Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
0
Helpful
5
Replies

FTP Question

abruso
Level 1
Level 1

‎11-20-2003 12:23 PM - edited ‎03-09-2019 05:36 AM

Using a PIX 515E and I'm trying to create an FTP session over SSL.

I'm using WS-FTP FTP program. When using regular FTP I can connect to the remote site without any problems. If I try to connect using FTP/SSL, it stops at the "MLSD" process and gives me a "425 Can't open data connection."

Do I need to do anything special on the PIX in order to get this connection to work?

Labels:
0 Helpful
5 Replies 5

scoclayton
Level 7
Level 7

‎11-20-2003 02:18 PM

Hi,

The PIX (or really any NAT device) is not going to be able to support FTP/SSL. The reason for this is becuase the PIX does a lot of things with respect to ftp. One of the things it does is to look into the data portions (or more specifically the PORT command) and see which port the client is telling the server to connect back in on. The PIX then uses this info to open the necessary holes in the security policy. Since the data is encrypted in FTP/SSL, the PIX is not able to look into the payload portions and open the proper holes, etc... Hence your connections fail in the manner you described. Sorry but I hope this helps to explain matters.

Scott

0 Helpful

abruso
Level 1
Level 1
In response to scoclayton

‎11-20-2003 02:45 PM

Thank you Scott,

Do you, or anyone else for that matter, have any suggestions on how to make a secure FTP connection through the PIX?

0 Helpful

mostiguy
Level 6
Level 6
In response to abruso

‎11-20-2003 03:26 PM

The problem is that there is no standard - some people wrap ftp in ssl, a la https (which is much, much, much more standardized), others use sftp, which is more like ssh, etc.

FTP is a disaster - the multiple ports for the control and data channels leave a legacy of chaos. Thus, when you have various inoperable encryption+ftp solutions out there, there is no real way to expect firewalls to be able to proxy them all.

SCP, included with openssh, and some other programs, is like unix rcp encrypted with ssh, so it works through one port, tcp 22. openssh's sftp server might work the same way. SCP would probably be how I would do it on unix-like OS's

On windows, I would (and do) use https, and WEBDAV on IIS. webdav is an standard extension of http - you can browse files, explorer like in IE (mozilla/netscape don't support webdav yet), and cut and paste files to /from the webserver.

0 Helpful

abruso
Level 1
Level 1
In response to mostiguy

‎11-21-2003 12:59 PM

Unfortunately, the FTP server isn't under my control. We are the client, trying to connect our business partners web server. Trying to get them to use Webdav and such would be a hard task.

Thanks for the suggestions.

0 Helpful

hando
Level 1
Level 1
In response to abruso

‎11-20-2003 05:20 PM

Just wonder you have tried the no fixup protocol for ftp.

0 Helpful
Customers Also Viewed These Support Documents