<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic PIX and FTP in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384237#M554747</link>
    <description>&lt;P&gt;We have a PIX 525, running 5.0(2), in our network. For as long as I can remember, workstations behind the PIX were able to connect to FTP servers on the Internet using either active or passive FTP. We rebooted the PIX recently (which had been up for a very long time), and now workstations can only use active. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have the fixup protocol ftp 21 in our configuration. If I change that to "no fixup...", then workstations can only use passive. Because we have some applications that require passive and others that require active, I need to get it back to being able to do both at the same time. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We don't have any FTP servers behind the PIX, so I am not concerned about that. I'm puzzled why this is an issue. Because the connections originate behind the PIX, I would think this should not be an issue. I would think the fixup protocol ftp 21 would only be an issue for incoming traffic. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any and all assistance will be greatly appreciated. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Daris &lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 07:45:15 GMT</pubDate>
    <dc:creator>dbouthillier</dc:creator>
    <dc:date>2020-02-21T07:45:15Z</dc:date>
    <item>
      <title>PIX and FTP</title>
      <link>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384237#M554747</link>
      <description>&lt;P&gt;We have a PIX 525, running 5.0(2), in our network. For as long as I can remember, workstations behind the PIX were able to connect to FTP servers on the Internet using either active or passive FTP. We rebooted the PIX recently (which had been up for a very long time), and now workstations can only use active. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have the fixup protocol ftp 21 in our configuration. If I change that to "no fixup...", then workstations can only use passive. Because we have some applications that require passive and others that require active, I need to get it back to being able to do both at the same time. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We don't have any FTP servers behind the PIX, so I am not concerned about that. I'm puzzled why this is an issue. Because the connections originate behind the PIX, I would think this should not be an issue. I would think the fixup protocol ftp 21 would only be an issue for incoming traffic. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any and all assistance will be greatly appreciated. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Daris &lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:45:15 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384237#M554747</guid>
      <dc:creator>dbouthillier</dc:creator>
      <dc:date>2020-02-21T07:45:15Z</dc:date>
    </item>
    <item>
      <title>Re: PIX and FTP</title>
      <link>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384238#M554749</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I have not found any detailed description for the fixup protocol in the 5.0 Command Reference; here is an explanation from the 6.3 PIX OS Command Reference.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;fixup protocol ftp&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Use the fixup protocol ftp command to specify the listening port or ports for the File Transfer Protocol (FTP). The following list describes the features and usage of this command:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;#149;The PIX Firewall listens to port 21 for FTP by default.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;#149;Multiple ports can be specified.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;#149;Only specify the port for the FTP control connection and not the data connection. The PIX Firewall stateful inspection will dynamically prepare the data connection as necessary. For example, the following is incorrect:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;INCORRECT&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;fixup protocol ftp 21&lt;/P&gt;&lt;P&gt;fixup protocol ftp 20&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;and the following is correct:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;CORRECT = fixup protocol ftp 21&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;#149;Use caution when moving FTP to a higher port. For example, if you set the FTP port to 2021 by entering fixup protocol ftp 2021, all connections that initiate to port 2021 will have their data payload interpreted as FTP commands.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The following is an example of a fixup protocol ftp command configuration that uses multiple FTP fixups:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;: For a PIX Firewall with two interfaces&lt;/P&gt;&lt;P&gt;ip address outside 192.168.1.1 255.255.255.0&lt;/P&gt;&lt;P&gt;ip address inside 10.1.1.1 255.255.255.0&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;: There is an inside host 10.1.1.15 that will be exported as 192.168.1.15. This host runs the FTP services at port 21 and 1021&lt;/P&gt;&lt;P&gt;static (inside, outside) 192.168.1.15 10.1.1.15&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;: Construct an access list to permit inbound FTP traffic to port 21 and 1021&lt;/P&gt;&lt;P&gt;access-list outside permit tcp any host 192.168.1.15 eq ftp&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;access-list outside permit tcp any host 192.168.1.15 eq 1021&lt;/P&gt;&lt;P&gt;access-group outside in interface outside&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;: Specify that traffic to port 21 and 1021 are FTP traffic&lt;/P&gt;&lt;P&gt;fixup protocol ftp 21&lt;/P&gt;&lt;P&gt;fixup protocol ftp 1021&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The strict option in the fixup protocol ftp command performs two separate functions:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;#149;The strict option prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&amp;#149;The strict option also prevents the PIX from opening up return connections based solely on the information sent in the PORT command. The strict option enables the PIX to make sure a successful reply is sent from the server in addition to the PORT command before opening the connection. If an error is seen, the PORT command is ignored by the PIX and the connection is never established. This keeps the PIX from opening data connections for communication that will never occur.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;See:&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094885.shtml" target="_blank"&gt;http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094885.shtml&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379" target="_blank"&gt;http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379&lt;/A&gt;&lt;/P&gt;&lt;P&gt; &lt;/P&gt;&lt;P&gt;sincerely&lt;/P&gt;&lt;P&gt;Patrick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 17 Nov 2004 18:31:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384238#M554749</guid>
      <dc:creator>Patrick Iseli</dc:creator>
      <dc:date>2004-11-17T18:31:02Z</dc:date>
    </item>
    <item>
      <title>Re: PIX and FTP</title>
      <link>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384239#M554750</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;By the way, it might be a good idea to upgrade your software version!!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;See:&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/upgrade.shtml" target="_blank"&gt;http://www.cisco.com/warp/public/110/upgrade.shtml&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;sincerely&lt;/P&gt;&lt;P&gt;Patrick&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 17 Nov 2004 18:32:19 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384239#M554750</guid>
      <dc:creator>Patrick Iseli</dc:creator>
      <dc:date>2004-11-17T18:32:19Z</dc:date>
    </item>
    <item>
      <title>Re: PIX and FTP</title>
      <link>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384240#M554751</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Seems this was a bug in 5.0(2), fixed in 5.0(3).  Certain other constraints were preventing an upgrade to 6.3.  Looks like we will see if we can upgrade to 5.2(3) without breaking anything.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 17 Nov 2004 19:50:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384240#M554751</guid>
      <dc:creator>dbouthillier</dc:creator>
      <dc:date>2004-11-17T19:50:04Z</dc:date>
    </item>
    <item>
      <title>Re: PIX and FTP</title>
      <link>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384241#M554752</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The upgrade to 5.2(3) fixed this issue.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 22 Nov 2004 17:20:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-and-ftp/m-p/384241#M554752</guid>
      <dc:creator>dbouthillier</dc:creator>
      <dc:date>2004-11-22T17:20:02Z</dc:date>
    </item>
  </channel>
</rss>

