I could use a bit of assistance in getting FTPS working through my PIX. It seems that the control connection is encrypted and the firewall doesn't seem to be able to figure out what to do with the connection.
Would anyone happen to know a way around this issue?
Find a different product. There is no real standard for encrypting FTP, so a lot of vendors do it different ways. The PIX thus cannot have application-level proxies for it (the way it does for standard FTP) because the permutations are near infinite. It sounds like your application will probably dynamically assign ports, and thus not work well without opening them all up. Look for a solution that makes just one socket connection through one port - OpenSSH's scp does this, I am not sure if their sftp implementation does. WinSCP is a very good Windows GUI explorer-like scp application.
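To illustrate the reply above, the following added example (not part of the original post and not PIX code) is a simplified model of what an FTP-aware firewall does: it reads the cleartext control channel to learn the negotiated data port, and finds nothing to read once `AUTH TLS` has been issued. The addresses, ports and sample segments are constructed for the example.

```python
import re

# Patterns an FTP inspection engine looks for on the cleartext control
# channel to learn the data-connection endpoint (RFC 959 / RFC 2428).
PASV_RE = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.M)
EPSV_RE = re.compile(rb"^229 [^(]*\(\|\|\|(\d+)\|\)", re.M)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$", re.M)
AUTH_RE = re.compile(rb"^AUTH (TLS|SSL)\r?$", re.M | re.I)


def data_endpoint(payload: bytes, peer_ip: str):
    """Return (ip, port) announced in a control-channel segment, or None."""
    for rx in (PASV_RE, PORT_RE):
        m = rx.search(payload)
        if m:
            n = [int(x) for x in m.groups()]
            if any(v > 255 for v in n):
                return None  # malformed octet: do not open a pinhole
            return ".".join(map(str, n[:4])), n[4] * 256 + n[5]
    m = EPSV_RE.search(payload)
    if m and 0 < int(m.group(1)) < 65536:
        return peer_ip, int(m.group(1))  # EPSV reuses the control peer's address
    return None


def inspect(segments, peer_ip):
    """Return (pinholes learned, index of the segment where AUTH TLS was seen)."""
    pinholes, blind_after = [], None
    for i, seg in enumerate(segments):
        if blind_after is None and AUTH_RE.search(seg):
            blind_after = i  # later segments are TLS records, not FTP text
        ep = data_endpoint(seg, peer_ip)
        if ep:
            pinholes.append(ep)
    return pinholes, blind_after


# Constructed sample traffic (192.0.2.10 is a documentation address).
SERVER = "192.0.2.10"
PLAIN = [b"USER demo\r\n", b"PASV\r\n",
         b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"]
# After AUTH TLS the PASV reply travels inside a TLS application-data record.
ENCRYPTED = [b"AUTH TLS\r\n", b"234 Proceed with negotiation\r\n",
             b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))]

if __name__ == "__main__":
    print(inspect(PLAIN, SERVER))      # one pinhole learned from the 227 reply
    print(inspect(ENCRYPTED, SERVER))  # no pinholes; blind from segment 0 on
```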
Unfortunately, this type of connection is being dictated to us by our customers and the option to switch to a different solution isn't available. We do have some sftp implementations in place, and they are certainly preferred.
You've guessed correctly about the dynamically assigned ports. Is there any way I can narrow what I allow through a bit as opposed to allowing things to be wide open in both directions? In our scenario, it will be our users connecting to a client's ftp server out on the Internet.