Discussion in 'Cisco' started by nbj, Aug 25, 2006.

    nbj Guest

    On Mon, Jan 26 2004, 9:20 pm, user "Didier" posted the following:

    >I'm using ip inspect with access-lists. I would like to allow only passive ftp.
    >Client is
    >Server is: (hosting anonymous ftp server)
    >When a client tries to connect to the server I get the following error:
    >22:16:50: %FW-6-SESS_AUDIT_TRAIL: ftp session initiator (
    >sent 140 bytes -- responder ( sent 1574 bytes
    >22:16:50: %FW-3-FTP_SESSION_NOT_AUTHENTICATED: Command issued before the
    >session is authenticated -- FTP client FTP server
    >22:16:51: %SEC-6-IPACCESSLOGP: list 101 denied tcp
    >(Ethernet0 000c.85c9.e300) ->, 1 packet
    >What can I do to solve the problem?
    >Authenticated users were able to log in! Now that I only allow anonymous
    >users, the connection cannot be established?!

    No replies were posted to this message.
    Having just struggled and subsequently solved this problem at our site,
    I thought it worthwhile sharing the solution here. :)

    The config for the FTP server in our DMZ contained an option
    (no_anon_password) to prevent the server from asking for a password
    when the anonymous user logs on. (i.e. the anonymous user will log
    straight in.)

    However, the Cisco Firewall IOS relies on the fact that a password is
    provided by the client in order to satisfy its "ip inspect" rule for
    ftp. As far as the Cisco firewall is concerned, the FTP session *must*
    be password authenticated with the FTP server before further packets
    can be exchanged.

    Therefore, ensure that the FTP (vsftpd) server config contains
    "no_anon_password=no" to overcome this problem.
    nbj, Aug 25, 2006
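As an added illustration (not code from this thread), a simplified Python model of the inspect check nbj describes, run over two constructed anonymous-login exchanges: one where the server skips the password prompt (no_anon_password=YES) and one where it asks for one (no_anon_password=NO). The inspector logic is an assumption about the behaviour the post describes, not Cisco's implementation.

```python
# Added example: a simplified model of the FTP control-channel check the
# thread describes. Assumption (not Cisco's actual implementation): the
# inspector counts a session as authenticated only after USER, PASS and a
# 230 reply; any other client command before that is flagged, which is the
# condition behind %FW-3-FTP_SESSION_NOT_AUTHENTICATED.

def inspect_ftp_session(exchange):
    """exchange: list of (direction, line) with direction 'client'/'server'.
    Returns (authenticated, flagged) where flagged lists client commands
    sent before the session was authenticated."""
    saw_user = saw_pass = authenticated = False
    flagged = []
    for direction, line in exchange:
        if direction == "client":
            verb = line.split(" ", 1)[0].upper()
            if verb == "USER":
                saw_user = True
            elif verb == "PASS" and saw_user:
                saw_pass = True
            elif not authenticated:
                flagged.append(line)
        elif line[:3] == "230" and saw_user and saw_pass:
            authenticated = True  # server accepted the USER/PASS pair
    return authenticated, flagged


def anonymous_login(no_anon_password):
    """Constructed control-channel exchange for an anonymous vsftpd login.
    With no_anon_password=YES the server answers USER with 230 directly and
    the client never sends PASS; with NO it asks for one first (331).
    Addresses and replies are constructed sample values."""
    exchange = [("client", "USER anonymous")]
    if no_anon_password:
        exchange.append(("server", "230 Login successful."))
    else:
        exchange += [("server", "331 Please specify the password."),
                     ("client", "PASS ftp@example.invalid"),
                     ("server", "230 Login successful.")]
    exchange += [("client", "PASV"),   # passive mode, as in the question
                 ("server", "227 Entering Passive Mode (10,0,0,5,195,80).")]
    return exchange


if __name__ == "__main__":
    for setting in (True, False):
        ok, flagged = inspect_ftp_session(anonymous_login(setting))
        print(f"no_anon_password={'YES' if setting else 'NO'}: "
              f"authenticated={ok} flagged={flagged}")
```

With the password prompt skipped, the first PASV arrives before the inspector has seen a USER/PASS pair and is flagged; with the prompt enabled, the same PASV is accepted.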
