you where it has a source port of 20."?

I did try giving my local IP address a static global IP, then creating a conduit to the FTP server, but this did not help. Cisco told me this would only help if the syslog was returning "deny" errors, not a TCP Reset-I packet.

Thanks!!!
Lucius
 
Hi,
Build an ACL and apply it to the outside interface.
access-list ftp-in permit tcp host <ftpserverip> eq 20 host <my-ip>
access-group ftp-in in interface outside

In active sessions the server will build the inbound data path. According to the server it will create this port to random destination port A; in some cases this will be 20, in others it will be greater than 1023, but the source port will always be 20. So allow traffic to come from the server with source port 20 to your IP. Not the best solution security-wise, but a quick and dirty solution nonetheless.

-Stephen
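The two posts above turn on who opens the FTP data connection: in active mode the server connects back to the client from port 20 (which is why an inbound permit is needed), in passive mode the client connects out to a port the server announces (which an ordinary outbound policy already allows). The following is an added example, not code from the thread, Cisco, or any FTP implementation. It parses the two control-channel lines that announce a data connection (the client's PORT command and the server's 227 reply), works out the direction of the resulting TCP connection, applies the bounce-attack check that FTP inspection performs, and prints the inbound pinhole a firewall in front of the client would need. It also shows the address rewrite a NAT firewall's FTP inspection does on a PORT command. All addresses and control-channel lines are constructed for the example, and the `permit tcp ...` string it emits is illustrative, not PIX syntax.

```python
"""Active vs. passive FTP: which side opens the data connection, and what a
stateful firewall has to learn from the control channel to permit it.
All sample addresses and control-channel lines below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Tuple

FTP_ACTIVE_SRC_PORT = 20  # server's source port on an active-mode data connection

# h1,h2,h3,h4,p1,p2 as used by both PORT and the 227 reply
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active" or "passive"
    initiator: str   # which side sends the SYN for the data connection
    src_host: str
    src_port: int    # 0 means an ephemeral port chosen by the initiator
    dst_host: str
    dst_port: int


def _decode_hostport(groups) -> Tuple[str, int]:
    """Turn the six comma-separated bytes into (dotted host, port)."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in host/port spec")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def parse_port_command(line: str) -> Tuple[str, int]:
    """Client -> server: 'PORT h1,h2,h3,h4,p1,p2' (active mode)."""
    m = re.fullmatch(r"PORT\s+" + _HOSTPORT + r"\s*", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode_hostport(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Server -> client: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = re.match(r"227\b.*?\(" + _HOSTPORT + r"\)", line.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {line!r}")
    return _decode_hostport(m.groups())


def data_channel(client_ip: str, server_ip: str, control_line: str) -> DataChannel:
    """Describe the data connection announced by one control-channel line.

    Applies the bounce-attack check an inspecting firewall does: the address
    in a PORT command must be the client's own, and the address in a 227
    reply must be the server's; anything else asks to connect a third party.
    """
    stripped = control_line.lstrip()
    if stripped.upper().startswith("PORT"):
        host, port = parse_port_command(control_line)
        if host != client_ip:
            raise ValueError(f"PORT names {host}, not the client {client_ip} (bounce attempt?)")
        # Active mode: the SERVER connects back, from port 20, to the client.
        return DataChannel("active", "server", server_ip, FTP_ACTIVE_SRC_PORT, client_ip, port)
    if stripped.startswith("227"):
        host, port = parse_pasv_reply(control_line)
        if host != server_ip:
            raise ValueError(f"227 names {host}, not the server {server_ip}")
        # Passive mode: the CLIENT connects out, from an ephemeral port, to the server.
        return DataChannel("passive", "client", client_ip, 0, server_ip, port)
    raise ValueError("control line does not announce a data connection")


def inbound_pinhole(chan: DataChannel, inside_ip: str) -> Optional[str]:
    """The inbound permit a firewall protecting `inside_ip` must open for this
    data connection, or None when the connection is outbound and an ordinary
    outbound-permit policy already covers it. (Illustrative format, not PIX.)"""
    if chan.dst_host != inside_ip:
        return None
    src = f"{chan.src_host}:{chan.src_port or 'any'}"
    return f"permit tcp {src} -> {chan.dst_host}:{chan.dst_port}"


def rewrite_port_for_nat(line: str, global_ip: str) -> str:
    """What FTP inspection on a NAT firewall does to a PORT command: replace the
    inside address the client wrote with its translated outside address."""
    _host, port = parse_port_command(line)
    return f"PORT {global_ip.replace('.', ',')},{port // 256},{port % 256}"


if __name__ == "__main__":
    CLIENT, SERVER = "192.0.2.10", "198.51.100.7"   # constructed addresses
    active = data_channel(CLIENT, SERVER, "PORT 192,0,2,10,4,1")
    passive = data_channel(CLIENT, SERVER, "227 Entering Passive Mode (198,51,100,7,195,80)")
    print(active, "->", inbound_pinhole(active, CLIENT))     # server:20 -> client:1025
    print(passive, "->", inbound_pinhole(passive, CLIENT))   # None: client connects out
    print(rewrite_port_for_nat("PORT 10,0,0,5,4,1", "203.0.113.9"))
```

Run as a script it prints the active-mode pinhole (server port 20 to the client's announced port), shows that passive mode needs no inbound permit, and shows the rewritten PORT line. Lucius's symptom in the thread (login works, LIST resets) is exactly the data connection failing while the control connection stays up, and the PORT/227 parsing here is what a firewall's FTP fixup must do to open the right pinhole and rewrite the address when NAT is in play.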
 