FTP – How to enable FTP access to a server behind a Cisco PIX 515

Tags: cisco-pix, ftp

I have a Windows 2003 web server sitting behind a Cisco PIX 515 firewall. HTTP access is fine, but I can't get FTP access to work.

The configuration I'm trying:

fixup protocol ftp 20
static (inside,outside) <external-IP> <internal-IP> netmask 255.255.255.255 0 0
conduit permit tcp host <external-IP> eq www any
conduit permit tcp host <external-IP> eq ftp-data any
conduit permit tcp host <external-IP> eq ftp any

I also tried "fixup protocol ftp 21" and "no fixup protocol 20"; as they didn't work, I removed them.

It connects successfully and I type my username and password just fine. When I try any command I get:

C:\>ftp <server-name>
Connected to <server-name>.
220 Microsoft FTP Service
User (<server-name>:(none)): <username>
331 Password required for <username>.
Password:
230 User <username> logged in.
ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.

And it sits there forever. I can see on eventvwr that the server drops the connection after the time-out I configured is reached.

If I try from Internet Explorer I get a message box:

200 Type set to A
500 Invalid PORT command
500 'LPRT 6,16,0,0,0,0,0,0,0,0,9,4,0,0,0,0,34,113,2,6,71': command not understood

FTP to this server from inside my LAN works fine.

Can anyone help me? Thanks a lot!

Best Answer

Remove:

fixup protocol ftp 20

and just add:

fixup protocol ftp

without a port number. A port number is not needed. In addition to this, you may need to issue a clear xlate for it to take effect right away. However, this will disconnect any/all active connections (and can cause other issues).

Edited to add:

As Zephyr asked in comments above, it is important to know what version of PIX software you're running, as Cisco replaced fixup with inspect.
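As an added example (not part of the original answer), here is the corrected configuration written out for both PIX software generations the answer refers to. The FTP fixup/inspect engine watches the control channel (TCP/21) and opens the data-channel pinholes itself, so only the control port needs a static permit. The IP placeholders and the access-list name outside_in are assumptions for illustration; the class-map and policy-map names are the PIX 7.x/ASA defaults.

```text
! --- PIX 6.x (fixup syntax) ---
! Port 20 is the data channel, so "fixup protocol ftp 20" inspects the wrong
! session. Remove it and enable the fixup on the control port (default 21).
no fixup protocol ftp 20
fixup protocol ftp
static (inside,outside) <external-IP> <internal-IP> netmask 255.255.255.255 0 0
! Only the control port needs a permit; the fixup opens data-channel
! pinholes dynamically as it sees PORT/PASV on the control connection.
conduit permit tcp host <external-IP> eq ftp any
! Existing translations keep the old behaviour until they are rebuilt.
clear xlate

! --- PIX 7.x / ASA (inspect syntax; fixup and conduit are gone) ---
static (inside,outside) <external-IP> <internal-IP> netmask 255.255.255.255
access-list outside_in extended permit tcp any host <external-IP> eq ftp
access-group outside_in in interface outside
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
clear xlate
```

After applying either variant, confirm the inspection is actually active before retesting from outside: show fixup on 6.x, or show service-policy inspect ftp on 7.x, should list FTP. If the active-mode dir still fails, try passive mode from the client (the fixup rewrites the internal address in the server's 227 reply to the external address), which also tells you whether the problem is on the client side of the connection rather than this firewall.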