Microsoft FTP behind Cisco PIX

Discussion in 'Cisco' started by #, Jan 7, 2004.

  1. #

    # Guest

    Hi,

    Our cisco PIX firewall connection allows persons to log into the FTP servers
    inside our network (connections from outside) on ports 21 and 1021 (two
    servers)

    However, when attempting to do a DIR, port 1021 simply hangs yet port 21
    works.

    Have done a fixup on both port numbers, traffic is obviously ok cos I can
    get the login box etc on both servers.

    What obvious thing have I missed this time?

    Ta

    Fat
     
    #, Jan 7, 2004
    #1

  2. In article <pRVKb.9034$>,
    # <> wrote:
    :Our cisco PIX firewall connection allows persons to log into the FTP servers
    :inside our network (connections from outside) on ports 21 and 1021 (two
    :servers)

    :However, when attempting to do a DIR, port 1021 simply hangs yet port 21
    :works.

    :Have done a fixup on both port numbers, traffic is obviously ok cos I can
    :get the login box etc on both servers.

    :What obvious thing have I missed this time?

    You have missed that port 21 is only for control connections.
    Doing a 'dir' involves a data connection, which requires port 20.
    If you re-examine your ACL for the port 21 ('ftp') connection,
    you will find you have also opened port 20 ('ftp-data')

    The ftp standard says that the data connection is always one lower
    than the control connection, so what you need to do is open
    the port before 1021 (i.e., 1020) to the second server.
    --
    Beware of bugs in the above code; I have only proved it correct,
    not tried it. -- Donald Knuth
     
    Walter Roberson, Jan 7, 2004
    #2

  3. Didn't have port 20 open before but worked fine on port 21.

    Have opened port 20 and tried various combos of fixup on 20, 21, 1020 and
    1021 and still the same.

    Thanks for your help, any further advice greatly appreciated.

    Thanks

    AJ

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bthack$ib8$...
    > In article <pRVKb.9034$>,
    > # <> wrote:
    > :Our cisco PIX firewall connection allows persons to log into the FTP servers
    > :inside our network (connections from outside) on ports 21 and 1021 (two
    > :servers)
    >
    > :However, when attempting to do a DIR, port 1021 simply hangs yet port 21
    > :works.
    >
    > :Have done a fixup on both port numbers, traffic is obviously ok cos I can
    > :get the login box etc on both servers.
    >
    > :What obvious thing have I missed this time?
    >
    > You have missed that port 21 is only for control connections.
    > Doing a 'dir' involves a data connection, which requires port 20.
    > If you re-examine your ACL for the port 21 ('ftp') connection,
    > you will find you have also opened port 20 ('ftp-data')
    >
    > The ftp standard says that the data connection is always one lower
    > than the control connection, so what you need to do is open
    > the port before 1021 (i.e., 1020) to the second server.
    > --
    > Beware of bugs in the above code; I have only proved it correct,
    > not tried it. -- Donald Knuth
     
    Fatman Superstar, Jan 7, 2004
    #3
  4. #

    Rik Bain Guest

    On Wed, 07 Jan 2004 14:01:03 -0600, Fatman Superstar wrote:

    > Didn't have port 20 open before but worked fine on port 21.
    >
    > Have opened port 20 and tried various combos of fixup on 20, 21, 1020
    > and 1021 and still the same.
    >
    > Thanks for your help, any further advice greatly appreciated.
    >
    > Thanks
    >
    > AJ
    >


    Should not need to open TCP/20 if using the fixup. The fixup will open
    it if needed, plus that connection will be from the inside out if using
    active FTP.

    Really need to look at the logs. Also, is this FTP
    server the same as the one that works on TCP/21, meaning same version of
    OS, FTP service, etc.

    Rik Bain
     
    Rik Bain, Jan 7, 2004
    #4
  5. In article <>,
    Rik Bain <> wrote:
    :Should not need to open TCP/20 if using the fixup

    That leads to an interesting point: has the original poster done
    a fixup protocol ftp 1021 ?
    --
    Is "meme" descriptive or prescriptive? Does the knowledge that
    memes exist not subtly encourage the creation of more memes?
    -- A Child's Garden Of Memes
     
    Walter Roberson, Jan 7, 2004
    #5
  6. It's a MS IIS ftp server. I change the port to be either 21 or 1021 and it
    only runs on 21.

    Cheers

    AJ
    "Rik Bain" <> wrote in message
    news:p...
    > On Wed, 07 Jan 2004 14:01:03 -0600, Fatman Superstar wrote:
    >
    > > Didn't have port 20 open before but worked fine on port 21.
    > >
    > > Have opened port 20 and tried various combos of fixup on 20, 21, 1020
    > > and 1021 and still the same.
    > >
    > > Thanks for your help, any further advice greatly appreciated.
    > >
    > > Thanks
    > >
    > > AJ
    > >

    >
    > Should not need to open TCP/20 if using the fixup. The fixup will open
    > it if needed, plus that connection will be from the inside out if using
    > active FTP.
    >
    > Really need to look at the logs. Also, is this FTP
    > server the same as the one that works on TCP/21, meaning same version of
    > OS, FTP service, etc.
    >
    > Rik Bain
     
    Fatman Superstar, Jan 7, 2004
    #6
  7. Yes it has (sorry, I am mr #)


    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bthqvk$pjh$...
    > In article <>,
    > Rik Bain <> wrote:
    > :Should not need to open TCP/20 if using the fixup
    >
    > That leads to an interesting point: has the original poster done
    > a fixup protocol ftp 1021 ?
    > --
    > Is "meme" descriptive or prescriptive? Does the knowledge that
    > memes exist not subtly encourage the creation of more memes?
    > -- A Child's Garden Of Memes
     
    Fatman Superstar, Jan 7, 2004
    #7
  8. #

    Rik Bain Guest

    On Wed, 07 Jan 2004 15:12:15 -0600, Fatman Superstar wrote:

    > It's a MS IIS ftp server. I change the port to be either 21 or 1021 and
    > it only runs on 21.
    >
    > Cheers
    >
    > AJ



    OK, so you did test it internally to make sure it does in fact work on
    port 1021, right?

    Do you have an access-list applied to the interface the server hangs off
    of (not outside, but internal interface)?

    Is the translation from the server to the outside a 1-to-1 or static PAT?
    Should work with either, but find out anyway.

    Also, what version of pix code?


    Might want to enable logging and have a look there, pix is pretty good
    about letting you know if it is blocking traffic, or denying it for some
    other reason.



    Rik Bain
     
    Rik Bain, Jan 7, 2004
    #8
  9. > OK, so you did test it internally to make sure it does in fact work on
    > port 1021, right?


    Correct, the DIR works internally on both ports, the problem occurs past the
    PIX.

    >
    > Do you have an access-list applied to the interface the server hangs off
    > of (not outside, but internal interface)?


    Yes, permit TCP 20, 21, 1020, 1021 from selected outside to inside host.

    >
    > Is the translation from the server to the outside a 1-to-1 or static PAT?
    > Should work with either, but find out anyway.
    >


    static(inside,outside) command.

    > Also, what version of pix code?


    6.3(3).

    >Logging


    Denied a few ACKs and SYNs.

    Thanks again for any information.

    Ta

    AJ
     
    Fatman Superstar, Jan 7, 2004
    #9
  10. #

    Ron Bandes Guest

    Right; you must let fixup take care of the data connection because the
    standard does NOT say that the data connection's server-port must be one
    less than the control connection's port. It is only recommended to be so.
    I have seen an implementation of FTP that doesn't follow this
    recommendation, and it works fine.

    Ron Bandes
    CTT, CCNP, etc.

    "Rik Bain" <> wrote in message
    news:p...
    > On Wed, 07 Jan 2004 14:01:03 -0600, Fatman Superstar wrote:
    >
    > > Didn't have port 20 open before but worked fine on port 21.
    > >
    > > Have opened port 20 and tried various combos of fixup on 20, 21, 1020
    > > and 1021 and still the same.
    > >
    > > Thanks for your help, any further advice greatly appreciated.
    > >
    > > Thanks
    > >
    > > AJ
    > >

    >
    > Should not need to open TCP/20 if using the fixup. The fixup will open
    > it if needed, plus that connection will be from the inside out if using
    > active FTP.
    >
    > Really need to look at the logs. Also, is this FTP
    > server the same as the one that works on TCP/21, meaning same version of
    > OS, FTP service, etc.
    >
    > Rik Bain
     
    Ron Bandes, Jan 7, 2004
    #10
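    As an added illustration that is not part of the thread: this Python sketch does, in principle, what a stateful FTP inspection such as the PIX fixup has to do instead of relying on a static hole on port 20 or 1020. It watches the control channel for the client's PORT command (active mode) or the server's 227 reply (passive mode) and derives the one data connection to permit, leaving the server's source port as "any" because, as Ron notes, control-port-minus-one is only a recommendation. Names, the DataConn type and the sample addresses are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DataConn:
    """A data connection the firewall must permit; port None means 'any'."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int
    mode: str

# Client -> server: "PORT h1,h2,h3,h4,p1,p2" (active mode, RFC 959)
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# Server -> client: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
_PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(groups):
    octets = [int(x) for x in groups[:4]]
    port = int(groups[4]) * 256 + int(groups[5])
    if any(o > 255 for o in octets) or not 0 < port < 65536:
        raise ValueError("malformed host/port in FTP message")
    return ".".join(map(str, octets)), port

def data_connection(line: str, client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Return the data connection announced by one control-channel line, or
    None if the line announces nothing. The address inside the message must
    match the control-connection peer; a mismatch is treated as an error
    rather than opening a hole towards a third party."""
    m = _PORT_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        if ip != client_ip:
            raise ValueError("PORT address differs from control-connection client")
        # Active mode: the server dials the client. RFC 959 only recommends
        # that the server use control_port-1 (20 for 21, 1020 for 1021), so
        # the source port is left as 'any' instead of being assumed.
        return DataConn(server_ip, None, client_ip, port, "active")
    m = _PASV_RE.match(line)
    if m:
        ip, port = _decode(m.groups())
        if ip != server_ip:
            raise ValueError("227 address differs from control-connection server")
        # Passive mode: the client dials the server on the advertised port.
        return DataConn(client_ip, None, server_ip, port, "passive")
    return None
```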
  11. #

    Rik Bain Guest

    On Wed, 07 Jan 2004 16:12:40 -0600, Fatman Superstar wrote:

    >> Do you have an access-list applied to the interface the server hangs
    >> off of (not outside, but internal interface)?

    >
    > Yes, permit TCP 20, 21, 1020, 1021 from selected outside to inside host.
    >


    Sorry, I meant the inside (internal) interface.

    >
    >> Is the translation from the server to the outside a 1-to-1 or static
    >> PAT?
    >> Should work with either, but find out anyway.
    >>
    >>

    > static(inside,outside) command.
    >
    >>


    static host to host, like:

    static (inside,outside) 1.1.1.1 2.2.2.2
    -or-
    static (inside,outside) tcp 1.1.1.1 21 2.2.2.2 21


    >>Logging

    >
    > Denied a few ACKs and SYNs.
    >
    > Thanks again for any information.
    >


    The log actually says that? :) Or does it contain other useful
    information like IP addresses, ports and deny reasons? This is what will
    shed more light; for instance we can tell whether there is a protocol
    violation, hence fixup will tear down connection(s), or whether fixup
    even sees it at all.


    Also, this is plain old vanilla FTP right? Not trying to do SSL?
     
    Rik Bain, Jan 8, 2004
    #11
  12. Hi,

    So...

    acl permit dest source eq 20
    acl permit dest source eq 21
    acl permit dest source eq 1020
    acl permit dest source eq 1021

    fixup prot 21
    fixup prot 1021

    Thanks

    AJ

    "Ron Bandes" <RunderscoreBandes @yah00.com> wrote in message
    news:yN0Lb.67516$...
    > Right; you must let fixup take care of the data connection because the
    > standard does NOT say that the data connection's server-port must be one
    > less than the control connection's port. It is only recommended to be so.
    > I have seen an implementation of FTP that doesn't follow this
    > recommendation, and it works fine.
    >
    > Ron Bandes
    > CTT, CCNP, etc.
    >
    > "Rik Bain" <> wrote in message
    > news:p...
    > > On Wed, 07 Jan 2004 14:01:03 -0600, Fatman Superstar wrote:
    > >
    > > > Didn't have port 20 open before but worked fine on port 21.
    > > >
    > > > Have opened port 20 and tried various combos of fixup on 20, 21, 1020
    > > > and 1021 and still the same.
    > > >
    > > > Thanks for your help, any further advice greatly appreciated.
    > > >
    > > > Thanks
    > > >
    > > > AJ
    > > >

    > >
    > > Should not need to open TCP/20 if using the fixup. The fixup will open
    > > it if needed, plus that connection will be from the inside out if using
    > > active FTP.
    > >
    > > Really need to look at the logs. Also, is this FTP
    > > server the same as the one that works on TCP/21, meaning same version of
    > > OS, FTP service, etc.
    > >
    > > Rik Bain

    >
    >
     
    Fatman Superstar, Jan 8, 2004
    #12
