
Workaround for Active FTP (nat to nat)

Status
Not open for further replies.

Hagfish (MIS), Jan 20, 2005
We recently set up our PIX firewall and put several servers behind it, including a DMZ web server (30.30.30.x). Now that we've done this, one of our customers can no longer get a directory listing on our FTP site, as they have passive FTP disabled on their firewall, which is also NATting their workstations. Is there anything I can change in my PIX configuration that will allow them to get in with PORT-mode FTP, or are they just going to have to find a way to enable passive FTP on their side? Thanks!

--hag
 
Assuming they can connect to the FTP server, all you need on the PIX is make sure "fixup protocol ftp" is enabled. If not, then issue the command:

fixup protocol ftp 21

If your FTP server listens on a non-standard port then you need to enable that port with the fixup protocol:

fixup protocol ftp <non-standard port>
 
The "fixup protocol ftp 21" is already there. They can connect to the FTP server, but the directory listing times out because they can't use passive FTP. They're using PORT. Any other ideas?
 
On the PIX all you need are the following statements:

1) ACL allowing traffic on TCP port 21 (it is ok since they can connect).
2) A static translation for the FTP server (it is ok since they can connect).
3) fixup protocol ftp should be enabled (it is there).

The configuration on the PIX sounds good. Looks to me like the problem is on the application and not on the PIX.
 
Is it mandatory for clients that are trying to connect through their own firewall to use PASV when connecting to mine? Or is it still possible to use PORT? As it is right now, I can only use passive FTP from firewall to firewall. And unfortunately, our client has passive FTP blocked.
 
We ended up having the network admin on the client side make some changes to their router to get it to work.
 
I had the same situation and read other posts; the suggestion to use "no fixup protocol ftp" worked for me. Give it a try and let us know.
 