Thanks for the suggestions everyone came up with. You're not going to believe what fixed it!
I did already have "fixup protocol ftp 21" on the PIX, although I don't run any ftp servers. It seems that this is a default on a new box. I tried disabling this, and now I can ftp to the hosting provider. However this prevents the use of outgoing active FTP connections from inside the PIX, and so breaks one of my critical applications that uses an FTP component that doesn't appear to allow PASV to be used! According to the PIX documentation the fixup protocol ftp statement is only supposed to affect incoming connections to the specified port so that the IP address passed back in response to active connections is replaced with the NAT'd address on the PIX. Of the other suggestions, I think some of the followups answered them but I'll summarise. Passive FTP is required from inside my PIX due to PAT - with active there is no way for the remote FTP server to open a connection back to my machine through the PIX even though WS_FTP is listening, as PAT doesn't allow any incoming connections due to having to map ports as well as IPs in a many to one for IP (outgoing) and many to many for ports. "The most likely reason the passive ftp through the Pix is failing is a bug in the Pix code: CSCdp09306, fixed in 5.0(2.212) and 5.1(1.208)." As I stated in my original message I'm running 5.3(1) already, and successfully use passive ftp with other servers. But after all this there is still something "interesting" about the config at the hosting provider. I've never had a problem like this before, and as I said I use FTP daily (actually about 20 times a day!) with our sister company that also uses Serv-U which is behind a PIX and PASV works fine. But I also need to use active connections and using "no fixup protocol ftp 21" disables the use of active ftp. I'm going to try to "persuade" the hosting provider to send me a copy of their Serv-U config so I can see what's different between their setup and the one at our sister company. Dan --- D.C. Crichton email: [EMAIL PROTECTED] Senior Systems Analyst tel: +44 (0)121 706 6000 Computer Manuals Ltd. fax: +44 (0)121 606 0477 Computer book info on the web: http://computer-manuals.co.uk/ Want to earn money? Join our affiliate network! http://computer-manuals.co.uk/affiliate/ _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
