Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX can not deal with FTP onnon-standard ports

Status
Not open for further replies.

TamerAhmed

Technical User
Sep 11, 2006
19
EU
Hi

i have a problem with my PIX in dealing with ftp at different non-standradr port ( e.g 2121). I opened for the client this port and he configured his IIS ( Microsoft correctly no doubt about that). So once i connect to that server on that port ftp://IP:2121 the connection is up through the PIX using show conn | include <ip-address> UIOB, but the data connection can not be opened!!. I also removed from the global policy map the strict feature of this command inspect ftp strict, but i got the same!!. Soi ho do u think i can solve this problem?
 
I believe, someone please correct me if I am wrong, you need to use the following command on the PIX,

fixup protocol ftp 2121

By default the fixup protocol for ftp is port 21.

Hope this helps.

Jim W MCSE CCNA
Network Manager
 
sir,
First my OS is 7.2 not 6.x, second i don't want to globally modify the default behaviour of the PIX for its special handling to FTP traffic ( i.e for only specific client FTP traffic). Third why with using show conn i found that the connection is UIOB ( UP,Inbound traffic,Outbound traffic) , but actaully the data channel was not established. Finally if one standard active FTP control port is on 21 and data on 20, what is the ports used if i used non-standard port ( e.g 2121 control, then which port will be the data port)
 
Are you connecting from inside your pix to their external ftp server? Are you using Active or Passive FTP?

The fixup command still works on 7x code. It just translates it into the global inspect policy. You can add a fixup for a protocol on another port adds that to policy, not replaces it. So adding globally isn't a problem. If you really want to be specific, you can use the inspect policy with ACLs for granular control.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi,

Thank you for your help.I already solved it, i just was confused as i thought at the begining changing from global configuration mode the default inspection for FTP service would change globally the whole inspection process plus replacing it with the new policy not adding to this policy ( i.e you may inspect FTP service on more than one port). This was my problem

Again Thanks for help
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top