Cisco Support Community
Active FTP problem between Checkpoint and Cisco PIX

Hello,

I'm experiencing a strange problem.

A lot of our customers have got a Checkpoint FW-1/VPN-1 4.1 SP6 (the last before NG). When they try to connect to an FTP server located behind a Cisco PIX Firewall, they're not able to transfer data: the connection is established, the authentication follows, but at the "LIST" step the connection "freezes" and the user has to close the FTP client.

Users are experiencing this problem ONLY in active mode: passive mode works fine. Turning the FTP client to passive mode isn't an acceptable workaround for most of my customers.

The problem seems to be related only to Cisco PIX Firewall and active FTP.

Please, has anyone encountered the same problem?

Could anyone give me any help?

Thank you in advance.

Paolo

1 ACCEPTED SOLUTION


Re: Active FTP problem between Checkpoint and Cisco PIX

Yes this is a (global) problem, even with the latest checkpoint firewalls. What happens with active FTP, is that each command (get, list etc.) will cause the client to open another session (source port) to the server on port 21. If you run netstat from the client you can check this out for yourself.

What normally happens with HTTP, FTP, telnet what have ya, is that the client establishes a connection to port 21, 23 etc. and then returns with a source port such as 1936, 1980, 3000 etc.

Problem with stateful connection firewalls is that they do not allow multiple control sessions over one destination port number, so only one source port can be linked to a destination port, in this case 21 for FTP. I don't see it changed any time soon, since it's an extreme security risk, someone else might be hopping along the session, and blocking that type of traffic is what stateful firewalls are all about, and FTP servers are probably the most hacked machines on the planet.

You've mentioned the workaround, unfortunately that's the only way, change your clients to passive, I believe Unix/Linux clients have a problem with this, changing your FTP server might also help, there are several servers which can be configured to disable active FTP, I wouldn't know exactly, I only do networks & firewalls... maybe someone else can tip on this...

2 REPLIES

Re: Active FTP problem between Checkpoint and Cisco PIX

The problem is port 20. The ftp server is attempting to open a connection to the client to send the data. The ftp server uses port 20 to send the data. If your pix does not have any outbound filtering then the problem is with the CP. The CP is denying the ftp server access to the client device to send the data.

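To make the second reply's diagnosis concrete, here is an added example (not code from this thread) that parses the FTP PORT command and the 227 PASV reply, reports which side opens the data connection, and models a client-side stateful firewall that only allows connections initiated from the inside. The IP addresses and control-channel lines are constructed samples.

```python
import re

_PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port); reject out-of-range values."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def data_connection(client_ip, server_ip, ftp_line):
    """Describe the data connection implied by one FTP control-channel line.

    Active mode: the client sends PORT and the SERVER connects from port 20 to the
    client's address/port. Passive mode: the server answers PASV with a 227 reply and
    the CLIENT connects to the server's address/port.
    """
    m = _PORT_RE.match(ftp_line.strip())
    if m:
        ip, port = _decode(m.groups())
        # An FTP-aware firewall should only open a pinhole to the control peer itself.
        return {"mode": "active", "initiator": "server", "src": (server_ip, 20),
                "dst": (ip, port), "pinhole_safe": ip == client_ip}
    m = _PASV_RE.match(ftp_line.strip())
    if m:
        ip, port = _decode(m.groups())
        return {"mode": "passive", "initiator": "client", "src": (client_ip, None),
                "dst": (ip, port), "pinhole_safe": ip == server_ip}
    raise ValueError("not a PORT command or 227 reply: %r" % ftp_line)


def client_firewall_permits(conn, ftp_inspection=False):
    """Model a stateful firewall in front of the client (the Checkpoint in the thread).
    By default only connections initiated from the inside get state. Without FTP-aware
    inspection that reads the PORT command, the server's inbound connection from port 20
    matches no state and is dropped, which is the active-mode hang at LIST."""
    if conn["initiator"] == "client":
        return True
    return ftp_inspection and conn["pinhole_safe"]


# Constructed sample exchange; addresses are placeholders, not taken from the thread.
CLIENT, SERVER = "10.0.0.5", "192.0.2.10"
ACTIVE = data_connection(CLIENT, SERVER, "PORT 10,0,0,5,7,210")
PASSIVE = data_connection(CLIENT, SERVER, "227 Entering Passive Mode (192,0,2,10,195,80).")
```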