Weird FTP problems via ISA 2004? Running Cisco Pix too? Try this.

Weird FTP problems via ISA 2004? Running Cisco Pix too... - 15.Jul.2005 9:08:00 AM   
Guest
I have been struggling for a while with FTP connections through ISA (in single NIC configuration) sitting behind a Cisco Pix 515.

Users were seeing an error along the lines of:

ISA Server: extended error message :
200 Type set to I.
500 Invalid PORT Command.

It turns out that we have been running the Pix with its FTP fixup feature disabled (which worked with ISA 2000).

I can only assume that ISA 2004 implements FTP in a slightly different way, as enabling FTP fixup on the Pix has solved the problem.

Hope this helps someone, as I ended up installing a Linux box with Squid proxy to get around it!
  Post #: 1
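
Added example, not part of the original posts: a `500 Invalid PORT Command` reply is commonly seen when a NAT device forwards the active-mode `PORT` argument unrewritten, so the address in the payload no longer matches the source address the server sees. The Python below parses `PORT` lines from a control-channel capture and flags that mismatch. The addresses and capture lines are constructed, and it is an assumption that the Pix in this thread was translating the ISA server's address.

```python
import ipaddress
import re

# RFC 959 syntax: PORT h1,h2,h3,h4,p1,p2 (address and port as decimal octets)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_port(line):
    """Return (IPv4Address, tcp_port) advertised by a PORT command."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % line)
    addr = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    return addr, octets[4] * 256 + octets[5]


def check_port(line, peer_seen_by_server):
    """Flag PORT arguments a server behind NAT is likely to refuse."""
    addr, port = parse_port(line)
    findings = []
    if addr != ipaddress.IPv4Address(peer_seen_by_server):
        findings.append("address-mismatch")   # PORT host != control peer
    if any(addr in net for net in RFC1918):
        findings.append("rfc1918-address")    # not routable from the server
    if port < 1024:
        findings.append("privileged-port")    # commonly refused by servers
    return findings


# Constructed sample: client-side control-channel lines and the NATed
# source address the remote server sees (documentation range, RFC 5737).
NAT_ADDRESS = "203.0.113.10"
CAPTURE = [
    "TYPE I",
    "PORT 192,168,10,5,19,137",   # inspection off: inside address leaks
    "PORT 203,0,113,10,19,137",   # inspection on: payload rewritten
]

if __name__ == "__main__":
    for line in CAPTURE:
        if line.upper().startswith("PORT"):
            print(line, "->", parse_port(line), check_port(line, NAT_ADDRESS))
```

Run it against `PORT` lines captured on the outside interface of the NAT device: any `address-mismatch` or `rfc1918-address` finding there means the payload is leaving unrewritten.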
RE: Weird FTP problems via ISA 2004? Running Cisco Pix... - 15.Jul.2005 9:20:00 AM   
tshinder

 

Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi J,

Try installing the ISA firewall in full firewall mode with multiple NICs. It's designed for that, plus Web proxy FTP is somewhat limited.

HTH,
Tom

(in reply to Guest)
Post #: 2
RE: Weird FTP problems via ISA 2004? Running Cisco Pix... - 15.Jul.2005 10:24:00 AM   
Guest
Thanks for the advice Tom.

Maybe I've selected the wrong proxy product. I don't need ISA to be a firewall - I have Cisco Pix.

All I want is to be able to authenticate users against Active Directory for HTTP, HTTPS & FTP access to external sites, log that access, do a bit of caching to improve end-user experience and provide a bit of content control too (I use the HTTP filter to block common media file extensions).

Now I've ironed out that ISA/Pix issue, ISA acting simply as a proxy server in single NIC configuration seems to tick all the above boxes, except FTP upload. The FTP access filter is enabled and the FTP read only checkbox is unchecked on the rule that allows FTP access.

I guess this is, as you say, simply a limitation of web proxy FTP, with the only workaround being to install multiple NICs, configure ISA in full firewall mode and use firewall clients on workstations.

I don't want to have to do this.

I know that proxy servers in general can proxy FTP upload without the need for special client software.

The problem I face is that I don't think there is another product out there that does everything I need as well as ISA does most of the things I need (I'm sure there is a better way to phrase that!).

Maybe I should think about implementing SOCKS on ISA as a workaround?

Regards,

Jamie

(in reply to Guest)
  Post #: 3
RE: Weird FTP problems via ISA 2004? Running Cisco Pix... - 15.Jul.2005 3:21:00 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:
Originally posted by <j823777>:
I don't need ISA to be a firewall - I have Cisco Pix

LOL
Let me run for cover while Tom suits up.

You NEED it to be a firewall BECAUSE of Pix!

(in reply to Guest)
Post #: 4
RE: Weird FTP problems via ISA 2004? Running Cisco Pix... - 15.Jul.2005 3:31:00 PM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
quote:
Maybe I've selected the wrong proxy product. I don't need ISA to be a firewall - I have Cisco Pix.

I have no doubt that this line will be quoted in Tom's next book.

[Big Grin] [Big Grin] [Big Grin] [Big Grin] [Big Grin] [Big Grin] [Big Grin]

[ July 15, 2005, 06:32 PM: Message edited by: ISAwader ]

(in reply to Guest)
Post #: 5
RE: Weird FTP problems via ISA 2004? Running Cisco Pix... - 15.Jul.2005 9:20:00 PM   
Guest
quote:
Originally posted by LLigetfa:
quote:
Originally posted by <j823777>:
I don't need ISA to be a firewall - I have Cisco Pix

LOL
Let me run for cover while Tom suits up.

You NEED it to be a firewall BECAUSE of Pix!

This response really surprises me.

I'm certainly not a Cisco fanboy, but I read a lot of industry press & product evaluations, and in almost every example the Pix firewall is very highly regarded. Even more so with v7.0.

I've been using it for around four years without many serious complaints (like anything it has its idiosyncrasies that make it slightly frustrating to configure unless you know the 'Cisco way' of doing something).

Please explain why you believe there is a need to use ISA's firewall in addition to Pix. What does ISA bring to the table, in terms of its firewall feature set, that Pix cannot provide?

I have to say I wouldn't be too keen on having to rely on a 3rd party product to properly implement load balancing / stateful failover (See summary here: http://www.isaserver.org/img/upl/haisaserver/ha_isaserver3_files/frame.htm). I really don't know if I'd be comfortable routing all of my traffic through it because of this.

Although I can't say I've set up load-balanced ISA servers, setting up active/active (with asymmetric routing support) or active/standby (with stateful failover) with Pix seems to be a breeze in comparison.

I appreciate the benefit of having two firewalls from different vendors at the perimeter, but my choice for a secondary firewall (if I had the budget!) would be Fortinet, not a Microsoft firewall running on Windows.

I don't want to start a flame war - I'd just appreciate it if you'd provide some substance to back up your remarks.

<applies flamesuit & ducks just in case>

(in reply to Guest)
  Post #: 6
