
fixup protocol ftp


DreamPowered (Technical User, US), Feb 23, 2005
Does the PIX support multiple entries for the fixup protocol ftp statement? I know that it accepts the command, but does it actually work?

ex:

fixup protocol ftp 21
fixup protocol ftp 1021

 
Yes it does! If you have more than one FTP server and they are listening on different ports, then you need more than one fixup entry.
 
Well something is not right then.

Let me see...

Here is the config:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
hostname PIX525
domain-name testing.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 1024
fixup protocol ftp 21
fixup protocol ftp 10020
fixup protocol ftp 10021
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 132.x.x.7 ftpserver
object-group service webconn tcp
description ports needed to connect to ftp_server
port-object eq ftp
port-object eq ftp-data
port-object eq 1021
port-object eq www
port-object eq 8080
port-object eq https
port-object eq 1364
port-object eq 1020
port-object range 32431 32461
object-group network dmz-servers
description local addresses for dmz servers
network-object host 192.168.131.10
network-object host 192.168.131.15
network-object host 192.168.131.16
network-object host 192.168.131.11
object-group service webconn-no-1364 tcp
description ports needed to connect to ftp_server
port-object eq ftp
port-object eq ftp-data
port-object eq 1021
port-object eq www
port-object eq 8080
port-object eq https
port-object eq 1020
port-object range 32431 32461
access-list compiled
access-list outside_in permit icmp any any
access-list outside_in permit icmp any host ftpserver echo
access-list outside_in remark outside access to ftpserver
access-list outside_in permit tcp any host ftpserver object-group webconn-no-1364
access-list dmz_in permit icmp any any
access-list dmz_in permit tcp object-group dmz-servers any object-group webconn
access-list dmz_in permit tcp object-group dmz-servers object-group mainframe eq 31064
access-list dmz_in permit tcp host ftpserver object-group mainframe eq 31064
access-list dmz_in permit tcp object-group dmz-servers any eq domain
access-list dmz_in permit udp object-group dmz-servers any eq domain
access-list dmz_in permit tcp host ftpserver any object-group webconn
access-list inside_acl deny tcp any any eq smtp
access-list inside_acl deny tcp any any eq 69
access-list inside_acl deny tcp any any eq 135
access-list inside_acl deny tcp any any eq netbios-ssn
access-list inside_acl deny tcp any any eq 445
access-list inside_acl deny tcp any any eq 4444
access-list inside_acl deny udp any any eq tftp
access-list inside_acl deny udp any any eq 135
access-list inside_acl deny udp any any eq 139
access-list inside_acl deny udp any any eq 445
access-list inside_acl permit ip any any
pager lines 15
logging on
logging timestamp
logging buffered informational
logging trap informational
logging host inside 10.110.10.250
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 132.x.x.5 255.255.255.128
ip address inside 192.168.10.21 255.255.255.0
ip address dmz 192.168.131.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
static (dmz,outside) ftpserver 192.168.131.11 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_acl in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 132.x.x.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
telnet timeout 30
ssh timeout 60
console timeout 5
terminal width 80

Any ideas why it would not be working?

Do I need a nat (dmz) 0 132.x.x.7 255.255.255.255 entry?
 
I believe that if it is FTPS the fixup entry won't work.

Computer/Network Technician
CCNA
 
From your config:

fixup protocol ftp 21
fixup protocol ftp 10020
fixup protocol ftp 10021
access-list outside_in permit tcp any host ftpserver object-group webconn-no-1364
object-group service webconn tcp
description ports needed to connect to ftp_server
port-object eq ftp
port-object eq ftp-data
port-object eq 1021
port-object eq www
port-object eq 8080
port-object eq https
port-object eq 1364
port-object eq 1020
port-object range 32431 32461

As you can see, you have enabled the fixups for ports 10020 and 10021, but on the access list you haven't opened these ports... you opened 1020 and 1021 instead.
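The mismatch pointed out above (a fixup on a port the outside ACL never opens) is easy to miss by eye in a long config, so here is a small checker that finds it mechanically. This is an added example, not code from the thread or from Cisco: it parses only the config forms that appear in the posted excerpt (fixup, service object-groups, tcp permit ACEs, static, access-group), the NAMED_PORTS table is an assumed subset of the service names the PIX accepts, and the config it runs on is a constructed excerpt of the one posted, with the elided public address left as 132.x.x.7.

```python
"""Cross-check a PIX config: every port named in 'fixup protocol ftp <port>'
should also be permitted by the ACL bound to the outside interface for the
host the static translation publishes.  Added example; not from the thread.
"""

# Constructed excerpt of the config posted in the thread (the public address
# is elided there as 132.x.x.7 and is kept that way; only the name matters).
CONFIG = """\
fixup protocol ftp 21
fixup protocol ftp 10020
fixup protocol ftp 10021
names
name 132.x.x.7 ftpserver
object-group service webconn-no-1364 tcp
description ports needed to connect to ftp_server
port-object eq ftp
port-object eq ftp-data
port-object eq 1021
port-object eq www
port-object eq 8080
port-object eq https
port-object eq 1020
port-object range 32431 32461
access-list outside_in permit icmp any any
access-list outside_in remark outside access to ftpserver
access-list outside_in permit tcp any host ftpserver object-group webconn-no-1364
static (dmz,outside) ftpserver 192.168.131.11 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

# Service names the PIX accepts in place of a port number (assumed subset).
NAMED_PORTS = {"ftp": 21, "ftp-data": 20, "www": 80, "http": 80, "https": 443,
               "smtp": 25, "domain": 53, "telnet": 23, "ssh": 22}

def port_value(tok):
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)

def parse_pix(text):
    """Pull out the pieces this check needs: ftp fixup ports, tcp service
    object-groups, tcp permit ACEs, statics (global -> local) and which ACL
    is applied to which interface."""
    fixups, groups, aces, statics, bound = set(), {}, [], {}, {}
    group = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["fixup", "protocol", "ftp"] and len(t) == 4:
            fixups.add(int(t[3]))
        elif t[:2] == ["object-group", "service"]:
            group = t[2]
            groups[group] = set()
        elif t[0] == "description":
            pass                          # stays inside the current object-group
        elif t[0] == "port-object" and group is not None:
            if t[1] == "eq":
                groups[group].add(port_value(t[2]))
            elif t[1] == "range":
                groups[group].update(range(int(t[2]), int(t[3]) + 1))
        else:
            group = None                  # any other line ends the object-group
            if t[0] == "access-list" and t[2:4] == ["permit", "tcp"]:
                aces.append((t[1], t[4:]))
            elif t[0] == "static":        # static (dmz,outside) <global> <local> ...
                statics[t[2]] = t[3]
            elif t[0] == "access-group":  # access-group <acl> in interface <if>
                bound[t[-1]] = t[1]
    return fixups, groups, aces, statics, bound

def address_spec(tokens):
    """Split off one address spec: 'any' | 'host X' | 'object-group X' | 'A MASK'."""
    if not tokens:
        return [], []
    n = 1 if tokens[0] == "any" else 2
    return tokens[:n], tokens[n:]

def permitted_to(aces, groups, host):
    """TCP destination ports that the given ACEs permit to 'host <host>'."""
    ports = set()
    for _, rest in aces:
        _src, rest = address_spec(rest)
        dst, port_spec = address_spec(rest)
        if dst != ["host", host]:
            continue
        if not port_spec:                 # no port clause: every port
            return set(range(1, 65536))
        if port_spec[0] == "eq":
            ports.add(port_value(port_spec[1]))
        elif port_spec[0] == "range":
            ports.update(range(int(port_spec[1]), int(port_spec[2]) + 1))
        elif port_spec[0] == "object-group":
            ports |= groups.get(port_spec[1], set())
    return ports

def unreachable_fixup_ports(text):
    """For each published host, the ftp fixup ports the outside ACL does not
    open.  A fixup on such a port inspects nothing, because no control
    connection can reach it from outside."""
    fixups, groups, aces, statics, bound = parse_pix(text)
    outside_aces = [a for a in aces if a[0] == bound.get("outside")]
    return {host: sorted(fixups - permitted_to(outside_aces, groups, host))
            for host in statics}

if __name__ == "__main__":
    for host, missing in unreachable_fixup_ports(CONFIG).items():
        print(host, "fixup ports not permitted by outside ACL:", missing or "none")
```

Run against the posted excerpt it reports `ftpserver` with `[10020, 10021]`: the fixup is listening for control connections on ports that the outside ACL never lets in, while 1020 and 1021, which the ACL does open, have no fixup. Fixing the typo on either side of that mismatch resolves it; the checker is a quick way to confirm that both sides agree after the change.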
 
Oops, that was a typo on my part.
Everything is 10021 and 10020 for the data. I removed the fixup on 10020 because that was in error.
 
Yes, everything works fine from the inside.
FTP active, passive, SSL.

On the outside, active does not work, SSL works but it displays the internal IP, and every once in a while passive does not work. Getting errors that the data channel could not be established.
 