FTP through PIX

Hello all:

I am in the initial stages of setting up an FTP server in our network which will need to be accessible from the outside and through our PIX. Is there any tutorial or article that anyone knows about which could guide me through the PIX portion of it to ensure it has the right settings to allow connections through and data to be sent back to clients?

Thanks,

John

2 REPLIES

Re: FTP through PIX

The common way to allow outsider/internet users to access your FTP server is via this method:

1. Map your internal FTP Server to a dedicated Public IP Address to enable internet users to access your FTP server.

You can either use dedicated public IP (preferred), or use PIX Outside interface IP with port re-direction.

2. Configure/add access-list (ACL) on the PIX Outside interface allowing any or specific external IP to access to your FTP server via its Public IP. T

Example:

Internal FTP Server IP: 10.10.10.10

Public IP: 192.168.100.10

a. Mapping internal FTP Server on Inside segment (same if it's in DMZ)

static (inside,outside) 192.168.100.10 10.10.10.10 netmask 255.255.255.255

b. Create/add ACL & bind to Outside interface

access-list outside-access_in permit icmp any host 192.168.100.10 --> allow PING to test FTPsvr reachability. Remove after the test.

access-list outside-access_in permit tcp any host 192.168.100.10 eq 21

access-list outside-access_in deny ip any any

access-group outside-access_in in interface outside --> bind ACL to Outside interface

* Make sure your PIX has the default route set correctly to the Internet router

The return traffic back to clients normally has no issue with PIX as it'll keep the connection/session status in its state table.

You can test the reachability/connectivity between client and server using the above ping (ICMP) test.

PIX's doc on allowing inbound connection:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1069973

HTH

AK

Re: FTP through PIX

Matee,

I would add one note to this:

Make sure that application inspection is enabled for FTP.

The command will be: "fixup protocol ftp 21" if you are using PIX OS 6.X.X (http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379) and will be "inspect ftp" if you are using PIX OS 7.X.X (http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f0e8.html#wp1664935).

This will be needed to make sure that your PIX will allow both Active and passive FTP.

Hope this helps.

Cheers.
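
Added example, not part of the thread and not Cisco's code: a simplified Python model of what FTP application inspection has to do on the control channel for the addresses used above, namely read the host-port field in the PORT command (active) and the 227 reply (passive), translate an embedded inside address, and derive the data connection to allow even though the ACL only permits tcp/21. The function names, the client address 203.0.113.5, the sample lines and the sanity checks are assumptions made for this example.

```python
import re

# Addresses from the example in the thread: real (inside) -> mapped (outside).
NAT = {"10.10.10.10": "192.168.100.10"}

# RFC 959 host-port field "h1,h2,h3,h4,p1,p2" used by PORT and the 227 reply.
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def inspect_line(line, sender_ip):
    """Simplified model of FTP inspection for one control-channel line.

    Returns (line_to_forward, pinhole). pinhole is the (ip, port) a data
    connection may be opened to, or None. A dropped line is (None, None).
    """
    negotiates = line.upper().startswith("PORT ") or line.startswith("227 ")
    if not negotiates:
        return line, None                      # USER, LIST, 230 ... pass through
    m = HOSTPORT.search(line)
    if m is None:
        return None, None                      # malformed host-port field
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None, None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    # Checks chosen for this example, not a statement of what PIX enforces:
    # the advertised address must be the sender's own, on an unprivileged port.
    if ip != sender_ip or port < 1024:
        return None, None
    mapped = NAT.get(ip, ip)                   # translate embedded inside address
    field = mapped.replace(".", ",") + f",{nums[4]},{nums[5]}"
    return line[:m.start()] + field + line[m.end():], (mapped, port)


def demo():
    """Constructed control-channel lines; 203.0.113.5 is a made-up client."""
    return [
        inspect_line("227 Entering Passive Mode (10,10,10,10,195,80)", "10.10.10.10"),
        inspect_line("PORT 203,0,113,5,19,137", "203.0.113.5"),
        inspect_line("PORT 10,10,10,10,0,22", "203.0.113.5"),
        inspect_line("USER anonymous", "203.0.113.5"),
    ]


if __name__ == "__main__":
    for forwarded, pinhole in demo():
        print(forwarded, pinhole)
```

Without the rewrite in the first case, an outside client would be told to connect to 10.10.10.10, and without the derived pinhole the data connection to the server's high port would hit the final deny in the ACL.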
