Inbound FTP using PAT

Status
Not open for further replies.

heyburt

Technical User
Jan 6, 2003
6
NZ
We have a PIX 515 here, v6.2(2). We're using PAT to decide which internal server to go to depending on which service is requested, e.g.:
static (inside,outside) tcp 2.2.2.138 6869 1.1.1.139 6869 netmask 255.255.255.255 0 0
static (dmz,outside) tcp 2.2.2.138 ftp 1.1.1.21 ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 2.2.2.138 255.255.255.255 0 0

We have recently migrated our customer's (X) firewall from a Watchguard to the PIX. Before the migration, X's clients could FTP to the Watchguard using NATing similar to the above. Now when those clients are coming from another firewall, they can connect, but as soon as the password is accepted, it locks up. The logs show the following:

%PIX-6-302013: Built inbound TCP connection 161567 for outside:y.y.y.9/58069 (y.y.y.9/58069) to dmz:x.x.x.89/21 (2.2.2.138/21)
%PIX-6-302013: Built inbound TCP connection 161568 for outside:y.y.y.9/58070 (y.y.y.9/58070) to dmz:x.x.x.89/20 (2.2.2.138/1379)

Can anyone please explain the second line to me? I understand a DATA port (20) is opened up, but why is 1379 allocated to the global address, and could this be causing the lock-up?

Thanks heaps for any assistance.
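The following is an added example, not code from the thread or from either poster, that parses the two %PIX-6-302013 lines quoted above and flags the FTP connection whose port was rewritten in flight. The regex, the field names and the finding format are my own assumptions about the message layout as it appears in this post; the IP pattern allows letters only because the poster masked addresses as x.x.x.89 and y.y.y.9.

```python
import re

# Regex for the %PIX-6-302013 "Built ... TCP connection" message in the form quoted in the
# question above. Field names are my own. The IP class allows letters because the poster
# masked addresses as y.y.y.9 / x.x.x.89.
PIX_302013 = re.compile(
    r"%PIX-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>\w+):(?P<src_ip>[\w.]+)/(?P<src_port>\d+) "
    r"\((?P<src_map_ip>[\w.]+)/(?P<src_map_port>\d+)\) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\w.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_map_ip>[\w.]+)/(?P<dst_map_port>\d+)\)"
)

FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20

# The two log lines from the question, reused here as sample input.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 161567 for outside:y.y.y.9/58069 (y.y.y.9/58069) to dmz:x.x.x.89/21 (2.2.2.138/21)
%PIX-6-302013: Built inbound TCP connection 161568 for outside:y.y.y.9/58070 (y.y.y.9/58070) to dmz:x.x.x.89/20 (2.2.2.138/1379)
"""


def parse_302013(line):
    """Parse one 302013 line into a dict, or return None for any other line."""
    m = PIX_302013.search(line)
    if m is None:
        return None
    conn = m.groupdict()
    for key in ("conn_id", "src_port", "src_map_port", "dst_port", "dst_map_port"):
        conn[key] = int(conn[key])
    return conn


def port_rewritten(conn):
    """True when either endpoint's translated port differs from its real port (PAT, not 1:1 NAT)."""
    return (conn["src_port"] != conn["src_map_port"]
            or conn["dst_port"] != conn["dst_map_port"])


def ftp_pat_findings(log_text):
    """Report FTP connections (control or data channel) whose port was rewritten by PAT.

    Each finding pairs the real dmz socket with the global socket the client actually
    talked to, so an analyst can see at a glance where a port number changed in flight.
    """
    findings = []
    for line in log_text.splitlines():
        conn = parse_302013(line)
        if conn is None or conn["dst_port"] not in (FTP_CONTROL_PORT, FTP_DATA_PORT):
            continue
        if port_rewritten(conn):
            findings.append({
                "conn_id": conn["conn_id"],
                "channel": "data" if conn["dst_port"] == FTP_DATA_PORT else "control",
                "real": f'{conn["dst_if"]}:{conn["dst_ip"]}/{conn["dst_port"]}',
                "global": f'{conn["dst_map_ip"]}/{conn["dst_map_port"]}',
            })
    return findings


if __name__ == "__main__":
    for f in ftp_pat_findings(SAMPLE_LOG):
        print(f'conn {f["conn_id"]}: FTP {f["channel"]} channel reached {f["real"]} '
              f'via global {f["global"]} (port rewritten by PAT)')
```

Run against the two quoted lines, the control connection (21 to 21) produces no finding because the `static ... ftp ... ftp` entry maps the port one-to-one, while the data connection is reported: the real socket is dmz x.x.x.89/20 but the global socket the client saw is 2.2.2.138/1379. That is exactly the mismatch a `static` entry for port 20, as suggested in the reply below, is meant to remove; filtering a full syslog feed this way shows whether any other FTP data connections were given a PAT port.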
 
Hi.

Try to add this line at the server side pix:
static (dmz,outside) tcp 2.2.2.138 20 1.1.1.21 20

Does it help?

Instruct the remote client to use different FTP clients, such as (assuming the client runs MS Windows):
3rd party
Internet Explorer
FTP from the command line

When using a 3rd party FTP client, try different FTP modes, such as Standard and PASV, and check the results.

Did you consider using different IP addresses for each server instead of PAT?

Bye
Yizhar Hurwitz
 
The only thing that worked was changing the IP address of the server which had a PAT, 2.2.2.138, to a NAT instead. Problem went away. This was only a problem between site-to-site VPNs between FWs using PAT on both sides, from what I can see. I tried all the other things before; none of those worked. Thanks anyhow.
 