New Member

Passive FTP through PIX 515e ver 7

On the PIX I have "ftp mode passive" and "inspect ftp" enabled. I also have OUTSIDE ACL rules allowing access to the ftp-server for eq ftp and eq ftp-data. In my efforts to get passive ftp working, I also have a DMZ ACL rule allowing the ftp-server access out for eq ftp and eq ftp-data (most probably not needed). When I watch the connection logs on my ftp client it does not make a passive connection. I watch the connection being established through the ASDM log entries on the PIX and I can see the session being set up for what appears to be active ftp only (ports 20 & 21); I cannot see any high ports being connected either on the PIX or in the connection log of the ftp client. Is there anything more that has to be enabled on the PIX to help establish passive ftp, or should I be looking at the ftp-server? Not sure.

4 REPLIES
Cisco Employee

Re: Passive FTP through PIX 515e ver 7

Maybe the FTP server is set like that. Or perhaps try removing the ip inspect ftp and see what the difference is.

New Member

Re: Passive FTP through PIX 515e ver 7

I have tried removing "inspect ftp" and other settings that I believe relate to ftp but that has made no difference.

This is basically what I have set on the PIX with respect to ftp:

ftp mode passive
access-list DMZ extended permit tcp object-group x.x.x.x any eq ftp
access-list DMZ extended permit tcp object-group x.x.x.x any eq ftp-data
(this DMZ ACL is probably not required)
access-list OUTSIDE extended permit tcp any object-group x.x.x.x eq ftp
access-list OUTSIDE extended permit tcp any object-group x.x.x.x eq ftp-data
inspect ftp
class-map FTP-DATA
 match port tcp eq ftp-data
class FTP-DATA
 police 1000000 1500000

Is there any way of seeing if the PIX is blocking the high ports?

Cisco Employee

Re: Passive FTP through PIX 515e ver 7

Simply turn on logging and do "show log"; the log will capture anything that is denied.

thanks

Nadeem

New Member

Re: Passive FTP through PIX 515e ver 7

Add an entry to the outbound ACL:

access-list xxxxx permit tcp any any gt 1024

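The thread turns on one mechanism: in passive mode the server announces a dynamic high port on the tcp/21 control channel and the client then connects to it, so a firewall that permits only ftp and ftp-data never sees that port unless it inspects the control channel and opens a pinhole for that one flow. The script below is an added example, not code from the thread or from Cisco: it parses the two passive-mode replies (RFC 959 "227" and RFC 2428 "229"), works out the data port the client will use, and contrasts the single pinhole an inspector would open with what the "permit tcp any any gt 1024" workaround from the last reply permits. All addresses are RFC 5737 documentation addresses and the replies are constructed samples.

```python
"""Added example (not from the thread): how a stateful firewall learns the
passive-FTP data port, and what "permit tcp any any gt 1024" exposes instead.

Addresses are RFC 5737 documentation addresses; replies are constructed.
"""
import re
from ipaddress import ip_address

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(
    r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"; no address carried
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply, control_peer):
    """Return (host, port) the client will connect to for the data channel."""
    m = PASV_RE.match(reply)
    if m:
        fields = [int(m.group(i)) for i in range(1, 7)]
        if any(f > 255 for f in fields):
            raise ValueError("PASV field out of range: %r" % reply)
        host = ".".join(str(f) for f in fields[:4])
        ip_address(host)  # raises on a malformed address
        return host, fields[4] * 256 + fields[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("EPSV port out of range: %r" % reply)
        # EPSV carries no address; the client reuses the control-channel peer.
        return control_peer, port
    raise ValueError("not a passive-mode reply: %r" % reply)


def blanket_gt1024_permits(port):
    """The 'access-list ... permit tcp any any gt 1024' approach: any source,
    any destination, any port above 1024, with no tie to an FTP session."""
    return port > 1024


def evaluate(client_ip, control_peer, reply):
    """Decide what an FTP inspector would open for one passive-mode reply.

    Returns the single pinhole it would add (or None plus the reason it
    refused), and whether the blanket high-port rule would also have let
    the same data connection through.
    """
    host, port = parse_passive_reply(reply, control_peer)
    result = {
        "pinhole": None,
        "reason": "",
        "blanket_gt1024_permits": blanket_gt1024_permits(port),
    }
    if host != control_peer:
        # Classic failure: a server behind NAT advertises its private address.
        # The inspector should fix up or refuse the reply rather than open a
        # hole toward an address the client never spoke to.
        result["reason"] = "PASV address %s differs from control peer %s" % (
            host, control_peer)
        return result
    result["pinhole"] = {"proto": "tcp", "src": client_ip,
                         "dst": host, "dport": port}
    result["reason"] = "opened for this session only"
    return result


if __name__ == "__main__":
    CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
    samples = [
        "227 Entering Passive Mode (192,0,2,10,195,80).",  # port 50000
        "229 Entering Extended Passive Mode (|||51000|)",
        "227 Entering Passive Mode (192,0,2,10,3,232).",   # port 1000, below 1024
        "227 Entering Passive Mode (10,0,0,5,195,80).",    # private address leaked
    ]
    for s in samples:
        print(s, "->", evaluate(CLIENT, SERVER, s))
```

The third sample is the case the blanket rule gets wrong in the other direction: a server configured with a passive range below 1024 is denied by "gt 1024" but would be handled by inspection, and the fourth shows why an inspector must compare the advertised address with the control-channel peer before opening anything.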