FTP to a Secure site

flaz (IS-IT--Management)
May 23, 2002
I have a client with a PIX 501 6.3 OS and can't FTP to our secure site on port 991. We opened these ports on this PIX but it still fails. From a desktop there I can FTP to port 21 without issues but not 991. But from a desktop I can type in "Telnet xxx.xxx.xxx.xxx 991" and get a return but when FTP'ing it can't find it.
Any ideas?
 
Time to read about fixup protocol ftp.
Standard FTP on a non-standard port won't be easy to get working. If it was on a standard port, the fixup protocol ftp would help you. You can try using passive FTP and open the other port, which is usually 1024, but you might want to look that up as well.
 
Well you're nearly there, but getting standard ftp to work on a non-standard port is actually very easy. That's exactly what the fixup protocol ftp command does.

It tells the pix to expect ftp traffic to initiate on a certain port, and also to anticipate data coming back on a random high-numbered port from that destination, so the pix dynamically opens that high-numbered port when required. To get this to work you just need to enter the following into your config:

fixup protocol ftp 991

More detail about fixup commands is here
CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
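What the fixup engine actually does on the control channel, as an added example that is not from the thread or from Cisco: it reads the PORT commands the client sends (active mode) and the 227 replies the server sends (passive mode), pulls the host and port out of them, and opens a pinhole for exactly that endpoint rather than a fixed "usually 1024" port. The session, the addresses and the speaker labels are constructed for the example; the refusal of a PORT command naming a host other than the client is the check an inspector needs against FTP bounce, added here as a design choice rather than a statement of what the PIX 6.3 code does.

```python
"""FTP control-channel inspection: find the data-channel endpoint.

Added example (not from the thread): this is the job 'fixup protocol ftp'
does for the control port you name. It reads the control channel, extracts
the host/port from a PORT command (active mode) or a 227 reply (passive
mode), and opens a pinhole for exactly that endpoint. The session below is
constructed for the example.
"""
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 from the client; 227 ... (h1,h2,h3,h4,p1,p2) from the server
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    direction: str   # "to-client": server opens the data connection; "to-server": client does
    ip: str
    port: int


def _endpoint(octets):
    """Turn the six comma-separated decimals into (ip, port); port = p1*256 + p2."""
    vals = [int(o) for o in octets]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range: %r" % (octets,))
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]


def pinholes_for_session(lines, client_ip):
    """Walk (speaker, line) pairs of one control session.

    Returns (accepted, rejected). A PORT command naming a host other than the
    client that sent it is the classic FTP bounce; the inspector refuses to
    open a pinhole for it, so those lines land in 'rejected'.
    """
    accepted, rejected = [], []
    for speaker, line in lines:
        line = line.rstrip("\r\n")
        if speaker == "client":
            m = PORT_RE.match(line)
            if not m:
                continue
            ip, port = _endpoint(m.groups())
            if ip != client_ip:
                rejected.append(line)
            else:
                accepted.append(Pinhole("to-client", ip, port))
        else:
            m = PASV_RE.match(line)
            if m:
                ip, port = _endpoint(m.groups())
                accepted.append(Pinhole("to-server", ip, port))
    return accepted, rejected


# Constructed sample session; addresses are documentation ranges, not the thread's hosts.
SESSION = [
    ("server", "220 ftp ready"),
    ("client", "USER demo"),
    ("server", "331 password required"),
    ("client", "PASS secret"),
    ("server", "230 logged in"),
    ("client", "PORT 192,168,1,10,4,210"),                          # active: 4*256+210 = 1234
    ("server", "200 PORT command successful"),
    ("client", "LIST"),
    ("client", "PORT 203,0,113,99,0,25"),                           # bounce attempt toward port 25
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,5,195,80)"),   # passive: 195*256+80 = 50000
    ("client", "RETR report.txt"),
]

if __name__ == "__main__":
    ok, bad = pinholes_for_session(SESSION, "192.168.1.10")
    for hole in ok:
        print("open pinhole", hole)
    for line in bad:
        print("REFUSED (bounce)", line)
```

The point for the thread: the inspector has to know which control port to watch, which is why `fixup protocol ftp 991` is needed alongside the default `fixup protocol ftp 21`; without it the 991 session is just an opaque TCP connection and the data channel never gets its pinhole.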
 
Here are my configs; I already have these commands in. Sorry, it's kind of long.
Please take a look and let me know where I went wrong.
Thanks
Fred
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 991
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service TCP-OUT tcp
port-object eq telnet
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
object-group service UDP-OUT udp
port-object eq domain
port-object eq ntp
object-group service udp-out udp
access-list inside_access_in permit tcp any any object-group TCP-OUT
access-list inside_access_in permit udp any any object-group UDP-OUT
access-list inside_outbound_nat0_acl permit ip any xxx.xxx.xxx.xxx 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any xxx.xxx.xxx.xxx 255.255.255.224
access-list outside_cryptomap_dyn_20 permit ip any xxx.xxx.xxx.xxx 255.255.255.224
access-list outside_cryptomap_dyn_40 permit ip any xxx.xxx.xxx.xxx 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-vpn xxx.xxx.xxx.xxx
ip local pool ipsec-vpn xxx.xxx.xxx.xxx
pdm location 0.0.0.0 0.0.0.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.0 inside
pdm location xxx.xxx.xxx.xxx 255.255.255.224 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inside_access_in in interface inside
conduit permit tcp host xxx.xxx.xxx.xxx eq ftp-data any
conduit permit tcp host xxx.xxx.xxx.xxx eq ftp any
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup ipsec-vpn address-pool ipsec-vpn
vpngroup ipsec-vpn dns-server xxx.xxx.xxx.xxx
vpngroup ipsec-vpn default-domain XXX
vpngroup ipsec-vpn idle-time 1800
vpngroup ipsec-vpn password ********
vpngroup ssimedVPN address-pool ipsec-vpn
vpngroup ssimedVPN dns-server xxx.xxx.xxx.xxx
vpngroup ssimedVPN default-domain XXX
vpngroup ssimedVPN idle-time 1800
vpngroup ssimedVPN password ********
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto
vpdn group PPTP-VPDN-GROUP client configuration address local pptp-vpn
vpdn group PPTP-VPDN-GROUP client configuration dns xxx.xxx.xxx.xxx
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username YYY password ********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
 
Well you've got an access-list bound to the inside interface of your pix (called "inside_access_in") that only allows out telnet (to port 23), http, https, ftp and dns traffic. So it blocks traffic going out to port 991.

How you manage to telnet to the remote destination on port 991 is beyond me. The access list should block you. I can only assume that you're actually telnetting to port 23 rather than 991.

That notwithstanding, it should be easy enough to sort it out: you just need to allow traffic out through that access list to port 991. As your access list is defined to use the group of ports you set up in an object group called "TCP-OUT", you need to add port 991 to that object-group, as follows:

object-group service TCP-OUT tcp
port-object eq 991


Chico


CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
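A way to check that reasoning against the posted config rather than by eye, as an added example that is not from the thread: the script parses the `object-group service` blocks, the `access-list` entries and the `access-group` binding, then evaluates a destination port the way the PIX does (first matching entry wins, implicit deny at the end of a bound ACL). `CONFIG_BEFORE` is built from the lines quoted above; the inside and destination addresses used in the checks and the `NAMED_PORTS` table are assumptions for the example.

```python
"""Evaluate the PIX 6.x inside-interface ACL for an outbound port.

Added example, not from the thread: it parses the object-group service
blocks, the access-list lines and the access-group binding, then answers
whether traffic from an inside host to a destination port would pass.
CONFIG_BEFORE is built from the lines quoted in the thread; the host
addresses used in the checks are assumed, as is the NAMED_PORTS table.
"""
import ipaddress

NAMED_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
               "www": 80, "http": 80, "ntp": 123, "https": 443}


def _port(tok):
    return int(tok) if tok.isdigit() else NAMED_PORTS[tok.lower()]


def _addr(t, i):
    """Consume one address spec ('any', 'host A', or 'A MASK') at t[i]; return (network, next)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2


def _ports(t, i, groups):
    """Optional port spec: none (all ports), 'eq X', 'range A B' or 'object-group NAME'."""
    if i >= len(t):
        return [(0, 65535)]
    if t[i] == "eq":
        p = _port(t[i + 1])
        return [(p, p)]
    if t[i] == "range":
        return [(_port(t[i + 1]), _port(t[i + 2]))]
    if t[i] == "object-group":
        # The list object is shared, so a later re-entry of the same group
        # (which is how the fix is typed on the PIX CLI) is seen by this rule.
        return groups.setdefault(t[i + 1], [])
    raise ValueError("unsupported port spec: " + " ".join(t[i:]))


def parse_config(text):
    groups, acls, bound, current = {}, {}, {}, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object-group", "service"]:
            current = t[2]
            groups.setdefault(current, [])
        elif t[0] == "port-object" and current is not None:
            if t[1] == "eq":
                groups[current].append((_port(t[2]), _port(t[2])))
            elif t[1] == "range":
                groups[current].append((_port(t[2]), _port(t[3])))
        elif t[0] == "access-list":
            current = None
            name, action, proto = t[1], t[2], t[3]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            acls.setdefault(name, []).append((action, proto, src, dst, _ports(t, i, groups)))
        elif t[0] == "access-group":
            current = None
            bound[t[4]] = t[1]          # access-group NAME in interface IFACE
        else:
            current = None              # any other line ends object-group mode
    return groups, acls, bound


def permitted(text, iface, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; a bound ACL ends in an implicit deny."""
    groups, acls, bound = parse_config(text)
    name = bound.get(iface)
    if name is None:
        return True   # no ACL on the inside interface: higher-to-lower security traffic passes
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, ranges in acls.get(name, []):
        if p not in (proto, "ip") or src not in s or dst not in d:
            continue
        if any(lo <= dst_port <= hi for lo, hi in ranges):
            return action == "permit"
    return False


# Relevant lines from the thread's posted config.
CONFIG_BEFORE = """\
object-group service TCP-OUT tcp
  port-object eq telnet
  port-object eq www
  port-object eq domain
  port-object eq https
  port-object eq ftp
object-group service UDP-OUT udp
  port-object eq domain
  port-object eq ntp
access-list inside_access_in permit tcp any any object-group TCP-OUT
access-list inside_access_in permit udp any any object-group UDP-OUT
access-group inside_access_in in interface inside
"""
# The fix from the thread, entered the way the PIX CLI takes it.
CONFIG_AFTER = CONFIG_BEFORE + "object-group service TCP-OUT tcp\n  port-object eq 991\n"

if __name__ == "__main__":
    for port in (21, 23, 991):
        print("tcp/%d before: %s  after: %s" % (
            port,
            permitted(CONFIG_BEFORE, "inside", "tcp", "192.168.1.10", "203.0.113.5", port),
            permitted(CONFIG_AFTER, "inside", "tcp", "192.168.1.10", "203.0.113.5", port)))
```

Run against the original config, tcp/21 and tcp/23 pass and tcp/991 is dropped by the implicit deny, which is consistent with the reply above; with the extra `port-object eq 991` it passes. Separately from the FTP problem, the same posted config also carries `http 0.0.0.0 0.0.0.0 outside` and `snmp-server community public`, which expose PDM and SNMP read access to any address and are worth tightening on their own.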
 
I'll try that next.
 
Added the commands. My telnet test worked, but a quick test failed.
I always use the command line to set up my PIX. This was done by another vendor with PDM.
This client is going to drive me crazy!
Fred
 
Okay, I've been making some assumptions up till now, so better check that what I think is going on is right:

You're ftp-ing from an internal host to an ftp server off the outside interface, right?

If you ftp to it on port 991 without the pix in the way (ie, from a public ip), you can connect no problem? It's only when you try to connect through the pix there's a problem?

Despite the fact that there was previously an access list on the inside interface that blocked you telnetting to port 991, you could telnet to port 991? Can you explain how that might occur?



To be honest, the config now looks like it should work. The only other thing I'd do would be remove the conduit statements, as you shouldn't mix access-list and conduit statements.

Just issue a clear conduit, then a clear xlate.

After that, I think I'm probably out of ideas ....



CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
Maybe I misled you. When I say I can telnet, it's from a desktop behind the PIX, not from the PIX.
It could be the access-list and conduits causing the issues.
I will remove the conduits and see if that fixes the issue.
Thanks for all your help.
Fred
 