On Mon, Jan 26 2004 9:20 pm, user "Didier" posted the following message:

> I'm using ip inspect with access-lists. I would like to allow only passive ftp.
>
> Client is 10.0.39.179
> Server is: 192.168.58.4 (hosting anonymous ftp server)
>
> When the client tries to connect to the server I get the following error:
> 22:16:50: %FW-6-SESS_AUDIT_TRAIL: ftp session initiator (10.0.39.179:1683) sent 140 bytes -- responder (192.168.58.4:21) sent 1574 bytes
> 22:16:50: %FW-3-FTP_SESSION_NOT_AUTHENTICATED: Command issued before the session is authenticated -- FTP client 10.0.39.179 FTP server 192.168.58.4
> 22:16:51: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.39.179(1706) (Ethernet0 000c.85c9.e300) -> 192.168.58.4(64819), 1 packet
>
> What can I do to solve the problem?
>
> Authenticated users were able to log in! Now that I only allow anonymous users, the connection cannot be established?!

No replies were posted to this message.

Having just struggled with and subsequently solved this problem at our site, I thought it worthwhile sharing the solution here.

The config for the FTP server in our DMZ contained an option (no_anon_password) to prevent the server from asking for a password when the anonymous user logs on (i.e. the anonymous user will log straight in). However, the Cisco Firewall IOS relies on the fact that a password is provided by the client in order to satisfy its "ip inspect" rule for ftp. As far as the Cisco firewall is concerned, the FTP session *must* be password authenticated with the FTP server before further packets can be exchanged.

Therefore, ensure that the FTP (vsftpd) server config contains "no_anon_password=no" to overcome this problem.
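As an added example (not code from the original thread or from the vsftpd or Cisco projects), the small audit script below ties the two halves of this post together: it parses a vsftpd.conf-style file, tells you whether anonymous logins would skip the PASS command that the IOS "ip inspect" FTP tracker expects, rewrites the offending setting to no_anon_password=NO, and scans syslog lines for the %FW-3-FTP_SESSION_NOT_AUTHENTICATED signature quoted above. It assumes vsftpd's documented boolean syntax (YES/TRUE/1 and NO/FALSE/0, case-insensitive) and the IOS message format exactly as quoted in the post; the config content and log lines embedded here are constructed samples modelled on the post.

```python
import re

# Constructed sample vsftpd.conf (not from the post): the only setting that
# matters here is no_anon_password, which the post identifies as the cause.
SAMPLE_VSFTPD_CONF = """\
# constructed sample config
listen=YES
anonymous_enable=YES
local_enable=NO
no_anon_password=YES
"""

# Constructed sample Cisco IOS syslog lines modelled on those quoted in the post.
SAMPLE_SYSLOG = [
    "22:16:50: %FW-6-SESS_AUDIT_TRAIL: ftp session initiator (10.0.39.179:1683) "
    "sent 140 bytes -- responder (192.168.58.4:21) sent 1574 bytes",
    "22:16:50: %FW-3-FTP_SESSION_NOT_AUTHENTICATED: Command issued before the "
    "session is authenticated -- FTP client 10.0.39.179 FTP server 192.168.58.4",
    "22:16:51: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.39.179(1706) "
    "(Ethernet0 000c.85c9.e300) -> 192.168.58.4(64819), 1 packet",
]


def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and '#' comment lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line; vsftpd itself would reject it
        settings[key.strip()] = value.strip()
    return settings


def as_bool(value):
    """vsftpd boolean option values: YES/TRUE/1 or NO/FALSE/0, case-insensitive."""
    v = value.strip().upper()
    if v in ("YES", "TRUE", "1"):
        return True
    if v in ("NO", "FALSE", "0"):
        return False
    raise ValueError(f"not a vsftpd boolean: {value!r}")


def anon_login_skips_pass(settings):
    """True when anonymous logins skip the PASS exchange the IOS FTP inspector
    waits for. Assumed defaults: no_anon_password=NO (documented) and
    anonymous_enable=YES (2004-era builds; vsftpd 3.x defaults it to NO)."""
    if not as_bool(settings.get("anonymous_enable", "YES")):
        return False  # no anonymous logins at all, so the setting is moot
    return as_bool(settings.get("no_anon_password", "NO"))


def remediated_conf(text):
    """Return the config text with no_anon_password forced to NO (appended if absent)."""
    out, seen = [], False
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key == "no_anon_password":
            out.append("no_anon_password=NO")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append("no_anon_password=NO")
    return "\n".join(out) + "\n"


# Signature from the post: the firewall saw an FTP command before authentication.
FW_NOT_AUTH = re.compile(
    r"%FW-3-FTP_SESSION_NOT_AUTHENTICATED:.*FTP client (\S+) FTP server (\S+)"
)


def find_unauthenticated_ftp_sessions(lines):
    """Return (client, server) pairs for every FW-3-FTP_SESSION_NOT_AUTHENTICATED line."""
    hits = []
    for line in lines:
        m = FW_NOT_AUTH.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_VSFTPD_CONF)
    print("anonymous login skips PASS:", anon_login_skips_pass(conf))
    print("IOS not-authenticated hits:", find_unauthenticated_ftp_sessions(SAMPLE_SYSLOG))
    fixed = parse_vsftpd_conf(remediated_conf(SAMPLE_VSFTPD_CONF))
    print("after fix, skips PASS:", anon_login_skips_pass(fixed))
```

Run against the real file with `parse_vsftpd_conf(open("/etc/vsftpd.conf").read())` and against a syslog export with `find_unauthenticated_ftp_sessions(...)`: a config that reports True together with FW-3 hits for that server is the situation the post describes, and the remediated config is the fix it recommends.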