https://community.cisco.com/t5/network-security/secure-ftp-through-pix-firewall/m-p/207871#M605422 <P>We are trying to do Secure FTP to a server on port 21 through our PIX Firewall running 6.2(2). I have the "fixup protocol ftp 21" statement in the PIX. I can see the connection begin on port 21 but then I see the traffic getting blocked in my syslog. The traffic that is getting denied is between the workstation and the server both talking on high ports. I am wondering if the fixup cannot detect which high ports the conversation is moving to because the traffic is encrypted? Has anyone else worked with this or been able to get Secure FTP to work through the PIX?</P><P></P><P>Thanks,</P><P>Deanna</P> Fri, 21 Feb 2020 06:46:24 GMT Deanna 2020-02-21T06:46:24Z https://community.cisco.com/t5/network-security/secure-ftp-through-pix-firewall/m-p/207871#M605422 <P>We are trying to do Secure FTP to a server on port 21 through our PIX Firewall running 6.2(2). I have the "fixup protocol ftp 21" statement in the PIX. I can see the connection begin on port 21 but then I see the traffic getting blocked in my syslog. The traffic that is getting denied is between the workstation and the server both talking on high ports. I am wondering if the fixup cannot detect which high ports the conversation is moving to because the traffic is encrypted? Has anyone else worked with this or been able to get Secure FTP to work through the PIX?</P><P></P><P>Thanks,</P><P>Deanna</P> Fri, 21 Feb 2020 06:46:24 GMT https://community.cisco.com/t5/network-security/secure-ftp-through-pix-firewall/m-p/207871#M605422 Deanna 2020-02-21T06:46:24Z https://community.cisco.com/t5/network-security/secure-ftp-through-pix-firewall/m-p/207872#M605423 <HTML><HEAD></HEAD><BODY><P>Deanna,</P><P></P><P>You are correct in your thinking, the fixup cannot track the high port allocated by the PORT statement over the encrypted data channel.</P><P></P><P>I was reading yesterday the ftp fixup details for 6.3, there was no mention of support for any form of secure FTP. Even more confusing I see there are 2 types of secure FTP, one based on SSL, the other on SSH2.</P><P></P><P>Andy</P><P></P></BODY></HTML> Fri, 30 May 2003 13:14:14 GMT https://community.cisco.com/t5/network-security/secure-ftp-through-pix-firewall/m-p/207872#M605423 aacole 2003-05-30T13:14:14Z https://community.cisco.com/t5/network-security/secure-ftp-through-pix-firewall/m-p/207873#M605424 <HTML><HEAD></HEAD><BODY><P>Is there a passive option you can use with the Secure FTP?</P></BODY></HTML> Fri, 30 May 2003 14:20:51 GMT https://community.cisco.com/t5/network-security/secure-ftp-through-pix-firewall/m-p/207873#M605424 michaand 2003-05-30T14:20:51Z https://community.cisco.com/t5/network-security/secure-ftp-through-pix-firewall/m-p/207874#M605425 <HTML><HEAD></HEAD><BODY><P>I use SFTP via SSH / OpenSSH through the PIX (501 / 6.2(2) and 6.31) with no problems. </P><P></P><P>Also, if you allow it, other protocols can be tunneled as well. </P><P></P><P>Check out the info at OpenSSH.org, VanDyke.com (SecureCRT and other SSH applications), or F-Secure (fsecure.com, I think).</P><P></P><P>BTW: SSH will run everything through port TCP/22.</P><P></P><P>Good Luck</P><P>Scott</P><P></P></BODY></HTML> Fri, 30 May 2003 14:58:20 GMT https://community.cisco.com/t5/network-security/secure-ftp-through-pix-firewall/m-p/207874#M605425 scottmac 2003-05-30T14:58:20Z