FTP DMZ creation

Unanswered Question
Mar 6th, 2007

I have a PIX 515E set up with stateful failover.

Do I have to have a DMZ bundle in order to configure a DMZ for an FTP server?

Is all that is needed to set up an interface on one of the 3 remaining available ones and configure the security for it?

vitripat Tue, 03/06/2007 - 14:15

You could just place the FTP server on the existing inside interface and map it to a public IP using the static command. This won't be a recommended setup though.

Recommended setup would be to use a separate interface altogether for publicly accessible servers and map them to public IPs from there. Here's a link which shows placing a mail server in a DMZ network and allowing access to it:



You can just replace the ports from smtp to ftp and "inspect esmtp" with "inspect ftp" in 7.x code and "fixup protocol smtp 25" with "fixup protocol ftp 21" in 6.x code.
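As an added example (not from vitripat's post or the linked Cisco document), here is what the mail-server recipe looks like once the ports and fixup are swapped for FTP, in PIX 6.x syntax. The spare interface (ethernet2), the RFC 5737 documentation addresses, the inside range and the access-list names are all assumptions; `!` lines are annotations, not configuration. On 7.x code the `fixup` line becomes `inspect ftp` under the default inspection class, as the post says.

```cisco
! Added example, not from the thread. Assumed: ethernet2 is the spare port,
! 203.0.113.21 is a free public IP, 192.168.50.0/24 is the new DMZ subnet.
nameif ethernet2 dmz security50
interface ethernet2 100full
ip address dmz 192.168.50.1 255.255.255.0

! One-to-one static for the FTP server. The static alone exposes nothing;
! only what the outside access-list permits gets through.
static (dmz,outside) 203.0.113.21 192.168.50.21 netmask 255.255.255.255

! Expose only the FTP control port (21) to the Internet.
access-list outside_in permit tcp any host 203.0.113.21 eq ftp
access-group outside_in in interface outside

! Let the PIX follow the FTP control channel and open the data
! connection on demand instead of leaving a port range open.
fixup protocol ftp 21

! A compromised DMZ host should not get a free path to the inside:
! deny the inside range from the DMZ, then allow the rest out.
! (10.0.0.0/8 as the inside range is an assumption.)
access-list dmz_out deny ip any 10.0.0.0 255.0.0.0
access-list dmz_out permit ip any any
access-group dmz_out in interface dmz
```

Check the result with `show static`, `show access-list` (hit counters) and `show conn` while an FTP session is up; with the fixup active you should see the data connection appear as a separate conn that was not explicitly permitted.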



vitripat Tue, 03/06/2007 - 15:27

If you purchase a DMZ bundle chassis, you will have an extra NIC card, which can be used as a DMZ interface.

If you purchase a simple chassis, with only 2 interfaces and a "Restricted" license, then you can install a 1-port FE card and use this new FE interface as the DMZ interface. The "Restricted" license allows use of a maximum of 3 interfaces, including the inside and outside interfaces. However, if you have an "Unrestricted" license, you can even use a 4-port FE card and create 4 different DMZ interfaces!



richmorrow624 Tue, 03/06/2007 - 16:24

We have a total of five interfaces.

Three are used with IP addresses and one is used as a failover interface.

How can I tell if it is an "unrestricted" license?

Jon Marshall Wed, 03/07/2007 - 00:26


Do a "sh ver" on your firewall.

This is taken from one of our Pix515E firewalls.


sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Wed 13-Aug-03 13:55 by morlee

MD-DESC-F01-FW01 up 173 days 19 hours

Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : Crypto5823 (revision 0x1)
0: ethernet0: address is 0011.5cc3.7133, irq 10
1: ethernet1: address is 0011.5cc3.7134, irq 11
2: ethernet2: address is 000d.88ef.0300, irq 11
3: ethernet3: address is 000d.88ef.0301, irq 10
4: ethernet4: address is 000d.88ef.0302, irq 9
5: ethernet5: address is 000d.88ef.0303, irq 5

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 6
Maximum Interfaces: 10
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has an Unrestricted (UR) license.

Serial Number: 808252051 (0x302cf293)
Running Activation Key: 0xb62825e8 0x0c995dfa 0x80855127 0x9d6215c3
Configuration last modified by enable_15 at 08:24:17.335 GMT Wed Mar 7 2007


Key things to look at:

1) Maximum number of physical interfaces

2) Obviously, at the bottom of the output it tells you which license it is running.



richmorrow624 Wed, 03/07/2007 - 04:23

Thanks for the replies, guys.

One last question:

We have one of the interfaces being used by a customer, and the two failover PIX firewalls are connected to a Cisco 12-port switch on his DMZ.

Is it acceptable practice to VLAN the switch and use some of the ports for another DMZ?

Or best to physically isolate them with another switch?

Jon Marshall Wed, 03/07/2007 - 04:35

A lot depends on the level of security you need. I have seen both separate switches used and a combined switch with all the vlans on that one switch.

The key concerns with using the same switch for multiple DMZs are:

1) a configuration mistake could lead to a security risk

2) VLAN hopping, i.e. being able to jump across VLANs

3) VLAN 1, which should not be used on a DMZ switch.

I think you will be fine with what you propose as long as you understand the issues with multiple VLANs on a switch.

Attached is a paper on vlan security from Cisco. It's about 6500 switches but a lot of the information applies to all switches.
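As an added example (not from Jon's post or the attached Cisco paper), here is a Catalyst IOS switch configuration that addresses the three concerns above for a shared DMZ switch: the new DMZ gets its own VLAN, DTP negotiation is switched off so a port cannot talk itself into a trunk, unused ports are parked in a dead-end VLAN and shut down, and nothing lives in VLAN 1. VLAN numbers, port ranges and descriptions are assumptions; `!` lines are annotations.

```cisco
! Added example, not from the thread. Assumed: Fa0/5-8 carry the new DMZ,
! Fa0/9-12 are unused, Fa0/1 is the only port that ever needs to trunk.

! Concern 1 (configuration mistakes): a named VLAN per DMZ, so a port in
! the wrong VLAN is obvious in "show vlan brief".
vlan 20
 name DMZ-FTP
vlan 999
 name UNUSED-BLACKHOLE
vlan 998
 name NATIVE-UNUSED

! Concern 2 (VLAN hopping): access ports only, with DTP disabled so the
! port can never be negotiated into a trunk by the device plugged into it.
interface range FastEthernet0/5 - 8
 description DMZ-FTP (PIX dmz interface + FTP server)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 no cdp enable

! Unused ports: shut, and in a VLAN that goes nowhere, not VLAN 1.
interface range FastEthernet0/9 - 12
 description UNUSED
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown

! Concern 3 (VLAN 1) on the one trunk: native VLAN moved off VLAN 1,
! allowed list pruned to the DMZ VLANs that must cross it.
! ("switchport trunk encapsulation dot1q" is only needed on platforms
! that also support ISL.)
interface FastEthernet0/1
 description uplink-trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
```

After applying it, `show interfaces trunk` should list only Fa0/1 with native VLAN 998, and `show vlan brief` should show no active ports in VLAN 1.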




richmorrow624 Wed, 03/07/2007 - 05:24

Thanks Jon,

So I just create a new VLAN on the firewall for the DMZ, then uplink to the appropriate switchports on the switch?

Jon Marshall Wed, 03/07/2007 - 05:28


If you're using one of your spare interfaces then you don't need to create a VLAN on your firewall, you just use one of the spare interfaces. Allocate the ports on the switch to a new VLAN and then connect the PIX interface into one of those ports.

The PIX firewall would only need to know about VLANs if you were going to run 802.1q trunking on one of the PIX interfaces, and I don't believe this is what you are trying to do.

If I have misunderstood, please let me know.



richmorrow624 Wed, 03/07/2007 - 05:47

No Jon,

You are spot on.

Sorry but another question:

What about FTP? I am unsure about passive mode.

What is the best way to set that up?

Jon Marshall Thu, 03/08/2007 - 00:40


If you are going to run passive ftp you generally do not want to have the fixup ftp command on.

The fixup ftp was primarily designed for active ftp.

As far as the rule base goes, if you are allowing all traffic out from the inside and you are talking about FTP to the outside, then you should be fine with passive FTP, as both the data and control connections are initiated by the client.
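As an added example (not from Jon's post), here is the PIX 6.x rule set that follows from his advice, extended from the outbound case he describes to the inbound DMZ FTP server this thread is about. Without the fixup the PIX no longer reads the server's PASV reply, so the data connection has nothing to open a pinhole for it; the server's passive port range therefore has to be permitted explicitly, and the FTP daemon must be told to advertise its public address in PASV replies, because nothing on the firewall rewrites it. Addresses, the passive range 50000-50100 and access-list names are assumptions; `!` lines are annotations.

```cisco
! Added example, not from the thread. Assumed: FTP server 192.168.50.21
! on the dmz interface, public IP 203.0.113.21, daemon configured with
! passive ports 50000-50100 and to advertise 203.0.113.21 in PASV replies.

! Per the advice above: no FTP fixup when running passive mode.
no fixup protocol ftp 21

! Outbound from inside: client opens both control and data connections,
! so the ordinary permissive outbound NAT is all that is needed.
nat (inside) 1 0 0
global (outside) 1 interface

! Inbound to the DMZ server: the static plus control port as before...
static (dmz,outside) 203.0.113.21 192.168.50.21 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.21 eq ftp
! ...and, because nothing inspects PASV now, the passive data range itself.
! Keep this range as narrow as the daemon allows: every port in it is a
! permanently open listener on the DMZ host.
access-list outside_in permit tcp any host 203.0.113.21 range 50000 50100
access-group outside_in in interface outside
```

If external clients can log in but directory listings hang, the usual cause is the daemon still advertising 192.168.50.21 in its PASV reply; `show conn` will show the control connection established and no data connection at all.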



