As far as I recall Cisco port aliases assign ftp = tcp 21 and ftp-data = tcp 20, ftp-data being used to enable FTP/HTTP server connections to function properly.

Try adding a static mapping for port 21, i.e. ftp. You may also want to change your ftp fixup to:

fixup protocol ftp strict 21

This prevents web browsers from sending embedded commands in ftp requests.

Glenn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Noonan, Wesley
Sent: Friday, February 01, 2002 3:32 PM
To: [EMAIL PROTECTED]
Subject: PIX 501, PAT and PASV...

I have a PIX 501 that I am trying to get configured to use PAT on a single outside IP address that is DHCP assigned, but allows for inbound connections (i.e. www, ftp, dns, etc.). It is running PIX OS 6.1(1). I have it configured as follows:

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 1.2.3.4 eq ftp
access-list 100 permit tcp any host 1.2.3.4 eq ftp-data
access-list 100 permit tcp any host 1.2.3.4 eq 8080
access-list 100 permit udp any host 1.2.3.4 eq domain
ip address outside dhcp setroute
ip address inside 10.1.1.2 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.2.3.4 ftp 10.1.1.1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.4 ftp-data 10.1.1.1 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.4 8080 10.1.1.1 www netmask 255.255.255.255 0 0
static (inside,outside) udp 1.2.3.4 domain 10.1.1.1 domain netmask 255.255.255.255 0 0
access-group 100 in interface outside

Here is my problem. FTP only works if the FTP client is running in PASV mode. If I disable fixup protocol ftp 21, inbound FTP clients can work without PASV, but then outbound clients don't. If I enable fixup protocol ftp 21, then outbound works fine, but inbound doesn't.

As a side note question, does anyone know if an ACL/conduit for ftp-data is required? I have always been taught that it was for FTP communication to function properly, but was wondering what some of the folks on the list thought.

Anyone have any ideas?

TIA

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
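To show why the ftp fixup matters at all when PAT is in play, here is an added Python model (not from the thread, and not Cisco's implementation) of what an FTP inspection engine must do to the addresses embedded in PORT commands and 227 PASV replies, using the static from the thread (inside 10.1.1.1 presented as 1.2.3.4, port for port). The PAT port allocator and the check that a PORT command names only its sender's own address are assumptions made for this example.

```python
import re

# Constructed for this example: the thread's static maps inside 10.1.1.1 to
# outside 1.2.3.4 port-for-port; other inside hosts go out via PAT on 1.2.3.4.
STATIC = {"10.1.1.1": "1.2.3.4"}
PAT_GLOBAL = "1.2.3.4"                      # global (outside) 1 interface
_pat_ports = iter(range(1024, 65536))       # hypothetical PAT port allocator

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)
PASV_RE = re.compile(r"^(227 .*?\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\).*)$")

def decode(fields):
    """RFC 959 h1,h2,h3,h4,p1,p2 -> (ip, port)."""
    return ".".join(fields[:4]), int(fields[4]) * 256 + int(fields[5])

def encode(ip, port):
    """(ip, port) -> RFC 959 h1,h2,h3,h4,p1,p2."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def translate(inside_ip, inside_port):
    """Global socket the firewall presents for an inside socket."""
    if inside_ip in STATIC:                     # static: address changes, port kept
        return STATIC[inside_ip], inside_port
    return PAT_GLOBAL, next(_pat_ports)         # PAT: a fresh global port

def fixup(line, src_ip, from_inside):
    """Inspect one FTP control line (CRLF already stripped).

    Returns (line to forward, pinhole): pinhole is the (global ip, port) the
    outside peer will connect to, which the firewall must permit for the data
    connection, or None when no inbound data connection has to be allowed.
    """
    m = PORT_RE.match(line)
    if m:
        ip, port = decode(m.groups())
        # Assumed sanity check: a client may only direct the server's data
        # connection at its own address, never at a third host.
        if ip != src_ip:
            raise ValueError(f"PORT names {ip} but sender is {src_ip}")
        if not from_inside:
            return line, None                   # outside client: nothing to NAT
        gip, gport = translate(ip, port)        # private address would be useless
        return f"PORT {encode(gip, gport)}", (gip, gport)
    m = PASV_RE.match(line)
    if m and from_inside:                       # inside server's 227 reply
        ip, port = decode(m.groups()[1:7])
        gip, gport = translate(ip, port)
        return f"{m.group(1)}{encode(gip, gport)}{m.group(8)}", (gip, gport)
    return line, None                           # no inside address embedded
```

Without the rewrite, an outbound active-mode client would advertise 10.1.1.50 to the remote server, and an inbound passive-mode client would be told to connect to 10.1.1.1, which is why the data connection is what breaks in each direction.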
