
blocking ssh version 1, snmp version 1 and allow only passive FTP on pix

I need to migrate some customers from Checkpoint over to Cisco Pix firewalls, NOT ASA.

Currently in the checkpoint security policy, we only allow snmp version 2 and version 3 to traverse the firewalls. Furthermore, we also allow only ssh version 2 to traverse the firewalls. In other words, ssh version 1 and snmp version 1 are NOT allowed and will be dropped by Checkpoint Smartdefense.

Is this something that can be done with Cisco Pix firewalls version 7.2(2)? If so, how?

Is it also possible to allow ONLY passive ftp through the pix firewall? On the checkpoint firewall, I have a static NAT of a private host IP of to a public IP address of. I only allow passive ftp from External to this host; NO active FTP is allowed.

BTW, I understand well how passive and active ftp work.

It seems to me that if I have static NAT involved, the Pix firewall can not allow ONLY passive ftp through it. Worse, if I use "no fixup protocol ftp 21", both passive and active ftp stop working with NAT.

If I disable NAT, then I can block active ftp on the pix firewall by setting up a proper ACL and "no fixup protocol ftp 21".

Is it possible to allow only passive FTP through the pix firewall 7.2(2) with static NAT? It doesn't seem to be working for me in my testing.

Any ideas?



Re: blocking ssh version 1, snmp version 1 and allow only passiv

PAT works with Domain Name Service (DNS), FTP and passive FTP, HTTP, mail, remote-procedure call (RPC), rshell, Telnet, URL filtering, and outbound traceroute.


Re: blocking ssh version 1, snmp version 1 and allow only passiv

Hello again David. You've certainly got your work cut out for you. You should be able to do the SNMP inspection. Go into Global Properties -> Inspect Maps -> SNMP. Click Add, name the inspection map, and click which versions you want to disallow. Now go into Security Policy -> Service Policy Rules. Edit the default rule. In the rule actions, make sure SNMP is checked and click Configure. Select the map you created earlier.

As far as FTP goes, I'm strictly a PIX GUI user at this point and I see no option for restricting the type to active or passive.
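For readers working from the CLI rather than the GUI, the following is the PIX/ASA 7.x command-line equivalent of the SNMP inspection-map steps described in the reply above. It is an added example, not configuration posted by anyone in this thread. The map name SNMP_NO_V1 is an assumption; global_policy and inspection_default are the names the 7.x default service policy uses, and the example assumes that default policy is still in place.

```text
! Added example (not from the thread): deny SNMP version 1 through a
! PIX 7.2 firewall with an SNMP inspection map.
! The map name SNMP_NO_V1 is an assumption; choose any name.
snmp-map SNMP_NO_V1
 deny version 1
!
! Attach the map to the default global inspection policy.
! SNMP inspection is not enabled in the default class, so it must be
! added explicitly (this is the "make sure SNMP is checked" step).
policy-map global_policy
 class inspection_default
  inspect snmp SNMP_NO_V1
!
! The default policy is normally already applied globally; re-applying
! it is harmless.
service-policy global_policy global
!
! Verify that the map is bound and that matched SNMPv1 packets are
! being counted as dropped.
show running-config policy-map
show service-policy
```

The map only affects SNMP traffic that the firewall inspects on the default SNMP ports (UDP 161 and 162, as matched by inspection_default); SNMP on a non-standard port would need its own class-map and inspect statement. Note also that this addresses only the SNMP part of the question; PIX inspection has no equivalent setting for the SSH protocol version, and the FTP point raised by the second reply stands.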
