I have a PIX 515UR 6.3(2), behind which I have an FTP server running WS_FTP server. With the help of WS_FTP we enabled SFTP by setting up a clear channel to open the FTP communication.
Two things I am struggling with and WS_FTP has said I need someone with extensive firewall knowledge to resolve.
1) Remote connections have to set their FTP client software to use active state, because passive will not work.
2) This may feed off #1, but I would also like to be able to provide Internet Explorer browser-based FTP access to my site as needed. We run into some clients that have no FTP client software and they are having to download a trial copy of WS_FTP to get access to our server.
I understand I haven't been real specific with my questions, but any advice is appreciated, at which time I can get into deeper detail.
This is because with SFTP the whole exchange is encrypted. This means that the PIX can't inspect the communications on the control channel (PORT or PASV, specifically) that dictate what the data channel is going to be. Since the PIX can't see what the data channel is going to be, it can't open up a hole for the traffic to pass through. In this situation you will probably be able to connect to an SFTP server, but you won't be able to list directories or transfer files.
There may be a workaround, if your client supports it. Some programs (WS_FTP is one, I think) have an option to send the control channel traffic in the clear, while still encrypting the data channel. This will allow the PIX to anticipate the data channel and allow it, and still have SFTP protect your data.
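
To illustrate the reply above, here is an added example (not from the thread and not Cisco's code) of what an FTP-inspecting firewall has to read from the control channel to predict the data channel, and why an encrypted control channel gives it nothing to parse. The function name and sample lines are constructed; it also handles the EPSV reply of RFC 2428, which the thread does not mention.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply (RFC 959)
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"^PORT " + _HOSTPORT + r"\s*$", re.I)
_PASV_REPLY = re.compile(r"^227 .*?" + _HOSTPORT)
_EPSV_REPLY = re.compile(r"^229 .*\((.)\1\1(\d{1,5})\1\)")  # RFC 2428


def data_channel(line: bytes, peer_ip: str):
    """Return (mode, ip, port) announced by one control-channel line, or None.

    peer_ip is the server address of the control connection; EPSV replies
    carry only a port, so the address is taken from the connection itself.
    """
    try:
        text = line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return None  # not plain-text FTP (e.g. encrypted records): nothing to inspect
    for mode, rx in (("active", _PORT_CMD), ("passive", _PASV_REPLY)):
        m = rx.search(text)
        if m:
            nums = [int(g) for g in m.groups()]
            if any(n > 255 for n in nums):
                return None  # malformed octet, do not open anything
            ip = ".".join(map(str, nums[:4]))
            return mode, ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2
    m = _EPSV_REPLY.search(text)
    if m and 0 < int(m.group(2)) < 65536:
        return "passive", peer_ip, int(m.group(2))
    return None


# Constructed sample control-channel lines (documentation address ranges)
SAMPLES = [
    b"PORT 192,0,2,10,195,80\r\n",                           # client, active mode
    b"227 Entering Passive Mode (198,51,100,5,19,137)\r\n",  # server, passive mode
    b"229 Entering Extended Passive Mode (|||5001|)\r\n",    # server, EPSV
    b"\x17\x03\x03\x00\x20\x8a\x91\xf3",                     # encrypted control traffic
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:48], "->", data_channel(s, "198.51.100.5"))
```

The first three lines yield an address and port the firewall could open; the encrypted one yields `None`, which is the case where the data connection is blocked.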
I had read Matt's msg, and I have SFTP working by sending the control channel traffic in the clear.
Maybe I should clarify. Remote users have the option of connecting to my FTP server either with standard FTP or SFTP. My two questions from the original post relate to normal FTP traffic and allowing that in PASV mode, which I think will then open up Internet Explorer to access my FTP server.