I just bought a new PIX501 to replace an existing Linksys NAT box. Behind the NAT box, I run ServU FTP and it is configured to run passive mode in port range 60000 to 60040. Now, I want to configure the PIX to take care of FTP passive mode; I got as far as the following commands.

access-list FTPonly permit tcp any object-group passive_mode interface outside object-group passive_mode (object-group port range = 60000 - 60040)
The PIX firewall is able to handle passive FTP connections through the 'fixup protocol ftp 21' command which is on by default. The PIX requires an access list and static for connection to the command port of 21 on the server and statics for each of the data ports 60000-60040 (unfortunately, there is no range command for port redirection statics on the 501). The PIX will create a dynamic ACE for the data port in use provided by the PASV response packet.
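As an added illustration (not from any poster in this thread) of what the fixup relies on and why the 501 needs one static per data port: a small Python helper that parses the PASV reply the PIX inspects, checks the advertised data port against the 60000-60040 range from the original post, and emits the per-port static lines. The inside server address 10.1.1.5 is a constructed placeholder, and the generated lines use the PIX 6.x `static (inside,outside) tcp interface ...` port-redirection form.

```python
import re
from ipaddress import IPv4Address

# Constructed values for this example: the passive range from the original
# post and a hypothetical inside address for the ServU server.
PASV_RANGE = (60000, 60040)
FTP_SERVER_INSIDE = "10.1.1.5"

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -- data port is p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return (ip, port) from a PASV reply, or None if it is not well formed.

    This is the same information the PIX fixup extracts from the PASV
    response before it opens a dynamic ACE for the data connection.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # out-of-range octet or port byte: reject the reply
    ip = IPv4Address(".".join(str(o) for o in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return str(ip), port


def pasv_port_allowed(reply: str, port_range=PASV_RANGE) -> bool:
    """True only if the advertised data port lies inside the configured range."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    lo, hi = port_range
    return lo <= parsed[1] <= hi


def pix_statics(inside_ip: str, port_range=PASV_RANGE):
    """One port-redirection static for port 21 and for each data port.

    The 501 has no range form for port statics, so each port gets its own line.
    """
    lo, hi = port_range
    ports = [21] + list(range(lo, hi + 1))
    return [
        f"static (inside,outside) tcp interface {p} {inside_ip} {p} netmask 255.255.255.255"
        for p in ports
    ]
```

Feed `parse_pasv` the 227 line captured from the control channel to confirm the server really advertises a port inside the range you opened; a port outside it is exactly the case the ACL and statics will drop.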
I have used a 515E in front of ServU before...however I did not have to specify static port maps for the PASV range since we had a Public IP just for the FTP server. A static internal/external IP translation took care of all ports destined for it. We only had to open up port 21 and a small range of passive ports in the ACL. I can't vouch for strictly using port mapping on the outside interface such as in your case.
If I re-covered any ground for you, I apologize...just going off your post.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: