As soon as I add a static mapping (for whatever reason), the PIX stops passing all outbound traffic except that traffic from the IP address in the static mapping. I think this is because it can't do PAT and a STATIC mapping to the same IP address. I would need >1 IP address to pull it off successfully.
I will try the strict option. I had it earlier, and it didn't help the situation any so I removed it. I have also opened a TAC case on it, and it looks like there is going to be a problem with doing this and using PAT (if I use NAT, it works great...). I was hoping to avoid having to move to business class/static IPs (about twice as much as my existing net access...)

Thanks.

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com

-----Original Message-----
From: Glenn Shiffer [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 01, 2002 17:34
To: 'Noonan, Wesley'; [EMAIL PROTECTED]
Subject: RE: PIX 501, PAT and PASV...

As far as I recall Cisco port aliases assign ftp= tcp 21 and ftp-data= tcp 20. Ftp-data being used to enable FTP/HTTP server connections to function properly. Try adding a static mapping port 21 i.e. ftp. You may also want to change your ftp fixup to:

fixup protocol ftp strict 21

This prevents web browsers from sending embedded commands in ftp requests.

Glenn

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
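
Background on why passive FTP depends on an FTP-aware fixup when the server sits behind address translation, as an added example that is not part of the original thread and is not Cisco's code: a simplified model of parsing a server's `227` PASV reply and rewriting the embedded private address. The addresses are constructed, the function names are hypothetical, and keeping the data port unchanged is a simplifying assumption.

```python
import re

# PASV reply format (RFC 959): 227 <text> (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply, or None if it is not a valid one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet or port byte: do not act on it
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def rewrite_pasv(line, inside_ip, outside_ip, pinholes):
    """Model of the rewrite an FTP-aware translation device performs on a 227 reply
    from an inside server: replace the private address with the public one and
    record the data port that must be allowed inbound for this session."""
    parsed = parse_pasv(line)
    if parsed is None or parsed[0] != inside_ip:
        return line  # not a PASV reply from the translated host: pass unchanged
    _, port = parsed
    pinholes.add((outside_ip, port))
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        outside_ip.replace(".", ","), port >> 8, port & 0xFF)

if __name__ == "__main__":
    # Constructed sample: inside server 192.168.1.10, outside address 203.0.113.5
    allowed = set()
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)"
    print(parse_pasv(reply))
    print(rewrite_pasv(reply, "192.168.1.10", "203.0.113.5", allowed))
    print(sorted(allowed))
```

Without the rewrite, an outside client is told to connect to the private address and the data connection never completes, even though the control connection on port 21 works.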
