«

On Mon, Jan 26 2004 9:20 pm, user "Didier" posted the following
message.....

>I'm using ip inspect with access-lists. I would like to allow only passiv ftp.
>
>Client is 10.0.39.179
>Server is: 192.168.58.4 (hosting anonymous ftp server)
>
>When client try to connect to the server I get the following error:
>22:16:50: %FW-6-SESS_AUDIT_TRAIL: ftp session initiator (10.0.39.179:1683)
>sent 140 bytes -- responder (192.168.58.4:21) sent 1574 bytes
>22:16:50: %FW-3-FTP_SESSION_NOT_AUTHENTICATED: Command issued before the
>session is authenticated -- FTP client 10.0.39.179 FTP server 192.168.58.4
>22:16:51: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.39.179(1706)
>(Ethernet0 000c.85c9.e300) -> 192.168.58.4(64819), 1 packet
>
>What can I do to the solve the problem?
>
>Authenticated user where able to login! Now that I only allow anonymous
>users, the connection cannot be established?!

No replies were posted to this message.
Having just struggled and subsequently solved this problem at our site,
I thought it worthwhile sharing the solution here.

The config for the FTP server in our DMZ contained an option
(no_anon_password) to prevent the server from asking for a password
when the anonymous user logs on. (i.e. the anonymous user will log
straight in.)

However, the Cisco Firewall IOS relies on the fact that a password is
provided by the client in order to satisfy its "ip inspect" rule for
ftp. As far as the Cisco firewall is concerned, the FTP session *must*
be password authenticated with the FTP server before further packets
can be exchanged.

Therefore, ensure that the FTP (vsftpd) server config contains
"no_anon_password=no" to overcome this problem.