[fw-wiz] FTP Passive Traffic from PIX thru SEF to Serv-U

TSimons_at_Delphi-Tech.com
Date: 03/16/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 15 Mar 2004 22:18:26 -0500

    Hello All

    We recently had an issue with an ftp user behind a remote PIX firewall
    trying to connect to our FTP server. Apparently the SEF was pulling back
    the NAT wrapper off the traffic from the PIX and pulling out the private
    address on the remote side.

    Client-->[PIX/NAT]-->Internet-->[SEF/FTPd]-->Serv-U

    Is this a PIX problem?

    Here's the specific SEF log entry:
    Mar 05 15:13:13.443 FW1 ftpd[1684]: 353 Warning: PORT command referenced a
    destination (10.6.11.3) that doesn't match control channel (X.X.X.36):
    possible Bounce attack? To enforce strict PORT checking please set
    "ftpd.allow_address_mismatch=False" in the config.cf file

    X.X.X.36 is the outbound NAT'd IP address, not PAT
    10.6.11.3 is the IP address inside the PIX

    This problem is isolated to this specific PIX; others are using the ftp
    server perfectly fine.

    Thanks,
    ~Todd

    __________________________________
    Todd M. Simons
    Senior MIS Engineer
    Dell Tier 1 PA Technician
    Delphi Technology, Inc.
    New Brunswick, NJ

    Note: The contents of this email do not constitute a legally binding
    commitment.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

