Pix Firewall and passive FTP

apaxson
Level 1

How can I use passive FTP through the Pix Firewall?? I've tried everything to get this to work. I've tried using established commands. I've tried using conduit commands enabling all the high ports back to the originating host (1024-65535). Nothing is working.

However, once I do "no fixup protocol ftp" it works just fine. However, our other FTP operations fail when I do this. Is there any way I can get these two functions to work through our PIX?

Huge thanks in advance. My company is very dependent on these services.

Aaron Paxson

IT Systems Analyst

Decorative Concepts

5 Replies

apaxson
Level 1

Anyone have any ideas?

Hi, have you tried a range of ports for fixup to inspect? Something like:

fixup protocol ftp 21-65535

I'm not sure if this will inspect all traffic leaving on those ports though.

Anyone else?

No, I haven't tried the range of ports. Just 21. I'll do that and see what happens.

I have found out some other information. In going through my logs I have this:

8:08:02am %PIX-6-302001: Built outbound TCP connection xxxxxx for faddr a.b.c.d/80 gaddr

8:08:02am %PIX-5-304001: Accessed URL a.b.c.d:/filename.cab

8:08:02am %PIX-6-302002: Teardown TCP connection xxxxx faddr a.b.c.d/80 gaddr

8:08:02am %PIX-5-106015: Deny TCP (no connection) from a.b.c.d/80 to flags PSH ACK

It looks like the PIX tears down the connection before I'm finished. Any reason why? Is there a timeout issue going on? This has been working for a few months now. I had to turn off our PIX's to move them to a new location, and then brought them back up. The contents of the memory were saved. I'm having the hardest time trying to figure this out.

6a.araishy
Level 1

When you do the no ftp fixup protocol, you are disabling the ftp server to open the ftp data connection to the client to establish the data connections. If you want both port mode and passive mode to work at the same time, add an access list that specifically allows the ftp servers to open data connection from port 21 to the clients, good luck.
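The point of the replies above is that the PIX's FTP fixup reads the control channel on port 21 to learn which dynamic data connection to permit: for an active (PORT) transfer the server connects back from port 20 to the port the client advertised, and for a passive (PASV) transfer the client opens a new connection to the address and port in the server's 227 reply. The script below is an added teaching model of that inspection step, not Cisco's code or anything posted in this thread; the addresses, ports and control-channel transcript are constructed, and the `ok` flag is this example's own sanity check (the advertised address must match the real peer, and the port must be above 1023), which is exactly the case a NAT-unaware server breaks when inspection is turned off.

```python
"""Simplified model of what an FTP inspection engine ("fixup protocol ftp") does:
watch the control channel, parse the PORT command or the 227 PASV reply, and
derive the single data connection that the firewall must pin-hole.

Added example: a teaching model, not the PIX implementation. All addresses,
ports and transcript lines are constructed."""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": server tells client where to connect.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2": client tells server where to connect back to.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def decode_host_port(groups):
    """Turn the six FTP octets into (ip, port); port = p1 * 256 + p2."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("FTP address octet out of range")
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


def pinhole_for(line, client_ip, server_ip):
    """Return the data-channel pinhole implied by one control-channel line, or None.

    Passive: client opens a new connection to the address the server advertised.
    Active:  server connects from port 20 to the address the client advertised.
    'ok' is False when the advertised address is not the real peer (a NAT-unaware
    endpoint leaking its private address) or the port is privileged.
    """
    m = PASV_RE.match(line)
    if m:
        host, port = decode_host_port(m.groups())
        return {"mode": "passive", "src": client_ip, "dst": host, "dport": port,
                "ok": host == server_ip and port >= 1024}
    m = PORT_RE.match(line)
    if m:
        host, port = decode_host_port(m.groups())
        return {"mode": "active", "src": server_ip, "sport": 20, "dst": host,
                "dport": port, "ok": host == client_ip and port >= 1024}
    return None


def pinholes_from_transcript(lines, client_ip, server_ip):
    """Walk a whole control-channel transcript and collect every implied pinhole."""
    return [p for p in (pinhole_for(l, client_ip, server_ip) for l in lines) if p]


# Constructed transcript: one passive transfer, one active transfer, and one
# PASV reply in which the server (behind NAT) advertised its private address.
TRANSCRIPT = [
    "USER anonymous",
    "230 Login successful",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,19,137)",  # 19*256+137 = 5001
    "RETR filename.cab",
    "PORT 198,51,100,20,4,1",                           # 4*256+1 = 1025
    "200 PORT command successful",
    "227 Entering Passive Mode (10,1,1,5,19,138)",      # private address leaked
]

if __name__ == "__main__":
    for p in pinholes_from_transcript(TRANSCRIPT, "198.51.100.20", "203.0.113.10"):
        print(p)
```

Running it prints three pinholes: a passive one to 203.0.113.10:5001, an active one from the server's port 20 to 198.51.100.20:1025, and a third passive entry flagged `ok: False` because the advertised 10.1.1.5 is not the server the client is actually talking to. Without inspection, a static rule can only approximate this by opening the whole 1024-65535 range, which is why the `no fixup protocol ftp` approach trades one working transfer mode for the other.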

Thank you very much for your response! That makes a lot of sense. Would I also use a conduit command opening up the port back through the firewall, or would I just need an access-list? I have one access-list applied to my inside interface, and use conduit commands to come back through the firewall into my private network.

Thanks for the response!

Aaron
