Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX 501 - FTP Passive Mode

Hello,

I just bought a new PIX501 to replace an existing linksys NAT box. Behind the NAT box, I run ServU ftp and it's is configured to run passive mode in port range 60000 to 60040. Now, i want to configure the PIX to take care of ftp passive mode, i got as far as the following commands.

access-list FTPonly permit tcp any object-group passive_mode interface outside o

bject-group passive_mode (object-group port range = 60000 - 60040)

static (inside,outside) tcp 444.333.222.1 60000 192.168.5.111 60000 netmask 25

5.255.255.255 0 0

static (inside,outside) tcp 444.333.222.1 60001 192.168.5.111 60001 netmask 25

5.255.255.255 0 0 (192.168.5.111 = ftp server)

.......up to port 60040 with static commands.

When i tried to use the PIX, ftp passive mode did not work. What do you think?

plus, is there a command to apply static on range of ports as supposed to single port.

Thanks,

Travis.

3 REPLIES
New Member

Re: PIX 501 - FTP Passive Mode

Hi Travis,

The PIX firewall is able to handle passive FTP connections through the 'fixup protocol ftp 21' command which is on by default. The PIX requires an access list and static for connection to the command port of 21 on the server and statics for each of the data ports 60000-60040 (unfortunately, there is no range command for port redirection statics on the 501). The PIX will create a dynamic ACE for the data port in use provided by the PASV response packet.

http://www.ciscopress.com/articles/article.asp?p=24685&rl=1

Cheers,

Paul.

New Member

Re: PIX 501 - FTP Passive Mode

Hi Paul,

object-group service passive_mode tcp

port-object range 60000 60040

access-list FTPonly permit tcp any host 444.333.222.111 eq ftp

access-list FTPonly permit tcp any object-group passive_mode interface outside o

bject-group passive_mode

static (inside,outside) tcp 444.333.222.111 ftp 192.168.5.111 ftp netmask 255.25

5.255.255 0 0

static (inside,outside) tcp 444.333.222.111 60000 192.168.5.111 60000 netmask 255.

255.255.255 0 0

static (inside,outside) tcp 444.333.222.111 60001 192.168.5.111 60001 netmask 255.

255.255.255 0 0

static (inside,outside) tcp 444.333.222.111 60002 192.168.5.111 60002 netmask 25

....up to 60040 with static commands

access-group FTPonly in interface outside

will the above commands work? how do you write dynamic ACE?

Thanks,

Travis.

New Member

Re: PIX 501 - FTP Passive Mode

Travis,

In addition to what Paul said, on ServU make sure all your options are checked including the specified PASV port range. In addtion, double check this link:

http://rhinosoft.com/KBArticle.asp?RefNo=1044∏=su

I have used a 515E in front of ServU before...however I did not have to specify static port maps for the PASV range since we had a Public IP just for the FTP server. A static internal/external IP translation took care of all ports destined for it. We only had to open up port 21 and a small range of passive ports in the ACL. I can't vouch for strictly using port mapping on the outside interface such as in your case.

If I re-covered any ground for you, I apologize...just going off your post.

Kyle

1227
Views
0
Helpful
3
Replies
CreatePlease to create content