Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ftp passive data ports

I have a question about how the PIX handles passive ports. I know that in a passive ftp conversation, when the client outside the pix requests a data connection on port 21 to a server in the dmz, the server responds with a semi-random port address above 1024 for the client to open a data connection to. The PIX monitors this conversation and dynamically opens the port for the client to connect to.

My question is, does the PIX modify the port number that the server sends? If the server tells the client to use port 1499, does the PIX just pass that port through, or does it PAT the port? What if it conflicts with another port already in use? Can it be restricted to a certain range of ports? Or, does it just do what the server requests?

Unfortunately, I don't have access to two sniffers at the remote client site to confirm this.

Any one have any ideas?



Community Member

Re: ftp passive data ports

Port redirection on a PIX ony occurs when you configure it, for example:

static (inside,outside) tcp ftp ftp netmask 0 0

The PIX will not modify the port number that the server sends, it will simply pass this traffic if permitted through the conduit or acl.

CreatePlease to create content