Microsoft FTP behind Cisco PIX

Discussion in 'Cisco' started by #, Jan 7, 2004.

  1. #

    # Guest

    Hi,

    Our cisco PIX firewall connection allows persons to log into the FTP servers
    inside our network (connections from outside) on ports 21 and 1021 (two
    servers)

    However, when attempting to do a DIR , port 1021 simply hangs yet port 21
    works.

    Have done a fixup on both port numbers, traffic is obviously ok cos I can
    get the login box etc on both servers.

    What obvious thing have I missed this time?

    Ta

    Fat
     
    #, Jan 7, 2004
    #1

  2. :Our cisco PIX firewall connection allows persons to log into the FTP servers
    :inside our network (connections from outside) on ports 21 and 1021 (two
    :servers)

    :However, when attempting to do a DIR , port 1021 simply hangs yet port 21
    :works.

    :Have done a fixup on both port numbers, traffic is obviously ok cos I can
    :get the login box etc on both servers.

    :What obvious thing have I missed this time?

    You have missed that port 21 is only for control connections.
    Doing a 'dir' involves a data connection, which requires port 20.
    If you re-examine your ACL for the port 21 ('ftp') connection,
    you will find you have also opened port 20 ('ftp-data').

    The ftp standard says that the data connection is always one lower
    than the control connection, so what you need to do is open
    the port before 1021 (i.e., 1020) to the second server.
     
    Walter Roberson, Jan 7, 2004
    #2

  3. Didn't have port 20 open before but worked fine on port 21.

    Have opened port 20 and tried various combos of fixup on 20, 21, 1020 and
    1021 and still the same.

    Thanks for your help, any further advice greatly appreciated.

    Thanks

    AJ
     
    Fatman Superstar, Jan 7, 2004
    #3
  4. #

    Rik Bain Guest

    Should not need to open TCP/20 if using the fixup. The fixup will open
    it if needed, plus that connection will be from the inside out if using
    active FTP.

    Really need to look at the logs. Also, is this FTP
    server the same as the one that works on TCP/21, meaning same version of
    OS, FTP service, etc.

    Rik Bain
     
    Rik Bain, Jan 7, 2004
    #4
  5. :Should not need to open TCP/20 if using the fixup

    That leads to an interesting point: has the original poster done
    a fixup protocol ftp 1021 ?
     
    Walter Roberson, Jan 7, 2004
    #5
  6. It's an MS IIS FTP server. I change the port to be either 21 or 1021 and it
    only runs on 21.

    Cheers

    AJ
     
    Fatman Superstar, Jan 7, 2004
    #6
  7. Yes it has (sorry, I am mr #)
     
    Fatman Superstar, Jan 7, 2004
    #7
  8. #

    Rik Bain Guest
    OK, so you did test it internally to make sure it does in fact work on
    port 1021, right?

    Do you have an access-list applied to the interface the server hangs off
    of (not outside, but internal interface)?

    Is the translation from the server to the outside a 1-to-1 or static PAT?
    Should work with either, but find out anyway.

    Also, what version of pix code?
    Might want to enable logging and have a look there, pix is pretty good
    about letting you know if it is blocking traffic, or denying it for some
    other reason.
    Rik Bain
     
    Rik Bain, Jan 7, 2004
    #8
  9. :OK, so you did test it internally to make sure it does in fact work on

    Correct, the DIR works internally on both ports, the problem occurs past the
    PIX.

    Yes, permit TCP 20, 21, 1020, 1021 from selected outside to inside host.

    static(inside,outside) command.

    Denied a few ACKs and SYNs.

    Thanks again for any information.

    Ta

    AJ
     
    Fatman Superstar, Jan 7, 2004
    #9
  10. #

    Ron Bandes Guest

    Right; you must let fixup take care of the data connection because the
    standard does NOT say that the data connection's server-port must be one
    less than the control connection's port. It is only recommended to be so.
    I have seen an implementation of FTP that doesn't follow this
    recommendation, and it works fine.

    Ron Bandes
    CTT, CCNP, etc.
     
    Ron Bandes, Jan 7, 2004
    #10
  11. #

    Rik Bain Guest

    Sorry, I meant the inside (internal) interface.
    Static host to host, like:

    static (inside,outside) 1.1.1.1 2.2.2.2
    -or-
    static (inside,outside) tcp 1.1.1.1 21 2.2.2.2 21

    the log actually says that? :) Or does it contain other useful
    information like ip addresses, ports and deny reasons? This is what will
    shed more light; for instance we can tell whether there is a protocol
    violation, hence fixup will tear down connection(s), or whether fixup
    even sees it at all.
    Also, this is plain old vanilla FTP right? Not trying to do SSL?
     
    Rik Bain, Jan 8, 2004
    #11
  12. Hi,

    So...

    access-list <acl> permit tcp host <outside-host> host <inside-host> eq 20
    access-list <acl> permit tcp host <outside-host> host <inside-host> eq 21
    access-list <acl> permit tcp host <outside-host> host <inside-host> eq 1020
    access-list <acl> permit tcp host <outside-host> host <inside-host> eq 1021

    fixup protocol ftp 21
    fixup protocol ftp 1021

    Thanks

    AJ
     
    Fatman Superstar, Jan 8, 2004
    #12
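An added example, not from the thread or from Cisco: it walks a constructed FTP control-channel exchange on a control port of 1021 and works out which data connections an FTP-aware inspector (what the PIX fixup does) would have to open, then shows what a fixed inbound ACL for TCP 20/21/1020/1021 makes of each. The addresses, the session lines and the ACL name are assumptions.

```python
import re

# Constructed FTP control-channel exchange (not from the thread) for a server
# whose control port is 1021, the case the thread is about. Assumed addresses:
# the outside client and the server's static (outside-facing) address.
CLIENT = "203.0.113.10"
SERVER = "192.0.2.5"
SESSION = [
    "220 Microsoft FTP Service",
    "USER anonymous", "331 Password required.", "PASS guest", "230 User logged in.",
    "PORT 203,0,113,10,4,1",            # active: client listens on 4*256+1 = 1025
    "200 PORT command successful.", "LIST",
    "227 Entering Passive Mode (192,0,2,5,19,137).",  # passive: 19*256+137 = 5001
    "LIST",
]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(h1, h2, h3, h4, p1, p2):
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)

def data_pinhole(line, client_ip, server_ip, ctrl_port):
    """(src_ip, src_port, dst_ip, dst_port) of the data connection implied by
    one control-channel line, or None. A src_port of None means ephemeral."""
    m = PORT_RE.match(line)
    if m:  # active mode: the server connects out, by default from ctrl_port-1
        ip, port = _decode(*m.groups())
        return (server_ip, ctrl_port - 1, ip, port)
    m = PASV_RE.match(line)
    if m:  # passive mode: the client connects in to an ephemeral server port
        ip, port = _decode(*m.groups())
        return (client_ip, None, ip, port)
    return None

def pinholes(lines, client_ip, server_ip, ctrl_port):
    """Pinholes an FTP-aware inspector would open during this session."""
    found = (data_pinhole(l, client_ip, server_ip, ctrl_port) for l in lines)
    return [p for p in found if p is not None]

def static_acl_verdict(pinhole, permitted_ports, server_ip):
    """What a fixed inbound ACL (outside -> server, listed dst ports) does to it."""
    _, _, dst_ip, dst_port = pinhole
    if dst_ip != server_ip:
        return "outbound"            # inside -> outside, never hits that ACL
    return "permitted" if dst_port in permitted_ports else "denied"
```

The active-mode data connection leaves from the inside and is not what an inbound ACL sees, while the passive one lands on an ephemeral server port that no fixed ACL entry covers; only the inspection of the control channel on port 1021 accounts for both.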