Browser FTP access through PIX 515

Looking for some help.

I have a PIX 515UR 6.3(2), behind which I have an FTP server running WS_FTP server. With the help of WS_FTP we enabled SFTP by setting up clear channel to open the FTP communication.

Two things I am struggling with, and WS_FTP has said I need someone with extensive firewall knowledge to resolve. 1) Remote connections have to set their FTP client software to use active state, because passive will not work.

2) This may feed off #1, but I would also like to be able to provide Internet Explorer browser-based FTP access to my site as needed. We run into some clients that have no FTP client software and they are having to download a trial copy of WS_FTP to get access to our server.

I understand I haven't been real specific with my questions, but any advice is appreciated, at which time I can get into deeper detail.

THANKS!

2 REPLIES

Re: Browser FTP access through PIX 515

Matt wrote a couple of days ago:

SFTP is not supported through the PIX.

This is because with SFTP the whole exchange is encrypted. This means that the PIX can't inspect the communications on the control channel (PORT or PASV, specifically) that dictate what the data channel is going to be. Since the PIX can't see what the data channel is going to be, it can't open up a hole for the traffic to pass through. In this situation you will probably be able to connect to an SFTP server, but you won't be able to list directories or transfer files.

There may be a workaround, if your client supports it. Some programs (WS_FTP is one, I think), have an option to send the control channel traffic in the clear, while still encrypting the data channel. This will allow the PIX to anticipate the data channel and allow it, and still have SFTP protect your data.

Thanks,

Matt

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddc28cc/4#selected_message

Sincerely

Patrick
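
What the reply above describes, as an added example that is not part of the original thread and not the PIX's own implementation: Python code that reads the data-channel address out of a cleartext PORT command or 227 (PASV) reply, and finds nothing to read when the control channel is opaque. The function names and both sample byte strings are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as decimal bytes (RFC 959 host-port format).
_HOSTPORT = re.compile(r"(\d{1,3})," * 5 + r"(\d{1,3})")


def data_endpoint(line):
    """Return (kind, ip, port) when a control-channel line announces a
    data channel (client PORT or server 227 reply), else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        kind = "active"    # client names the address the server will dial
    elif text.startswith("227 "):
        kind = "passive"   # server names the address the client will dial
    else:
        return None
    m = _HOSTPORT.search(text)
    octets = [int(g) for g in m.groups()] if m else []
    if len(octets) != 6 or any(o > 255 for o in octets):
        return None        # malformed host-port field
    ip = ".".join(str(o) for o in octets[:4])
    return kind, ip, octets[4] * 256 + octets[5]


def expected_data_channels(control_bytes):
    """Collect the data channels an inspecting device could predict from
    raw control-channel bytes; it can only act on lines it can read."""
    found = []
    for raw in control_bytes.split(b"\r\n"):
        try:
            line = raw.decode("ascii")
        except UnicodeDecodeError:
            continue       # encrypted or binary: nothing to inspect
        hit = data_endpoint(line)
        if hit:
            found.append(hit)
    return found


# Constructed sample sessions (addresses from documentation ranges).
CLEAR = (b"USER demo\r\n331 Password required\r\nPASV\r\n"
         b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
         b"PORT 198,51,100,7,4,1\r\n200 PORT command successful\r\n")
# Stand-in for an encrypted control channel: opaque bytes, not real TLS.
ENCRYPTED = bytes([0x17, 0x03, 0x01, 0x00, 0x20]) + bytes(range(0x80, 0xA0))

if __name__ == "__main__":
    print(expected_data_channels(CLEAR))      # two predictable channels
    print(expected_data_channels(ENCRYPTED))  # none: nothing readable
```

The port is the last two bytes combined as p1 * 256 + p2, so the sample 227 reply announces port 50000 on 192.0.2.10.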

Re: Browser FTP access through PIX 515

Thank You Patrick,

I had read Matt's msg, and I have SFTP working by sending the control channel traffic in the clear.

Maybe I should clarify. Remote users have the option of connecting to my FTP server either with standard FTP or SFTP. My two questions from the original post relate to normal FTP traffic and allowing that in PASV mode, which I think will then open up Internet Explorer to access my FTP server.
