CBAC - FTP and PAT

We have an unclass setup where we are PAT'ing to the internet via a 2911 router.  We've found that passive FTP from internal (client) to public ftp server is not working and I've confirmed there is no ACL denying.  The initial connection (login) is fine but when trying to actually send data we see timeouts.  I'm thinking this is because I'm not doing this on a firewall with inspect ftp enabled.
So I enabled the security feature so I could configure CBAC but that doesn't seem to correct my problem with FTP (active and/or passive).  G0/0 is my interface to the outside world and I'm applying the CBAC there.  Let me know what you think....I'm sure someone has run into this before and I'm stumped here.
Below are snippets of my config...
OUTPUT and CONFIG snippets
ip inspect name firewall ftp
ip inspect name firewall tcp
access-list 199 deny   ip any any
interface GigabitEthernet0/0
    ip address x.x.x.x x.x.x.x
    ip access-group 199 in
    no ip redirects
    ip nat outside
    ip inspect firewall out
    ip virtual-reassembly in
"show inspect all" shows the following and indicates to me that it is applied correctly.  I even see the router tracking (inspecting sessions) via the "show inspect sessions" command. 
#sho ip inspect all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name firewall
    ftp alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
Interface Configuration
Interface GigabitEthernet0/0
  Inbound inspection rule is not set
  Outgoing inspection rule is firewall
    ftp alert is on audit-trail is off timeout 3600
    tcp alert is on audit-trail is off timeout 3600
    dns alert is on audit-trail is off timeout 30
Inbound access list is 199
  Outgoing access list is not set
ERROR WHEN TRYING FTP
ftp> open
To ftp.hp.com
Connected to ftp.hpgtm.nsatc.net.
220 g6u0651.atlanta.hp.com FTP server (hp.com version whp02s_p1) ready.
User (ftp.hpgtm.nsatc.net:(none)): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> quote PASV
227 Entering Passive Mode (15,193,112,141,160,114)
ftp> dir
200 PORT command successful.
425 Can't build data connection: Connection timed out.
A few other questions.
1.  I see that Cisco says they don't support third party FTP.  What exactly does that mean?
2.  They also say that the data connection will not open if the session is not authenticated.  Does anonymous count as being authenticated?
Thanks in advance for any ideas!!
Paul.

Thanks for the reply but I have since learned that I should not need CBAC for passive FTP connections.  I have also learned that through Windows ftp.exe you cannot do passive FTP, even though the quote PASV seems to put it in that mode.  Evidently, it only tells the server to go passive but Windows doesn't support PASV....interesting!
I did end up downloading an FTP client that does support PASV mode but am still unable to get it to work through my PAT router.  I think the key here is it's a PAT router and not a firewall/ASA.  I've tested PAT through a stateful firewall and it works fine....no issue at all.  Very interesting stuff here and it is frustrating the heck out of me as to why I can't get this to work!!!  Any help appreciated.
Thanks in advance!
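
The control session quoted in the first post can be read mechanically: the 227 reply advertises a server data port, but the "200 PORT" reply to dir shows the client then switched to active mode, so the server had to connect back in through the PAT router. The Python sketch below is an added example, not part of the original posts; the session text is constructed from the quoted output, and the addresses passed to rewrite_port are constructed documentation values.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed from the control-channel session quoted in the first post.
SESSION = """\
230 Guest login ok, access restrictions apply.
ftp> quote PASV
227 Entering Passive Mode (15,193,112,141,160,114)
ftp> dir
200 PORT command successful.
425 Can't build data connection: Connection timed out.
"""

HOSTPORT = re.compile(
    r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")


def decode_hostport(text: str) -> Optional[Tuple[str, int]]:
    """Decode an RFC 959 h1,h2,h3,h4,p1,p2 tuple into (ip, port)."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport: the form used by PORT and by 227."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


@dataclass
class DataChannel:
    pasv_offer: Optional[Tuple[str, int]] = None  # endpoint from the last 227
    mode_used: Optional[str] = None               # "active" or "passive"
    failed: bool = False                          # a 425 followed the attempt

    @property
    def initiator(self) -> Optional[str]:
        """Which side opens the data connection for the mode actually used."""
        return {"active": "server", "passive": "client"}.get(self.mode_used)


def analyze(session: str) -> DataChannel:
    """Work out which data-channel mode a control session really used."""
    dc = DataChannel()
    for line in session.splitlines():
        code = line[:3]
        if code == "227":
            dc.pasv_offer = decode_hostport(line)
            dc.mode_used = "passive"
        elif code == "200" and "PORT" in line:
            # The client sent PORT afterwards, which overrides the earlier PASV.
            dc.mode_used = "active"
        elif code == "425":
            dc.failed = True
    return dc


def rewrite_port(arg: str, public_ip: str, public_port: int) -> str:
    """What a NAT FTP helper has to do to an inside client's PORT argument:
    swap the private endpoint for the translated one, otherwise the server
    tries to connect back to an address it cannot reach."""
    if decode_hostport(arg) is None:
        raise ValueError("not a valid PORT argument")
    return encode_hostport(public_ip, public_port)


if __name__ == "__main__":
    result = analyze(SESSION)
    print(result.pasv_offer, result.mode_used, result.initiator, result.failed)
    # Constructed addresses: RFC 1918 inside host, RFC 5737 outside address.
    print(rewrite_port("192,168,1,10,19,137", "203.0.113.5", 40001))
```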

Similar Messages

  • Ftp and http access over XDB repository is not allowed...

    When I try to execute the following command on a reasonably fresh Oracle 11 installation:
    insert into "XMLTEST" ( "name", "xmlfof" ) values ( 'small', DBMS_XDB.GETCONTENTXMLTYPE('/public/small.xml') );
    -- The schema is correctly registered, the file "small.xml" is in the /public repository folder, the user has every conceivable role and privilege
    -- http access works fine from a remote location, tried to execute the command on the server and from remote system...
    I get the following error message:
    ORA-31020: Der Vorgang ist nicht zulässig, Ursache: For security reasons, ftp and http access over XDB repository is not allowed on server side ORA-06512: in "XDB.DBMS_XDB", Zeile 1915
    Searching for an answer on the forum didn't produce any concrete explanation... Does anyone have any idea how to solve this problem?

    As it turns out, the XML file contained a reference to a DTD at an external web-site, which caused the problem - it was identical to that described here:
    Re: ORA-31020 when using XML with external DTD or entities
    After removing the reference, everything works perfectly...

  • I was running Foxfire 3.6.9 and wanted to use FTP Program add-on and it did not appear to load but appeared but then would be installed but not run or appear under tools. So I deleted Foxfire 3.6.9 and down loaded to 3.5.9 so it could get FTP and it is do

    I was running Foxfire 3.6.9 and wanted to use FTP Program add-on and it did not appear to load but appeared but then would be installed but not run or appear under tools. So I deleted Foxfire 3.6.9 and down loaded to 3.5.9 so it could get FTP and it is doing the same could not install. Even after I registered my copy. The last time I used this program it showed up under tools and worked great. any suggestions on whats going on and how I can get around this?.by ralphd3g

    Delete the files extensions.* (extensions.rdf, extensions.cache, extensions.ini) and compatibility.ini in the Firefox profile folder to reset the extensions registry.
    See "Corrupt extension files": http://kb.mozillazine.org/Unable_to_install_themes_or_extensions
    If you see disabled extensions that are not compatible on the next start in "Tools > Add-ons > Extensions" then click the "Find Updates" button to do a compatibility check.

  • Difference between Seeburger FTP and OFTP adapters

    hi,
    Can anybody tell me the difference between Seeburger FTP and OFTP adapters?
    On what basis should one make a business decision as to which adapter to go for?
    Kindly help urgently.
    Regards,
    Loveena

    Hi ! Loveena
    Seeburger EDI Adapter provides an EDI solution on internet via HTTP or AS2 to replace the expensive VAN. It provides some pre-built mappings for IDOC to ANSI X12(810,850,855,856 etc.,) and Idoc to EDIFACT(ORDERS,DESADV,INVOIC etc.,) and has the ability to build your own. These pre-defined mappings transform the IDOC-XML to EDI-XML format.
    Seeburger Adapters are used to Connect the applications which are using Message protocol/Transport protocol as CrossIndustry(payment), VAN, OFTP, AS2(EDIINT), Generic and EDI based applications.
    Re: Seeburger Adapter
    Reg seeburger seeburger
    installation
    https://forums.sdn.sap.com/click.jspa?searchID=2268965&messageID=3210111
    OFTP is a communication protocol. This has nothing to do with the format you have to transfer.
    regards the format you have to clear at which standard you have to transfer the messages. This can be any EDI format. At OFTP area the standard are often VDA or ODETTE.
    You can create this messages using different EDI adapters (of course also the mendelson adapter ).
    Regards OFTP you need additional software which handle the transfer based on the OFTP standard. Mostly you also need an ISDN card for using this protocol.
    We can support you with this software for OFTP transport too.
    More info also available at http://www.mendelson-e-c.com/.
    have a look at the ACTIS OFTP Adapter
    Ref: http://www.actis.atosorigin.de/solutions/en/ACTIS_solutions/SAPXI.php
    refer this thread also
    When we need Seeburger AS2 & FTP?
    XI Seeburger adapters
    Adapter for OFTP?!
    Thanks !!

  • Pull compressed file (.gz format) via FTP and place on Application server

    Hello!
    Greetings.
    We have a requirement where a compressed file in the format *.gz is to be pulled via FTP and saved to the application server after extracting.
    I searched the forums and found options to pull text or XL files, but nothing about pulling a compressed file. I wished to know if there is any process for the same. After pulling the file, it is to be saved to Application server after extracting. My doubts are as below:
    1. How to pull a *.gz file via FTP (Need batch processing)
    2. Can I extract and rename the file before saving it to application server? Or I need a temporary location to place the file before extraction?
    Any inputs are appreciated.
    Thanks,
    Shishir.

    Hi Sandra.
    Thanks for the confirmation.
    There is a change in the requirement. We need to Poll the FTP server for the file for the duration of one week every month.
    When the file is found, we are to take the *.gz file, extract and put on the application server.
    My question is how do we poll the application FTP server? I searched  the forums and found a few threads that say that an FTP adapter is to be setup for polling the FTP server and then we can schedule it using “Availability Time Planning”.
    /people/shabarish.vijayakumar/blog/2006/11/26/adapter-scheduling--hail-sp-19-
    I wished to know if that is the only way to approach this requirement.
    Any help is appreciated.
    Thanks and Regards,
    Shishir.
    Edited by: Shishir Kinkar on Apr 26, 2011 11:07 AM

  • Setting up FTP and SFTP adapters for the same interface

    Experts-
    I have a situation in which client has a requirement to setup both FTP and SFTP adapters (from adaptive adapters) for the same interface. They want to have a copy of file locally and also want a file to be sent out securely using SFTP. In my interface which was previously developed they have used one business system and added FTP and SFTP to the same. If I try to add new Receiver Agreement it will say that the object already exists as the Interface Mapping is same.
    Please send me any suggestions which would resolve my problem

    Hi Hari,
    As you cannot create two Receiver agreements using only one receiver interface, please create a new receiver Interface, add that in interface determination step and then assign a different channel to new receiver agreement.
    If your requirement is to store the file, I would suggest write the file in your unix directory using NFS (/usr/sap...), then run an AFT job (if already set up in your landscape) to transfer file securely to target destination. Not sure if it's feasible in your case otherwise you can use SFTP for the secure transfer.
    Best Regards
    Srinivas

  • Static NAT (in and out) and PAT on a Router

    Static NAT and PAT
    I need to have a customer network connected to my extranet.
    I’m not in control of the customer network addressing. But need to configure a VPN connection.
    I will supply the router that will also be the customer Firewall to the Internet (PAT).
    (1) I need to be able to do PAT on traffic from internal hosts to the Internet.
    (2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).
    (3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).
    The following configuration will solve (1) & (2), but I can not (3) reach the internal servers from my extranet, except if the internal host has made connection to the extranet, which will create a translate entry in the NAT table.
    Extranet is: 172.16.16.0/24
    Internal net is: 192.168.1.0/24
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    interface FastEthernet4
    ip address 1.1.1.1
    ip nat outside
    access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
    access-list 175 permit 192.168.1.0 0.0.0.255 any
    access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
    ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host
    ip nat inside source list 175 interface FastEthernet4 overload
    ip nat inside source route-map HIDE pool FRO reversible
    route-map HIDE permit 10
    match ip address 176

    Create a NAT configuration in the router which also translates even your outside Global address (your extranet) into the inside Global (any private) address through the keyword "rotary". Only this rotary pool will provide the pool of inside global IP address for your outside Global IP addresses.
    The following white paper will provide you with the required information,
    http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml

  • Write/Read cluster with ftp and datasocket

    I try to save a cluster to a file on my RT-target from my host machine via ftp and datasocket. I can use the DS examples between host and target but when I connect a cluster to either DS Write or DS Read the VI stops with error 42 (Generic error). The help for DataSocket does not mention any constriction concerning the data type. Is this a bug or a feature?
    I found a workaround by saving the cluster to a local file and transferring this to the RT-target with FTP-VI's but the DataSocket solution would be much simpler.
    LabVIEW 8.6.1
    Attachments:
    clusterDS.jpg ‏24 KB
    Error42.jpg ‏12 KB

    Hi,
    I found the reason for the generic error: the file to write or read has to have a extension "dsd" (or "wav"), otherwise  you'll get the error. With a .dsd extension I was able to save the cluster. I have not yet managed to read it back but at least DS Read does not abort with the generic error. Interesting thing is if you use an other extension than dsd when writing, an empty file is actually created on the target system.
    Attachments:
    DSWriteCluster.vi ‏7 KB
    DSReadCluster.vi ‏10 KB

  • Doubt About FTP And NFS

    Hi Experts,
    1...What is the difference between FTP and NFS (in Transport Protocol)
    2...When we will use FTP and NFS......In which Case
    Please Let me know in detailed
    Regards
    Khanna

    Hi Thanks for ur quick reply.
    As u told
    >>>>that the client's system is across ur network and the client is not ready to send u the file. At that time u have to use FTP.
    This is ok.
    Q:::::And For this We should be in the VPN   OR No need?????/
    >>>>In scenario where the XI system could store the file on their server (e.g. cases where the organization has their XI in place and they dont want to add an extra FTP server in their scenario, they can directly paste the file on the XI file system). In these cases NFS is used.
    In this case u need to put the file in the XI Server, From where u will get the file to keep it in the server(means via internet or by hand  or like.....)
    Please let me know all the details
    Regards
    Khanna

  • Passive FTP and the Leopard firewall

    Hi,
    We have an staff upload server that uses the built-in Leopard firewall. It is fed by two proprietary applications, one of which uses passive ftp only. We are getting a small number of incidents where the passive upload is unsuccessful. Initial contact is made (visible in the logs and as a connection in the server admin gui) but the upload doesn't proceed. A user might try uploading several times without success. On other occasions, the same user from the same computer has no problems at all.
    We have the ftp service enabled on port 20-21 and the FTP service PASV port range enabled 49152-65535.
    If I add the uploading computers' ip number to an access group with no port restrictions on the firewall, the uploads are always successful.
    With my very limited knowledge of ftp and firewalls, this suggest that the negotiated port for the data transfer is outside the default port range used by Apple. Is this likely? Are there any implications in changing the range?
    Or am I totally confused and should I be looking elsewhere?
    Thanks,
    Ross Glover

    By default, the FTP server doesn't restrict itself to any particular passive port range. To make it match what the firewall claims it should be, edit the file /Library/FTPServer/Configuration/ftpaccess and add the line:
    passive ports 0.0.0.0/0 49152 65535
    ...then restart the FTP service and retest.

  • Scripting with FTP and HTTP

    Hi All,
    To help us with future planning, we would like to get a feel for how many developers are using the FTP and HTTP objects that are available with scripting in CS3 (through webaccesslib). If you are using them could you send me a quick email describing how you use the component? My email address is [email protected]
    Thanks in advance.
    Alan Morris
    Dev Tech Engineer
    Adobe Systems

    Yeah, this is so aggravating!
    Adobe builds all of these cool ideas, then doesn't test them.
    The HTTPConnection object does not do POST at all. I have tried nearly every possibility. The documentation is either way off or the object just does not work. I can see the post in raw form and the POST variables are not coming across.
    After working on this for a few hours i thought to myself, hey maybe i should just create a flash pane instead and load the files into it, then have the flash object upload. Well i ran into a big fat wall there too! As it is with patchpanel and bridge, these technologies only accept swf objects. This whole concept of using SWF and crossscripting has a huge flaw. The SWF file's security format does not allow for local file access for doing simple things like upload. If i can't synchronize file data to web based clouds, then i cant do much worth talking about.
    I love these products and their possibilities but i have to have the ability to communicate with the world. HTTP is the way!
    Also a side note, FTP is an insecure/inflexible solution and looks like a lot more time was spent on this aspect of the scriptable product.
    PLEASE HELP ADOBE!!!!!

  • Help w/FTP and manage site

    I am trying to get to my Comcast personal web site and I am trying to use Dreamweaver to create the site. When I login to the site on IE/FireFox using the FTP address ftp://upload.comcast.net/ I get in OK but in DW 8.0 I go to manage site and enter in all of the same info I use in IE/Fire Fox or even Front Page and I get that DW can not connect and the following Error:
    AN FTP Error occurred. Cannot make a connection to host. The remote host cannot be found.
    If I try it on another commercial site I maintain and I get the same results. Is there a way to check my DW 8 to confirm it is working correctly?

    Please go to SITES | Manage Sites..., select the site name, and click on Edit. Click on the Advanced tab at the top. Tell me the following -
    Under LOCAL INFO
    The contents of "Local root folder:"
    Under REMOTE INFO
    What happens when you press Test?
    The contents of "Host directory:"
    Thanks!
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.dreamweavermx-templates.com - Template Triage!
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
    ==================
    "tripleo" <[email protected]> wrote in message news:ej4vth$h0a$[email protected]..
    > Hi I am having a problem with FTP and Dreamweaver MX.
    >
    > I can log in correctly, the ftp connects to my webhost and everything is fine
    > however when i want to upload a page or something for my site. it gives me these errors:
    >
    > ERROR1
    >
    > dreamweaver cannot determine the remote server time.
    > the select newer and synchronize commands will not be available.
    >
    > ERROR2
    >
    > an FTP error occurred - cannot put FILENAME.
    > 500 Unable to service PORT commands.
    >
    > Can anybody help?
    >

  • FTPS and SFTP

    hi, what is the difference between FTPS and SFTP and does XI support FTPS and SFTP.  Please elaborate.
    krishnan

    Hi also have a look at this
    if u want to view the difference between FTPS (that XI supports) and SFTP, please refer this link
    http://www.enterprisedt.com/forums/viewtopic.php?p=136&sid=28d66491b43c6bf90448deea4936bc15
    HTTPS / SFTP with XI
    Hey have a look at the following also
    http://en.wikipedia.org/wiki/FTPS
    Thanks !!

  • Automator Service to Upload to FTP and Send Email With Links

    Hello.
    Since updating my client server machines at work to 10.7, the automator workflow that I have been using for years isn't working correctly.  Basically it's a simple workflow that uses upload to FTP action version 1.5 that uploads a video file to an FTP server, copies the links to the clipboard, creates new mail message and sends it.
    For some reason, it only does 1 file at a time now.  Interestingly, it uploads the files to the server but only sends the email with the first link. This worked perfectly fine on 10.6.  Before you could highlight 10 files and it would upload and send the links to all of them.
    Basically, I think it's the upload to FTP action that is causing the problems.  I need applescript to upload to the FTP and copy the url's and send the email.  See attached screenshot of the workflow.  I'm an applescript newbie so any help would be great.

    I don't know what is calling your function, but you should read the file before your call to the function and pass the contents as a byte array argument. You can process the byte array like you already do in your function.
    Regards,
    Marco

  • CS6, FTP and MySQL Connection ERRORs

    Adobe CS6 Dreamweaver
    I have the latest + updates of CS6 for Mac OS X 10.7.4.latest
    I can FTP, but files are not readable after the upload, on any web hosting provider.
    I have to use a third party FTP application (CyberDuck or Transmit) to make this happen.
    NOT HAPPY about this £2500 CS6 Master Collection spend not working !!!!
    When I try to connect via MySQL I get this error and failed actions:
    https://dl.dropbox.com/u/5485939/adobe_CS6_dreamweaver_FTP_MySQL/Screen%20Shot%202012-07-1 3%20at%2011.11.57.png
    https://dl.dropbox.com/u/5485939/adobe_CS6_dreamweaver_FTP_MySQL/Screen%20Shot%202012-07-1 3%20at%2011.11.45.png
    https://dl.dropbox.com/u/5485939/adobe_CS6_dreamweaver_FTP_MySQL/Screen%20Shot%202012-07-1 3%20at%2011.11.19.png
    I have checked the folders & content for ...
    _mmServerScripts
    Connections
    are uploaded properly (having to use a third party FTP application, see above).
    I have the correct login details for FTP and MySQL, as other MySQL Apps (Sequel Pro) have no problem connecting to any web hosting provider for MySQL using the exact same login details.
    This is the same on my iMac or my MacBook Pro.

    Hello David, I am having this issue getting errors while trying to get my SQL to connect with the server. I clicked on the link you provided and I get a "you do not have permission to view this" message. Can you please share what ever solution that adobe has with me too.
    I am really really irritated with this issue, as someone else stated this is really inconvenient when I want to get some work done. I am also upset that I bought this software, especially if I cant find a solution.
