Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

FTP Question

Using a PIX 515E and I'm trying to create an FTP session over SSL.

I'm using WS-FTP FTP program. When using regular FTP I can connect to the remote site without any problems. If I try to connect using FTP/SSL, it stops at the "MLSD" process and gives me a "425 Can't open data connection."

Do I need to do anything special on the PIX in order to get this connection to work?


Re: FTP Question


The PIX (or really any NAT device) is not going to be able to support FTP/SSL. The reason for this is becuase the PIX does a lot of things with respect to ftp. One of the things it does is to look into the data portions (or more specifically the PORT command) and see which port the client is telling the server to connect back in on. The PIX then uses this info to open the necessary holes in the security policy. Since the data is encrypted in FTP/SSL, the PIX is not able to look into the payload portions and open the proper holes, etc... Hence your connections fail in the manner you described. Sorry but I hope this helps to explain matters.


New Member

Re: FTP Question

Thank you Scott,

Do you, or anyone else for that matter, have any suggestions on how to make a secure FTP connection through the PIX?


Re: FTP Question

The problem is that there is no standard - some people wrap ftp in ssl, a la https (which is much, much, much more standardized), others use sftp, which is more like ssh, etc.

FTP is a disaster - the multiple ports for the control and data channels leave a legacy of chaos. Thus, when you have various inoperable encryption+ftp solutions out there, there is no real way to expect firewalls to be able to proxy them all.

SCP, included with openssh, and some other programs, is like unix rcp encrypted with ssh, so it works through one port, tcp 22. openssh's sftp server might work the same way. SCP would probably be how I would do it on unix-like OS's

On windows, I would (and do) use https, and WEBDAV on IIS. webdav is an standard extension of http - you can browse files, explorer like in IE (mozilla/netscape don't support webdav yet), and cut and paste files to /from the webserver.

New Member

Re: FTP Question

Unfortunately, the FTP server isn't under my control. We are the client, trying to connect our business partners web server. Trying to get them to use Webdav and such would be a hard task.

Thanks for the suggestions.

New Member

Re: FTP Question

Just wonder you have tried the no fixup protocol for ftp.