I want to apply an ACL controlling what services are permitted on the Internet. So I will create an ACL on the Inside interface IN that will allow for 80, 53, 20, 21 etc... My question is regarding FTP: from my log analysis I see that during FTP many ports are used in the high range (I guess this is part of the Active mode). If I don't enter all those ports in my access-list, will the fixup compensate for those or will the FTP fail?
Fixup ftp performs several functions with respect to ftp traffic. One of which is monitoring active ftp communications. In an active mode, ftp clients send PORT commands to the server instructing that server to connect back to them on random high ports (normally). The PIX is able to look at the PORT commands and open a connection on the PIX to allow the server to connect back to the client on this high port. In your case, it sounds like the ftp server is inside the PIX and the clients are outside. Is that correct? If you want to apply an ACL to your inside interface to prevent your internal clients from opening random connections, you can do this. In this case, the 'fixup ftp' command should monitor the traffic and punch a dynamic hole in the inside access-list to allow the internal server to connect back to the external client on the random high port. If this is not the scenario you are referring to, please let us know. Thanks.
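To make the mechanism in the answer concrete, here is an added Python illustration (not Cisco or PIX code) of how a client's PORT command is parsed into the server's connect-back flow, and why a static inside ACL that permits destination ports 80, 53, 20 and 21 does not match that flow until the fixup adds a dynamic entry. The addresses, the server IP and the PORT line are made up.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


# PORT h1,h2,h3,h4,p1,p2  ->  client address h1.h2.h3.h4, client port p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_command(line: str):
    """Return (ip, port) from an FTP PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # each field is a single octet
    port = p1 * 256 + p2
    if port == 0:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", port


def expected_data_flow(server_ip: str, port_cmd: str):
    """Active-mode data connection: the server dials out from port 20 to the address/port in PORT."""
    parsed = parse_port_command(port_cmd)
    if parsed is None:
        return None
    client_ip, client_port = parsed
    return Flow(server_ip, 20, client_ip, client_port)


class InsideAcl:
    """Toy model of an inside-interface ACL: static permits keyed on destination port plus fixup pinholes."""

    def __init__(self, permitted_dports):
        self.static = set(permitted_dports)
        self.pinholes = set()

    def permits(self, flow: Flow) -> bool:
        # A static 'permit tcp any any eq 20' does not help: the server's port 20 is the SOURCE.
        return flow.dport in self.static or flow in self.pinholes

    def fixup_ftp(self, server_ip: str, port_cmd: str):
        """Emulate the fixup: inspect the PORT command and punch a dynamic hole for the connect-back."""
        flow = expected_data_flow(server_ip, port_cmd)
        if flow is not None:
            self.pinholes.add(flow)
        return flow
```

Without the pinhole the data connection to the client's high port is dropped by the inside ACL, which is the failure the question describes.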