passive FTP
I have seen an issue discussed here before regarding passive FTP getting mucked up by routing equipment?

I am experiencing this problem at the moment: when using std. Windows FTP clients (default passive FTP) I get very bad performance issues connecting to a Unix FTP server (no config changes here in the last while). It started from one day to the next (without me making any router/Cisco access list changes etc.). Symptoms are very slow port connection time after authentication, and very slow reaction to commands thereafter (1-2 mins); data transfer however is completely normal. Seems to be always a problem connecting through these higher ports.

Anyone remember what the outcome was?

weird

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: passive FTP
I'm probably way off the mark, but I've seen DNS issues slow down FTP connections (when the FTP daemon is waiting for the results of a reverse DNS lookup and the named service is having problems/down). Of course, once the connection goes through it wasn't an issue.

--
Jason Roysdon, CCNA, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"tayta" <[EMAIL PROTECTED]> wrote in message news:8vj9oe$sjd$[EMAIL PROTECTED]...
Passive FTP [7:48357]
The users are on the inside interface behind the PIX firewall and are trying to make a pftp connection to the outside world. They are being authenticated from the outside server but then the session hangs trying to do a list command. The fixup protocol port 21 is enabled on the PIX and there is no explicit outbound restriction from the inside interface. The outside server is using port range 4-40020 for passive FTP. I tried enabling this range on the fixup protocol too but it didn't work.

Please advise.

Thanks much
SM

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48357&t=48357
OT: passive FTP [7:20623]
Hello,

I'm wondering where can I get a passive FTP client?

Thanks in advance.

Jim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20623&t=20623
RE: passive FTP [7:20623]
Eugene

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Bond
Sent: Thursday, September 20, 2001 7:30 PM
To: [EMAIL PROTECTED]
Subject: OT: passive FTP [7:20623]

[GroupStudy.com removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20635&t=20623
RE: passive FTP [7:20623]
Most web browsers use passive FTP; just use ftp:// as the path instead of http. You can also check http://www.tucows.com for Windows-based FTP clients such as WS_FTP.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Bond
Sent: Thursday, September 20, 2001 4:30 PM
To: [EMAIL PROTECTED]
Subject: OT: passive FTP [7:20623]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20681&t=20623
RE: Passive FTP [7:48357]
did you also allow port 22 (ftp data) on your PIX???

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simer Mayo
Sent: Monday, July 08, 2002 4:18 PM
To: [EMAIL PROTECTED]
Subject: Passive FTP [7:48357]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48359&t=48357
RE: Passive FTP [7:48357]
Looks like your returning traffic was blocked. Try active FTP.

Yoshi

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simer Mayo
Sent: Monday, July 08, 2002 4:18 PM
To: [EMAIL PROTECTED]
Subject: Passive FTP [7:48357]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48361&t=48357
RE: Passive FTP [7:48357]
*cough* port 20 is ftp-data *cough*

I'm sure it was a quick typing mistake etc. I just wanted to make sure. :-)

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles D Hammonds
Sent: Monday, July 08, 2002 6:06 PM
To: [EMAIL PROTECTED]
Subject: RE: Passive FTP [7:48357]

did you also allow port 22 (ftp data) on your PIX???

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simer Mayo
Sent: Monday, July 08, 2002 4:18 PM
To: [EMAIL PROTECTED]
Subject: Passive FTP [7:48357]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48362&t=48357
RE: Passive FTP [7:48357]
A great troubleshooting tool in this situation would be a packet grabber such as EtherPeek. Capture traffic at the client location and at the outside of the PIX. Compare what is happening to what is expected. Without that information we can just guess.

Let's try to break the problem into smaller pieces. Can your inside users connect to any outside FTP site? For example (assuming that you have a Cisco Service Contract) can you download an IOS image? If so, the PIX is doing its job. Look to the client or server. Can your users FTP from another server? Does the problem occur with certain client software or certain users?

For an understanding of FTP check the GroupStudy archives for posts by PriscillaO. Within the last several months she has posted very clear explanations several times. Other sources are:

http://war.jgaa.com/ftp The FTP Protocol Resource Center. Good links.
http://cr.yp.to/ftp.html

Your symptoms sound more like a client using active mode FTP. When the client goes to LIST the server tries to open a connection on port 20 which the firewall refuses.

You might also want to look on CCO for two articles: "Poor or Intermittent FTP/HTTP Performance Through a PIX" and "PIX Performance Issues Caused by IDENT Protocol". I don't have a URL for them.

> -Original Message-
> From: Simer Mayo [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 08, 2002 6:18 PM
> To: [EMAIL PROTECTED]
> Subject: Passive FTP [7:48357]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48364&t=48357
RE: Passive FTP [7:48357]
Charles D Hammonds wrote:
>
> did you also allow port 22 (ftp data) on your PIX???

FTP data uses port 20. That was probably a typo. However, with passive FTP, that port number doesn't get used.

Passive FTP tells the server to wait for a connection request from the client. The server replies with the port number the client should send the request to. Then the client opens a connection from a not-well-known ephemeral (short-lived) port number to the port number provided by the server. Needless to say, this wreaks havoc with firewalls. There are no well-known port numbers in the passive data conversation.

Sorry, I don't know exactly how to get this to work with PIX. I'm sure there is a way though? You could also try active FTP instead?? But then the server opens the data connection, which can cause problems also.

I have written up FTP many times in the past for GroupStudy. You may want to check the archives. It will be in my new book too! If I have time, I would like to write a white paper on it too to add to my troubleshooting site here. Stay tuned: http://www.troubleshootingnetworks.com/

Priscilla

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simer Mayo
> Sent: Monday, July 08, 2002 4:18 PM
> To: [EMAIL PROTECTED]
> Subject: Passive FTP [7:48357]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48365&t=48357
RE: Passive FTP [7:48357]
Simer Mayo wrote:
> [original post, Passive FTP [7:48357]]

FTP is notorious for causing problems on networks with firewalls. I have actually run into cases where it simply would not work due to unconfigurable applications and a combination of network and personal firewalls. FTP is also problematic on networks with NAT because the IP address appears in the PORT command (when active is used) and in the server's reply to the client's PASV command (when passive is used).

So, I wrote a white paper on FTP (finally, I've been meaning to do this for a while). It is available from this page:

http://www.troubleshootingnetworks.com/resources.html

Hope it helps!

Priscilla

P.S. By the way, as the paper mentions, if your use for FTP is limited to updating Web pages, there is an alternative: a new protocol called Web-based Distributed Authoring and Versioning (WebDAV). WebDAV is a set of extensions to the Hypertext Transfer Protocol (HTTP) to allow users to collaboratively edit and manage files on remote Web servers. See RFC 2518 for more information.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48444&t=48357
RE: Passive FTP [7:48357]
Good explanation! Here's another reference that might be useful:

http://www.cert.org/tech_tips/ftp_port_attacks.html

> So, I wrote a white paper on FTP (finally, I've been meaning to do this for
> a while.) It is available from this page:
>
> http://www.troubleshootingnetworks.com/resources.html
>
> Hope it helps!
>
> Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48499&t=48357
RE: Passive FTP [7:48357]
Boy those hackers are clever! ;-) I never would have thought of that, but of course it's really pretty obvious. Because of the way the PORT command works, you can cause your FTP server to port scan a target! And that's not all you can do. Thanks for the link and all your other advice.

Regarding the original question, I strongly suspect that the answer may be at one of these two links at Cisco:

PIX Performance Issues Caused by IDENT Protocol.
http://www.cisco.com/warp/public/110/2.html

Poor or Intermittent FTP/HTTP Performance Through a PIX.
http://www.cisco.com/warp/public/110/21.html

Priscilla

Daniel Cotts wrote:
>
> Good explanation! Here's another reference that might be useful:
> http://www.cert.org/tech_tips/ftp_port_attacks.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=48512&t=48357
Re: PIX: Active FTP vs Passive FTP [7:43625]
The 'fixup protocol ftp strict 21' is generally suggested for passive FTP. This is to make sure servers are the only ones that can send the PASV command. This closed a security hole in the past.

Michael Le, CCIE #6811

--- Jeffrey Reed wrote:
> Are there any special considerations when allowing FTP through a PIX if
> clients can do either passive or active FTP sessions?
>
> Jeffrey Reed
> Classic Networking, Inc.
> Cell 717-805-5536
> Office 717-737-8586
> FAX 717-737-0290
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43806&t=43625
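Priscilla's two explanations above (the server hands the client an address and port inside the 227 reply to PASV; the client hands the server one inside PORT; NAT and firewalls break because that address lives in the payload, not the IP header), the CERT bounce reference, and the 'strict' fixup in this last thread all come down to one job: something in the path has to read the control channel and decide which data connection to expect and whether it is legitimate. The Python below is an added example written for this edit; it is not code from any poster, from Cisco, or from the PIX. It is a toy control-channel inspector run over a constructed transcript. The sample addresses (an inside client at 10.0.0.5, a server at 198.51.100.20), the transcript lines, and the function names are all assumptions of the example, not anything the thread states.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Both the PORT command (client -> server) and the 227 reply to PASV
# (server -> client) carry an IPv4 address and a TCP port as six decimal
# bytes: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 space: such an address in a 227 reply from a public server means
# NAT rewrote the IP header but not the FTP payload.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class DataChannel:
    mode: str                                           # "active": server connects to client; "passive": client connects to server
    host: str                                           # address the connecting side must reach
    port: int                                           # TCP port on that address
    problems: List[str] = field(default_factory=list)   # what an inspecting firewall should object to


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2); None if malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def inspect_control_line(sender: str, line: str, client_ip: str, server_ip: str) -> Optional[DataChannel]:
    """Inspect one control-channel line the way an FTP-aware firewall does.

    sender is "C" (client) or "S" (server). Returns the data connection the
    firewall must now expect, or None for lines that do not announce one.
    """
    upper = line.upper()
    if upper.startswith("PORT "):
        chan = DataChannel("active", "", 0)
        if sender != "C":
            chan.problems.append("PORT command sent by the server side (strict inspection rejects this)")
        hp = decode_hostport(line[5:])
        if hp is None:
            chan.problems.append("malformed PORT argument")
            return chan
        chan.host, chan.port = hp
        if chan.host != client_ip:
            # Data connection would go to a third party: the bounce the CERT tech tip
            # describes, and also what a NAT that does not fix the payload produces.
            chan.problems.append(f"PORT names {chan.host}, not the control-connection client {client_ip}")
        if chan.port < 1024:
            chan.problems.append(f"PORT names privileged port {chan.port}")
        return chan
    if upper.startswith("227"):
        chan = DataChannel("passive", "", 0)
        if sender != "S":
            chan.problems.append("227 reply sent by the client side (strict inspection rejects this)")
        hp = decode_hostport(line)
        if hp is None:
            chan.problems.append("malformed 227 reply")
            return chan
        chan.host, chan.port = hp
        if chan.host != server_ip:
            msg = f"227 names {chan.host}, not the server {server_ip}"
            if any(ipaddress.ip_address(chan.host) in n for n in _RFC1918):
                msg += " (RFC 1918 address leaked through NAT)"
            chan.problems.append(msg)
        return chan
    return None


def expected_data_connections(transcript, client_ip: str, server_ip: str) -> List[DataChannel]:
    """Run a whole control-channel transcript through the inspector."""
    found = []
    for sender, line in transcript:
        chan = inspect_control_line(sender, line, client_ip, server_ip)
        if chan is not None:
            found.append(chan)
    return found


# Constructed sample transcript (not a real capture). The client sits on an
# inside network at 10.0.0.5; the server's public address is 198.51.100.20.
SAMPLE_TRANSCRIPT = [
    ("S", "220 FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Password required"),
    ("C", "PASS guest@"),
    ("S", "230 Login successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,168,1,10,156,68)"),  # server's private address leaked
    ("C", "LIST"),
    ("S", "425 Can't open data connection"),
    ("C", "PORT 10,0,0,5,4,1"),                                 # active mode, client's own address
    ("S", "200 PORT command successful"),
    ("C", "PORT 203,0,113,9,0,25"),                             # third-party address: must be refused
    ("S", "500 Illegal PORT command"),
]

if __name__ == "__main__":
    for chan in expected_data_connections(SAMPLE_TRANSCRIPT, "10.0.0.5", "198.51.100.20"):
        status = "OK" if not chan.problems else "; ".join(chan.problems)
        print(f"{chan.mode:7s} {chan.host}:{chan.port} -> {status}")
```

Run as-is, the first data channel is the passive one from the thread's scenario: port 40004 is inside the server's high range, but the 227 reply carries a 192.168.x address, which is exactly the NAT symptom Priscilla describes (the client will try to connect to an address it cannot reach and the LIST hangs). The second is a clean active-mode PORT naming the client itself. The third names a different host on a privileged port and is flagged twice, which is the check the CERT tech tip asks servers and firewalls to make. The sender check is the 'strict' idea from Michael Le's post: a 227 reply is only ever accepted from the server side, and a PORT only from the client side.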