PIX 7.22 FTP Problem

I just updated to PIX v7.22 code. FTP worked great before. After the update, FTP is broken on all Internet Explorer 7 clients and only works intermittently on Internet Explorer v6.0. I have about 20 end-users who rely on FTP. I do not do Anonymous FTP. Part of my research led to a port speed/duplex mismatch, so I checked my HP 2524 and PIX 515. Indeed, there was a mismatch, so I corrected it. Here is my PIX config. Thanks in advance for the help.

!
PIX Version 7.2(2)
!
hostname
domain-name
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0
 description This is the Outside/LOWER/PUBLIC Security Interface
 nameif outside
 security-level 0
 ip address x.x.x.106 255.255.255.248
!
interface Ethernet1
 description This is the Inside/Higher/Private Security Interface
 nameif inside
 security-level 100
 ip address x.x.x.1 255.255.255.0
!
interface Ethernet2
 description This is the DMZ/Middle Security Interface
 shutdown
 nameif intf2
 security-level 4
 no ip address
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name digitalti.net
access-list 101 extended permit tcp any host x.x.x.106 eq smtp
access-list 101 extended permit tcp any host x.x.x.106 eq 3389
access-list 101 extended permit tcp any host x.x.x.106 eq 3391
access-list 101 extended permit tcp any host x.x.x.106 eq www
access-list 101 extended permit tcp any host x.x.x.106 eq ftp
access-list 101 extended permit tcp any gt 1023 host x.x.x.106 eq ftp-data
pager lines 24
logging trap debugging
logging asdm informational
logging host inside x.x.x.x
mtu outside 1500
mtu inside 1500
mtu intf2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.x.108-x.x.x.109 netmask 255.255.255.248
global (outside) 1 x.x.x.107 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.106 smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.106 www 192.168.1.20 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.106 3391 192.168.1.23 3391 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.106 ftp 192.168.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.106 3389 192.168.1.20 3389 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http x.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet x.x.x.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
!
service-policy global_policy global
tftp-server inside x.x.x.23\\04252007-pix.txt
prompt hostname context

Syslog output

2007-04-30 18:10:08 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from {public ip}/1230 to {public ip}/21 flags RST ACK on interface outside
2007-04-30 18:10:08 Local4.Debug 192.168.1.1 %PIX-7-609002: Teardown local-host outside:{public ip} duration 0:00:00
Reply to
nk-services

You're missing your ftp-data static:

static (inside,outside) tcp x.x.x.106 ftp-data 192.168.1.20 ftp-data netmask 255.255.255.255
Reply to
Brian V

Hit send too fast.... You're also missing the data statement on your ACL:

access-list 101 extended permit tcp any host x.x.x.106 eq ftp-data

Reply to
Brian V
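The thread turns on two things that are easy to get out of step on a PIX 7.x box: every static PAT exposed on the outside interface needs a matching permit in the ACL bound to that interface (the ACL is evaluated against the global address and port, before the static translation), and an FTP service needs its data channel covered either by `inspect ftp` in the global policy or by an ftp-data static plus ACL entry. The checker below is an added example, not part of the thread or any Cisco tool. It parses a trimmed, constructed copy of the posted config (public address replaced by the documentation prefix 203.0.113.106, the 3391 ACL line deliberately left out so one finding shows up) and reports the mismatches, plus two weak management settings that the posted config actually contains (`ssh version 1`, `snmp-server community public`).

```python
"""Consistency and hygiene checks for a Cisco PIX 7.x running config.

Added example (not from the thread or from Cisco). Expects one command per
line, as `show running-config` prints it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Service keywords the PIX accepts in place of port numbers (subset used here).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "smtp": 25, "www": 80, "http": 80}

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp .*?host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
INSPECT_RE = re.compile(r"^inspect (\S+)")

# Management-plane settings worth flagging; matched as line prefixes.
WEAK_SETTINGS = {
    "ssh version 1": "SSHv1 is broken; use `ssh version 2`",
    "snmp-server community public": "default SNMP community string",
}


def port_of(token: str) -> int:
    """Translate a PIX service keyword or numeric string to a port number."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    if token.isdigit():
        return int(token)
    raise ValueError(f"unknown service token {token!r}")


@dataclass(frozen=True)
class Static:
    local_if: str
    global_if: str
    global_ip: str
    global_port: int
    local_ip: str
    local_port: int


def parse_config(text: str):
    """Return (statics, permits, access-groups, inspected protocols, weak lines)."""
    statics, permits, groups, inspects, weak = [], set(), {}, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            lif, gif, gip, gport, lip, lport = m.groups()
            statics.append(Static(lif, gif, gip, port_of(gport), lip, port_of(lport)))
        elif m := ACL_RE.match(line):
            acl, host, svc = m.groups()
            permits.add((acl, host, port_of(svc)))  # what the outside ACL must allow
        elif m := GROUP_RE.match(line):
            acl, iface = m.groups()
            groups[iface] = acl
        elif m := INSPECT_RE.match(line):
            inspects.add(m.group(1))
        for prefix, why in WEAK_SETTINGS.items():
            if line.startswith(prefix):
                weak.append(f"{line}: {why}")
    return statics, permits, groups, inspects, weak


def audit(text: str) -> list[str]:
    statics, permits, groups, inspects, weak = parse_config(text)
    findings = list(weak)
    for s in statics:
        acl = groups.get(s.global_if)
        # Inbound traffic is matched against the global (pre-NAT) address/port.
        if acl is None or (acl, s.global_ip, s.global_port) not in permits:
            findings.append(f"no ACL permit on {s.global_if} for "
                            f"{s.global_ip}:{s.global_port} -> {s.local_ip}:{s.local_port}")
    for s in statics:
        if s.global_port != 21:
            continue
        has_data_static = any(o.global_ip == s.global_ip and o.global_port == 20 for o in statics)
        if "ftp" not in inspects and not has_data_static:
            findings.append(f"FTP static {s.global_ip} has neither `inspect ftp` nor an "
                            "ftp-data static; active-mode data connections will leave "
                            "from a different global address")
    return findings


# Constructed sample: trimmed from the posted config, 203.0.113.106 stands in
# for x.x.x.106, and the `eq 3391` ACL line is intentionally omitted.
SAMPLE_CONFIG = """\
access-list 101 extended permit tcp any host 203.0.113.106 eq smtp
access-list 101 extended permit tcp any host 203.0.113.106 eq 3389
access-list 101 extended permit tcp any host 203.0.113.106 eq www
access-list 101 extended permit tcp any host 203.0.113.106 eq ftp
access-list 101 extended permit tcp any gt 1023 host 203.0.113.106 eq ftp-data
static (inside,outside) tcp 203.0.113.106 smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.106 www 192.168.1.20 www netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.106 3391 192.168.1.23 3391 netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.106 ftp 192.168.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.106 3389 192.168.1.20 3389 netmask 255.255.255.255
access-group 101 in interface outside
snmp-server community public
ssh version 1
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the real box by pasting `show running-config` output into `SAMPLE_CONFIG` (or reading it from a file). Removing the `inspect ftp` line from the sample makes the FTP finding appear; adding an ftp-data static as suggested in the replies clears it again, which is the trade-off the replies are describing.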
