Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Pix Firewall and passive FTP

How can I use passive FTP through the Pix Firewall?? I've tried everything to get this to work. I've tried using established commands. I've tried using conduit commands enabling all the high ports back to the originating host (1024-65535). Nothing is working.

However, once I do "no fixup protocol ftp" it works just fine. However, our other FTP operations fail when I do this. Is there any way I can get these two functions to work through our PIX?

Huge thanks in advance. My company is very dependant on these services.

Aaron Paxson

IT Systems Analyst

Decorative Concepts

New Member

Re: Pix Firewall and passive FTP

Anyone have any ideas??


Re: Pix Firewall and passive FTP

Hi, have you tried a range of ports for fixup to inspect? Something like......

fixup protocol ftp 21-65535

I'm not sure if this will inspect all traffic leaving on those ports though.

Anyone else?

New Member

Re: Pix Firewall and passive FTP

No, I haven't tried the range of ports. Just 21. I'll do that and see what happens.

I have found out some other information. In going through my logs I have this:

8:08:02am %PIX-6-302001: Built outbound TCP connection xxxxxx for faddr a.b.c.d/80 gaddr

8:08:02am %PIX-5-304001: Accessed URL a.b.c.d:/

8:08:02am %PIX-6-302002: Teardown TCP connection xxxxx faddr a.b.c.d/80 gaddr

8:08:02am %PIX-5-106015: Deny TCP (no connection) from a.b.c.d/80 to flags PSH ACK

It looks like the PIX tears down the connection before I'm finished. Any reason why? Is there a timeout issue going on? This has been working for a few months now. I had to turn off our PIX's to move them to a new location, and then brought them back up. The contents of the memory were saved. I'm having the hardest time trying to figure this out.

New Member

Re: Pix Firewall and passive FTP

When you do the no ftp fixup ptotocol, you are disabling the ftp server to open the ftp data connection to the client to establish the data connections. If you want both port mode and passive mode to work at the same time. add an access list that specifically allow the ftp servers to open data connection from port 21 to the clients, good luck.

New Member

Re: Pix Firewall and passive FTP

Thank you very much for your response! That makes alot of sense. Would I also use a conduit command opening up the port back through the firewall, or would I just need an access-list? I have one access-list applied to my inside interface, and use conduit commands to come back through the firewall into my private network.

Thanks for the response!


CreatePlease login to create content