outbound FTP connections

Discussion in 'Cisco' started by Guest, May 6, 2004.

  1. Guest

    Guest Guest

    I've got a 2600 running the firewall IOS and everything was working fine, at
    least I thought it was. Recently one of our people tried to access an ftp
    site for a product patch and couldn't. I tried a number of PCs using
    Crystal's ftp client, IE, and the command line ftp client, all with the same
    results. From home or any other site it connects fine. Now the really
    strange thing is that most FTP servers work fine. The problem is only with
    this server and, so far, one other, ftp.microsoft.com.

    The problem is simple, from a MS (no cracks about MS) command line I put in
    the ftp.microsoft.com and get back "connected". That's it, it just sits
    there, no prompt, nothing. Other sites are fine. I just can't think of
    anything other than the router/firewall that might be causing this. Below is
    my outbound ACL, any ideas? For this 192.168.xxx.0 in the LAN, the IOS is
    12.2(12), and I do have an ip inspect for ftp

    access-list 100 deny tcp host 192.168.xxx.xxx any eq smtp
    access-list 100 deny tcp any any eq 69
    access-list 100 deny tcp any any eq 135
    access-list 100 deny tcp any any eq 4444
    access-list 100 deny udp any any eq tftp
    access-list 100 deny udp any any eq 135
    access-list 100 deny udp any any eq 4444
    access-list 100 deny ip 66.237.180.192 0.0.0.63 any
    access-list 100 deny ip 192.168.yyy.0 0.0.0.255 any
    access-list 100 deny ip 192.168.xxx.0 0.0.0.255 any
    access-list 100 permit tcp any any eq smtp log
    access-list 100 permit ip 192.168.xxx.0 0.0.0.255 any
     
    Guest, May 6, 2004
    #1

  2. :I've got a 2600 running the firewall IOS and everything was working fine, at
    :least I thought it was. Recently one of our people tried to access an ftp
    :site for a product patch and couldn't.

    Passive or active ftp?

    :The problem is simple, from a MS (no cracks about MS) command line I put in
    :the ftp.microsoft.com and get back "connected". That's it, it just sits
    :there, no prompt, nothing.

    Do you have a valid reverse DNS for the outside IP that you are NAT'ing
    to?

    What do you see if you telnet to their ftp port?

    telnet ftp.microsoft.com ftp
     
    Walter Roberson, May 6, 2004
    #2

  3. Guest

    Rik Bain Guest

    You mentioned that you have the firewall feature set. Are you using
    CBAC? If so do you have ftp inspection on?

    Rik Bain
     
    Rik Bain, May 6, 2004
    #3
  4. Guest

    Guest Guest

    First a correction. When I ftp to one site it just says connected and sits
    there, no prompt, nothing. When I try ftp.microsoft.com it says connected and
    then connection closed by host. Other sites are fine, as are these when I'm
    at a different location.

     
    Guest, May 7, 2004
    #4
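
Added example, not part of any post in this thread: a small Python probe that automates the "telnet to their ftp port" check from post #2 and tells apart the two symptoms described in post #4 (connected but silent, versus connected and then closed by host). The function names, state labels and default timeout are choices made for this example.

```python
import socket
import sys

def reply_complete(data):
    """True once data holds a full FTP reply (RFC 959), including
    multi-line greetings of the form '220-...' ending with '220 ...'."""
    lines = data.split(b"\r\n")[:-1]          # only CRLF-terminated lines count
    if not lines or not lines[0][:3].isdigit():
        return False
    code = lines[0][:3]
    if lines[0][3:4] == b" ":                 # single-line reply
        return True
    return any(l[:3] == code and l[3:4] == b" " for l in lines[1:])

def probe_ftp_control(host, port=21, timeout=10.0):
    """Open the FTP control connection, send nothing, and classify the result.

    Returns (state, detail); state is one of "unreachable", "banner",
    "silent" (connected, no bytes before the timeout), "partial"
    (some bytes, never a complete reply) or "closed_by_host".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                    # refused, no route, connect timeout
        return ("unreachable", str(exc))
    data = b""
    with sock:
        sock.settimeout(timeout)              # applies to each recv() call
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                return ("partial" if data else "silent", data.decode("latin-1"))
            except OSError as exc:            # e.g. connection reset
                return ("closed_by_host", str(exc))
            if not chunk:                     # orderly close by the peer
                return ("closed_by_host", data.decode("latin-1"))
            data += chunk
            if reply_complete(data):
                return ("banner", data.decode("latin-1").rstrip())

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    print(*probe_ftp_control(sys.argv[1], port), sep=": ")
```

Running the same probe from behind the router and from an outside network gives two states to compare for the same server.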
  5. Guest

    Guest Guest

     
    Guest, May 7, 2004
    #5