Velocity Reviews - Computer Hardware Reviews

Microsoft FTP behind Cisco PIX

#
01-07-2004
Hi,

Our Cisco PIX firewall connection allows persons to log into the FTP servers
inside our network (connections from outside) on ports 21 and 1021 (two
servers).

However, when attempting to do a DIR, port 1021 simply hangs yet port 21
works.

Have done a fixup on both port numbers, traffic is obviously ok cos I can
get the login box etc on both servers.

What obvious thing have I missed this time?

Ta

Fat


 
Walter Roberson
01-07-2004
In article <pRVKb.9034$(E-Mail Removed)>,
# <(E-Mail Removed)> wrote:
:Our cisco PIX firewall connection allows persons to log into the FTP servers
:inside our network (connections from outside) on ports 21 and 1021 (two
:servers)

:However, when attempting to do a DIR , port 1021 simply hangs yet port 21
:works.

:Have done a fixup on both port numbers, traffic is obviously ok cos I can
:get the login box etc on both servers.

:What obvious thing have I missed this time?

You have missed that port 21 is only for control connections.
Doing a 'dir' involves a data connection, which requires port 20.
If you re-examine your ACL for the port 21 ('ftp') connection,
you will find you have also opened port 20 ('ftp-data').

The ftp standard says that the data connection is always one lower
than the control connection, so what you need to do is open
the port before 1021 (i.e., 1020) to the second server.
--
Beware of bugs in the above code; I have only proved it correct,
not tried it. -- Donald Knuth
 
Fatman Superstar
01-07-2004
Didn't have port 20 open before but worked fine on port 21.

Have opened port 20 and tried various combos of fixup on 20, 21, 1020 and
1021 and still the same.

Thanks for your help, any further advice greatly appreciated.

Thanks

AJ

"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:bthack$ib8$(E-Mail Removed)...
> In article <pRVKb.9034$(E-Mail Removed)>,
> # <(E-Mail Removed)> wrote:
> :Our cisco PIX firewall connection allows persons to log into the FTP servers
> :inside our network (connections from outside) on ports 21 and 1021 (two
> :servers)
>
> :However, when attempting to do a DIR , port 1021 simply hangs yet port 21
> :works.
>
> :Have done a fixup on both port numbers, traffic is obviously ok cos I can
> :get the login box etc on both servers.
>
> :What obvious thing have I missed this time?
>
> You have missed that port 21 is only for control connections.
> Doing a 'dir' involves a data connection, which requires port 20.
> If you re-examine your ACL for the port 21 ('ftp') connection,
> you will find you have also opened port 20 ('ftp-data')
>
> The ftp standard says that the data connection is always one lower
> than the control connection, so what you need to do is open
> the port before 1021 (i.e., 1020) to the second server.
> --
> Beware of bugs in the above code; I have only proved it correct,
> not tried it. -- Donald Knuth



 
Rik Bain
01-07-2004
On Wed, 07 Jan 2004 14:01:03 -0600, Fatman Superstar wrote:

> Didn't have port 20 open before but worked fine on port 21.
>
> Have opened port 20 and tried various combos of fixup on 20, 21, 1020
> and 1021 and still the same.
>
> Thanks for your help, any further advice greatly appreciated.
>
> Thanks
>
> AJ
>


Should not need to open TCP/20 if using the fixup. The fixup will open
it if needed, plus that connection will be from the inside out if using
active FTP.

Really need to look at the logs. Also, is this FTP
server the same as the one that works on TCP/21, meaning same version of
OS, FTP service, etc.?

Rik Bain
 
Walter Roberson
01-07-2004
In article <(E-Mail Removed) g>,
Rik Bain <(E-Mail Removed)> wrote:
:Should not need to open TCP/20 if using the fixup

That leads to an interesting point: has the original poster done
a 'fixup protocol ftp 1021'?
--
Is "meme" descriptive or prescriptive? Does the knowledge that
memes exist not subtly encourage the creation of more memes?
-- A Child's Garden Of Memes
 
Fatman Superstar
01-07-2004
It's an MS IIS FTP server. I change the port to be either 21 or 1021 and it
only runs on 21.

Cheers

AJ
"Rik Bain" <(E-Mail Removed)> wrote in message
news(E-Mail Removed) z.org...
> On Wed, 07 Jan 2004 14:01:03 -0600, Fatman Superstar wrote:
>
> > Didnt have port 20 open before but worked fine on port 21.
> >
> > Have opened port 20 and tried various combos of fixup on 20, 21, 1020
> > and 1021 and still the same.
> >
> > Thanks for your help, any further advice greatly appreciated.
> >
> > Thanks
> >
> > AJ
> >

>
> Should not need to open TCP/20 if using the fixup. The fixup will open
> it if needed, plus that connection will be from the inside out if using
> active FTP.
>
> Really need to look at the logs. Also, is this FTP
> server the same as the one that works on TCP/21, meaning same version of
> OS, FTP service, etc.
>
> Rik Bain



 
Fatman Superstar
01-07-2004
Yes it has (sorry, I am mr #)


"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:bthqvk$pjh$(E-Mail Removed)...
> In article <(E-Mail Removed) g>,
> Rik Bain <(E-Mail Removed)> wrote:
> :Should not need to open TCP/20 if using the fixup
>
> That leads to an interesting point: has the original poster done
> a fixup protocol ftp 1021 ?
> --
> Is "meme" descriptive or prescriptive? Does the knowledge that
> memes exist not subtly encourage the creation of more memes?
> -- A Child's Garden Of Memes



 
Rik Bain
01-07-2004
On Wed, 07 Jan 2004 15:12:15 -0600, Fatman Superstar wrote:

> It's an MS IIS FTP server. I change the port to be either 21 or 1021 and
> it only runs on 21.
>
> Cheers
>
> AJ



OK, so you did test it internally to make sure it does in fact work on
port 1021, right?

Do you have an access-list applied to the interface the server hangs off
of (not outside, but internal interface)?

Is the translation from the server to the outside a 1-to-1 or static PAT?
Should work with either, but find out anyway.

Also, what version of PIX code?


Might want to enable logging and have a look there; the PIX is pretty good
about letting you know if it is blocking traffic, or denying it for some
other reason.



Rik Bain
 
Fatman Superstar
01-07-2004
> OK, so you did test it internally to make sure it does in fact work on
> port 1021, right?


Correct, the DIR works internally on both ports, the problem occurs past the
PIX.

>
> Do you have an access-list applied to the interface the server hangs off
> of (not outside, but internal interface)?


Yes, permit TCP 20, 21, 1020, 1021 from selected outside to inside host.

>
> Is the translation from the server to the outside a 1-to-1 or static PAT?
> Should work with either, but find out anyway.
>


static(inside,outside) command.

> Also, what version of pix code?


6.3(3).

>Logging


Denied a few ACKs and SYNs.

Thanks again for any information.

Ta

AJ




 
Ron Bandes
01-07-2004
Right; you must let fixup take care of the data connection because the
standard does NOT say that the data connection's server-port must be one
less than the control connection's port. It is only recommended to be so.
I have seen an implementation of FTP that doesn't follow this
recommendation, and it works fine.

Ron Bandes
CTT, CCNP, etc.

"Rik Bain" <(E-Mail Removed)> wrote in message
news(E-Mail Removed) z.org...
> On Wed, 07 Jan 2004 14:01:03 -0600, Fatman Superstar wrote:
>
> > Didn't have port 20 open before but worked fine on port 21.
> >
> > Have opened port 20 and tried various combos of fixup on 20, 21, 1020
> > and 1021 and still the same.
> >
> > Thanks for your help, any further advice greatly appreciated.
> >
> > Thanks
> >
> > AJ
> >

>
> Should not need to open TCP/20 if using the fixup. The fixup will open
> it if needed, plus that connection will be from the inside out if using
> active FTP.
>
> Really need to look at the logs. Also, is this FTP
> server the same as the one that works on TCP/21, meaning same version of
> OS, FTP service, etc.
>
> Rik Bain
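To make the thread's three points concrete, here is a small Python model, added to this page and not Cisco's code or the PIX fixup implementation, of what an FTP inspection engine has to derive from the control channel: the separate data connection Walter describes, the fact that in active mode it is opened from the inside out as Rik says, and Ron's caveat that the server's data port is only recommended, not required, to be one below the control port, so a fixed rule for port 1020 cannot stand in for inspection. The addresses, ports and session lines are constructed for the illustration, and it also covers passive mode (227 replies), which the thread does not discuss.

```python
"""Added illustration (not PIX code) of what an FTP inspection engine, the
PIX 'fixup', must derive from the control channel to permit the data
connection. Assumes a single control session between CLIENT and SERVER."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 encodes host and port as six decimal bytes: h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One data connection the firewall must let through."""
    direction: str            # "inbound": outside -> inside, "outbound": inside -> outside
    src_ip: str
    src_port: Optional[int]   # None: any source port
    dst_ip: str
    dst_port: int


def _decode(groups):
    """Turn the six captured byte strings into (ip, port)."""
    b = [int(g) for g in groups]
    if any(not 0 <= x <= 255 for x in b):
        raise ValueError("byte out of range in host/port spec")
    return f"{b[0]}.{b[1]}.{b[2]}.{b[3]}", b[4] * 256 + b[5]


def data_pinhole(line: str, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Return the data-connection pinhole implied by one control-channel line.

    Commands are taken to flow client -> server and replies server -> client.
    A PORT that names a host other than the client itself, or a privileged
    port, is refused rather than opened (the classic FTP bounce check).
    """
    m = PORT_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        if host != client_ip or port < 1024:
            raise ValueError(f"refusing PORT to {host}:{port}")
        # Active mode: the server (inside) connects out to the client's port.
        # Its source port is usually control-port minus one (20 for 21, 1020
        # for 1021), but that is only a recommendation, so it is not pinned.
        return Pinhole("outbound", server_ip, None, client_ip, port)
    m = PASV_RE.match(line)
    if m:
        _host, port = _decode(m.groups())
        # Passive mode: the client (outside) connects in to a port the server
        # chose. A real inspector would also rewrite the address in this reply
        # when the server sits behind a static translation; omitted here.
        return Pinhole("inbound", client_ip, None, server_ip, port)
    return None


def static_rule_covers(ph: Pinhole, inbound_ports: set) -> bool:
    """Would a fixed inbound ACL ('permit tcp any host <server> eq <port>' for
    each port in inbound_ports) have allowed this data connection?"""
    return ph.direction == "inbound" and ph.dst_port in inbound_ports


# Constructed sample session (not taken from the thread): the control
# connection is to port 1021, and the static ACL opens only 1020 and 1021.
CLIENT, SERVER = "203.0.113.7", "192.0.2.10"
STATIC_PORTS = {1020, 1021}
SAMPLE_LINES = [
    "USER anonymous",
    "PORT 203,0,113,7,16,5",                          # client listens on 16*256+5 = 4101
    "227 Entering Passive Mode (192,0,2,10,11,225)",  # server picked 11*256+225 = 3041
    "PORT 198,51,100,9,4,1",                          # third-party host: refused
]


def walk(lines=SAMPLE_LINES):
    """Apply the inspector to each line; returns (line, result, covered) triples."""
    report = []
    for line in lines:
        try:
            ph = data_pinhole(line, CLIENT, SERVER)
        except ValueError as err:
            report.append((line, str(err), False))
            continue
        if ph is not None:
            report.append((line, ph, static_rule_covers(ph, STATIC_PORTS)))
    return report


if __name__ == "__main__":
    for line, result, covered in walk():
        print(f"{line!r:50} -> {result}  static ACL suffices: {covered}")
```

Run as a script, it walks the sample session: the active-mode data connection is outbound to an ephemeral client port and the passive one is inbound to a server-chosen port, and neither is matched by an ACL that permits only 1020 and 1021. That is the shape of the symptom in this thread (login on the control port works, the directory listing on the data connection does not), and it is why the inspection engine, not a fixed port-minus-one rule, has to open the data connection.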



 