Network Security Firewalls

PIX and PASV ftp

Subject: PIX and PASV ftp
Date: Tue, 19 Jul 2005 12:34:31 -0700
I'm having some difficulty in getting the PIX to allow PASV connections
through.  I have a vsftpd server on a DMZ with a private IP and running
IPTables with modules ip_nat_ftp and ip_conntrack_ftp loaded, though
same errors occur with IPTables stopped.  The vsftpd server has a
pasv_address of the public IP, and pasv_enable is YES.

The error from IE browser is "An error occurred opening that folder on
the FTP Server. Make sure you have permission to access that folder."

Ethereal on the client follows the TCP stream like this:
220 Welcome message nnnn
USER xxxxx
331 Please specify the password.
PASS xxxxx
230 Login successful. Have fun.
SYST
215 UNIX Type: L8
FEAT
500 Unknown command.
TYPE I
200 Switching to Binary mode.
REST 0
350 Restart position accepted (0).
PWD
257 "/home/xxxx"
PASV
<then a bunch of TCP Retransmission requests for PASV>

The server log shows it responds to the PASV command with:
<Time/date> <pid> <username> FTP command: Client "nnn.nnn.nnn.nnn",
"PASV"
<Time/date> <pid> <username> FTP response: Client "nnnnnn", "227
Entering Passive Mode (nnn,nnn,nnn,nnn,190,130)"
But the client never gets that message.

The pix logs this:
"%PIX-4-406002: FTP port command different address: from
<outsideIP:port> to <insideIP:port>".
"%PIX-6-302014: Teardown TCP connection nnn for outside:<outsideIP:port>
to dmz:<insideIP:port> duration 00:00:01 bytes 350 Deny".
"PIX-6-106015: Deny TCP (no connection) from <outsideIP:port> to
<insideIP:port>".

Non-PASV works fine.

I'm worn out Googling this.  Has anyone experienced this before?

Thanks,
Bill Stout
www.greenborder.com
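As an added example (not code from Bill's post or from Cisco), the following Python reproduces the kind of address-consistency check that a stateful FTP inspector applies when it logs "FTP port command different address": it parses the server's 227 reply, derives the data port, and compares the advertised address with the server address the firewall sees on the control connection. The addresses and the sample transcript are constructed (the post masks its real ones), and the exact comparison the PIX fixup makes is an assumption.

```python
import re
import ipaddress

# Matches the host/port sextet in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(line):
    """Return (ip, port) advertised by a 227 PASV reply; port is p1*256 + p2."""
    m = PASV_RE.search(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def check_pasv_reply(line, control_server_ip):
    """Assumed inspector rule: the data endpoint must be on the same host that
    owns the control connection; otherwise the reply is denied (not forwarded)."""
    ip, port = parse_pasv_reply(line)
    same_host = ipaddress.ip_address(ip) == ipaddress.ip_address(control_server_ip)
    return ("allow" if same_host else "deny"), ip, port


def audit_control_stream(lines, control_server_ip):
    """Walk a captured control channel and report every 227 reply's verdict."""
    findings = []
    for line in lines:
        if line.startswith("227 "):
            verdict, ip, port = check_pasv_reply(line, control_server_ip)
            findings.append((verdict, ip, port))
    return findings


# Constructed transcript: DMZ server 10.0.0.5 advertising its public NAT address
# 198.51.100.7 (as vsftpd does when pasv_address is set to the public IP).
SAMPLE_STREAM = [
    "230 Login successful. Have fun.",
    "PASV",
    "227 Entering Passive Mode (198,51,100,7,190,130)",
    "PASV",
    "227 Entering Passive Mode (10,0,0,5,190,130)",
]

if __name__ == "__main__":
    for verdict, ip, port in audit_control_stream(SAMPLE_STREAM, "10.0.0.5"):
        print("%s  data endpoint %s:%d" % (verdict, ip, port))
```

The first reply is denied because the advertised public address differs from the inside address on the control connection; the second, advertising the server's own address, passes.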

