topic Question about passive ftp trough the pix in Network Security

Question about passive ftp trough the pix

jenseike — Fri, 21 Feb 2020 08:23:09 GMT

I have a ftp-server on the inside of a pix 515 that are giving services to the public clients on the outside. My goal is to only open up for passive ftp (active-ftp should not be allowed) I have tried sevral things, but they all seems to also open up for active-ftp.. Can sombody please let me know what exactly to do to only allow for passive-ftp on the pix. I have no edge routers on the outside of the pix, so all config need to be done on hte firewall.

Thanks in advanvce

Re: Question about passive ftp trough the pix

mehrdad — Sun, 11 Sep 2005 07:14:39 GMT

as you know in the active ftp mode the server uses tcp port number 20 for data channel and it initiates this channel to client so you should deny any packets from the ftp server which has source tcp port 20 then users have to connect to inside ftp server from outside through passive mode.

Re: Question about passive ftp trough the pix

jenseike — Sun, 11 Sep 2005 07:27:23 GMT

Hi..

As you surly know the pix are stopping all traffic by default from outside to inside. When I allow only port 21 from the ftp-server as this :

STATIC (INSIDE, OUTSIDE) NETMASK 255.255.255.255

ACCESS-LIST OUT-IN PERMIT TCP EQ 21

ACCESS-GROUP OUT-IN IN INTERFACE OUTSIDE

You would think that this would stop active ftp, but it still seems to work, so what other config do I need to do on the pix to achive only passive.

I would also appreaciate that configs was shown to me also..

I know the basic of active and passive ftp, so that is no problem, I just need to know how to do this in practice..

Re: Question about passive ftp trough the pix

mehrdad — Sun, 11 Sep 2005 07:45:27 GMT

pls check this out as well:

ACCESS-LIST IN-IN DENY TCP EQ 20

ACCESS-GROUP IN-IN IN INTERFACE INSIDE

Re: Question about passive ftp trough the pix

jenseike — Sun, 11 Sep 2005 08:20:06 GMT

Hi again

I dont realy think that this will enhance the security, because the source port does not really matter. All what really mater is securing the inside destination "server" ports. You dont want to allow the client to access resources on TCP ports 1-1023 except 21.

So what can we do to stop active ftp-request to the server ports? I dont think that this will be solved with only using acl stopping things, but that we need something more

Re: Question about passive ftp trough the pix

mehrdad — Sun, 11 Sep 2005 08:33:58 GMT

Sniffer Trace Illustrating standard (or Active) Mode FTP :

http://www.ciscopress.com/content/images/chap9_1587050358/elementLinks/09fig01.gif

#Setup connection to destination port 21 for control channel

[10.10.2.51] [198.133.219.27] TCP: D=21 S=1065 SYN SEQ=1763920874 LEN=0

[198.133.219.27] [10.10.2.51] TCP: D=1065 S=21 SYN ACK=1763920875 SEQ=2208726475 LEN=0

[10.10.2.51] [198.133.219.27] TCP: D=21 S=1065 ACK=2208726476

#FTP server negotiates FTP-DATA channel with TCP source port 20

[10.10.2.51] [198.133.219.27] FTP: C PORT=1065 LIST

[198.133.219.27] [10.10.2.51] TCP: D=1066 S=20 SYN SEQ=2209373687 LEN=0

[10.10.2.51] [198.133.219.27] TCP: D=20 S=1066 SYN ACK=2209373688 SEQ=1765279364 LEN=0

[198.133.219.27] [10.10.2.51] TCP: D=1065 S=21 ACK=1763920967

[198.133.219.27] [10.10.2.51] TCP: D=1066 S=20 ACK=1765279365

[198.133.219.27] [10.10.2.51] FTP: R PORT=1065 150 ASCII mode data connection for /bin/ls.

[198.133.219.27] [10.10.2.51] FTP: R PORT=1066 Text Data

http://www.ciscopress.com/articles/article.asp?p=24685

Re: Question about passive ftp trough the pix

jenseike — Sun, 11 Sep 2005 08:46:25 GMT

Yes, and...??+

Re: Question about passive ftp trough the pix

mehrdad — Sun, 11 Sep 2005 09:00:09 GMT

look at the link (picture) which i wrote to my last post so if you deny any packets with source port tcp #20 from server to client or if you deny any packets with destination port tcp #20 from client to server then the active/standard ftp will be disabled for those clients.

note in active mode ftp server initiates a data channel from itself (initiate from inside) with tcp port #20 to client (client listen to specify port)

Re: Question about passive ftp trough the pix

jenseike — Sun, 11 Sep 2005 09:32:49 GMT

Ok... I will try to test with denying the server respond from port 20 and see if it works, if there are any other suggestion that will also gladly be appreachiated..

Thanks for your responses

Re: Question about passive ftp trough the pix

pwicks — Sun, 11 Sep 2005 21:20:50 GMT

Do you have the FTP fixup enabled on port 21? According to the Cisco Secure Pix Firewall Advance (CSPFA Second Edition) study guide, if the "fixup protocol ftp" command is not enabled, inbound standard FTP works (with a properly configured conduit or ACL) and passive FTP does not work properly.

Standard mode FTP will also work if you allow all traffic from the Inside or DMZ networks out through the Pix if the Inside or DMZ segments do not have access lists on them. See the link below for a short primer on FTP and the Pix. It should have the information on the page that will help you resolve your issue.

http://www.ciscopress.com/articles/article.asp?p=24685&rl=1

Re: Question about passive ftp trough the pix

jenseike — Mon, 12 Sep 2005 03:13:54 GMT

Well, I my question was how to enable passive ftp from clients from outside to inside ftp server. I know whery well how the fixup command works, and I know whery well how ftp works. I was wondering what the trick was to get passive ftp working on with the pix without also enabling active.

Re: Question about passive ftp trough the pix

jenseike — Mon, 12 Sep 2005 17:11:20 GMT

Hey man...

I tested your solution and it did not work... FTP was nto able to open data channel in to the server..

If i open high port over 1023 it was able to find the data channel inn, so to me it looks like the fixup protocol dont work from outside..

Any more suggestion would be appreaciated..