Client behind Linksys Router/FTP Server behind PIX

Discussion in 'Cisco' started by Corbin O'Reilly, May 25, 2004.

  1. Hi everyone. I am having a strange problem. I have an FTP server (running on
    port 8821) behind a PIX that is translated from a public address to a
    private address.

    Example:

    static (inside,outside) 205.152.0.8 10.1.4.278 netmask 255.255.255.255 0 0

    conduit permit tcp host 205.152.0.8 eq 8821 any

    If I dial-up to the internet with Earthlink and connect to 205.152.0.8 it
    works. If I connect from my home computer which is behind a Linksys DSL
    router it does not work. I suspect that this is some kind of NAT issue
    because when I used WSFTP Pro from behind the Linksys I see my home
    computer's internal IP address 192.168.1.8 referenced. Since the dial-up
    connection was a true public address and the DSL was through a router I
    think NAT definitely has something to do with it. The problem is I don't
    know if the problem lies with the PIX 515 or the Linksys DSL router. I would
    appreciate any help. Thanks.
    Corbin O'Reilly, May 25, 2004
    #1

  2. In article <dOMsc.3051$>,
    Corbin O'Reilly <> wrote:
    :Hi everyone. I am having a strange problem. I have an FTP server(running on
    :port 8821) behind a PIX that is translated from a public address to a
    :private address.

    :static (inside,outside) 205.152.0.8 10.1.4.278 netmask 255.255.255.255 0 0

    :conduit permit tcp host 205.152.0.8 eq 8821 any

    :The problem is I don't
    :know if the problem lies with the PIX 515 or the Linksys DSL router.

    Are you running PIX 4.4 software? If so, then you have to hope that
    someone remembers back that far.

    If you are running PIX 5.0 or later, then it's time for you to
    convert from conduits to access-lists. Conduits will not be supported
    in the next PIX software release.

    My personal policy is to not even -try- to debug configurations
    with conduits in them: Cisco has been saying for years that
    they don't promise that conduits work any more, and I don't consider
    it productive to try to debug something that might be a known system
    problem.
    --
    Scintillate, scintillate, globule vivific
    Fain would I fathom thy nature specific.
    Loftily poised on ether capacious
    Strongly resembling a gem carbonaceous. -- Anon
    Walter Roberson, May 25, 2004
    #2

  3. Okay. I was able to get this to work via PASV. I had to add the following
    line to my PIX 515 6.3(3) config: FIXUP PROTOCOL FTP 8821. Now I can access
    the FTP Server from behind my Linksys Router when I configure WSFTP Pro to
    be Passive. Non-Passive/Port/Active still does not work. I think I
    understand why now. Here is a quote from a tech: "Various internet protocols
    break with a vanilla NAT implementation. FTP for example, will operate in
    two modes, passive and active. NAT does not support active mode FTP, so
    clients must be found that will operate in passive mode." I guess this tells
    me that since my Linksys is doing NAT, Active FTP will never work. If anyone
    knows a way to get Active FTP to work please let me know. Thanks.

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:c906l6$9ch$...
    > In article <dOMsc.3051$>,
    > Corbin O'Reilly <> wrote:
    > :Hi everyone. I am having a strange problem. I have an FTP server(running on
    > :port 8821) behind a PIX that is translated from a public address to a
    > :private address.
    >
    > :static (inside,outside) 205.152.0.8 10.1.4.278 netmask 255.255.255.255 0 0
    >
    > :conduit permit tcp host 205.152.0.8 eq 8821 any
    >
    > :The problem is I don't
    > :know if the problem lies with the PIX 515 or the Linksys DSL router.
    >
    > Are you running PIX 4.4 software? If so, then you have to hope that
    > someone remembers back that far.
    >
    > If you are running PIX 5.0 or later, then it's time for you to
    > convert from conduits to access-lists. Conduits will not be supported
    > in the next PIX software release.
    >
    > My personal policy is to not even -try- to debug configurations
    > with conduits in them: Cisco has been saying for years that
    > they don't promise that conduits work any more, and I don't consider
    > it productive to try to debug something that might be a known system
    > problem.
    > --
    > Scintillate, scintillate, globule vivific
    > Fain would I fathom thy nature specific.
    > Loftily poised on ether capacious
    > Strongly resembling a gem carbonaceous. -- Anon
    Corbin O'Reilly, May 26, 2004
    #3
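
Added example, not part of any post in this thread: Python code showing why the internal address 192.168.1.8 appearing in the FTP session matters. It parses the address and port carried in PORT commands and 227 (passive) replies, flags an RFC 1918 address that a NAT device forwarded unchanged, and shows the rewrite an FTP-aware NAT (such as the PIX fixup on port 8821) performs. The addresses 203.0.113.20 and 10.1.4.20 and all data ports are constructed sample values.

```python
import ipaddress
import re

# PORT (client, active mode) and the 227 reply (server, passive mode) both carry
# h1,h2,h3,h4,p1,p2: an IPv4 address and a port split into two bytes.
HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hostport(line):
    """Return (ip, port) advertised by a PORT command or 227 reply, else None."""
    verb = line.split(None, 1)[0].upper() if line.strip() else ""
    match = HOSTPORT.search(line) if verb in ("PORT", "227") else None
    if match is None:
        return None
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        return None
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def check(line, seen_src):
    """Compare the advertised address with the source IP the far end sees."""
    parsed = parse_hostport(line)
    if parsed is None:
        return "no data-channel address"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(seen_src) and any(ip in net for net in RFC1918):
        return f"unrewritten private address {ip}:{port}"
    return f"ok {ip}:{port}"

def rewrite(line, public_ip, public_port):
    """Substitute the translated address and port, as an FTP-aware NAT would."""
    new = f"{public_ip.replace('.', ',')},{public_port // 256},{public_port % 256}"
    return HOSTPORT.sub(new, line, count=1)

if __name__ == "__main__":
    # Constructed control-channel lines; only 192.168.1.8 and 205.152.0.8 are from the thread.
    active = "PORT 192,168,1,8,4,15"
    passive = "227 Entering Passive Mode (10,1,4,20,195,80)"
    print(check(active, "203.0.113.20"))
    print(rewrite(active, "203.0.113.20", 40001))
    print(check(passive, "205.152.0.8"))
    print(rewrite(passive, "205.152.0.8", 50000))
```
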
