topic Re: ftp through a pix in Network Security

ftp through a pix

pjosephs — Fri, 21 Feb 2020 06:13:21 GMT

I have configured a pix for ftp access to a dmz containing an AS400. Although all access lists and static are in place I keep getting a deny for the ftp-data port 20.

I seem to remember reading somewhere something about ftp via the pix causing issues with data transfer. Any ideas

Re: ftp through a pix

mtumarinson — Thu, 29 Aug 2002 16:15:05 GMT

Are you using AAA authentication and what version of pix software are you running?

Re: ftp through a pix

thong.do — Thu, 29 Aug 2002 19:12:35 GMT

Do you use NAT ? NAT might cause this problem .

Do you try to use fixup command yet?

Re: ftp through a pix

pjosephs — Thu, 29 Aug 2002 19:17:08 GMT

not using AAA and the version of software is 6.2 I've experienced this same problem on earlier versions

Re: ftp through a pix

martin.law — Fri, 30 Aug 2002 14:50:56 GMT

FTP is a wierd animal when it comes to Cisco ACL or PIX

Normally you would do:

access-list acl1 permit tcp any host FTPSERVER eq ftp

however to get it to work you need to change the order of the command so it looks like this:

access-list acl1 permit tcp any eq ftp host FTPSERVER

The same applies to SNMP and probably other things. A Cisco engineer tried to explain it to me but I don't think he understood it either. If anyone out there can explain then please - give it a go.

Re: ftp through a pix

gsatchivi — Fri, 30 Aug 2002 18:04:03 GMT

I don't know What your set up looks like but take this for example.

Your ftp server is on the dmz intf with ip 10.10.20.11

You have a network on the inside interface of your Pix. The net is 10.20.10.0 /24. You want everyone on that net to be able to use the ftp server.

Provided that all preliminary configs are working fine, here is what your config should look like.

configure an access-list that you will apply to nat (0) so that traffic between the two segments does not get natted.

access-list 100 permit ip 10.20.10.0 255.255.255.0 10.10.20.11 255.255.255.255

apply this to nat (0):

nat (inside) 0 access-list 100

Now you will configure a conduit to allow bi-directional communicatiion between the two segment:

conduit permit tcp 10.20.10.0 255.255.255.0 host 10.10.20.11 eq ftp

If communication is to be initiated from the lower security interface to the higher one, you need the conduit. In the case of ftp, the server will probably initiate communication from port 20 to the client on the inside intf. If there is no conduit line in the config, those packets will be dropped because by default you cannot initiate communication from a lower priority intf to a higher one. Sorry for being so long winded.

Re: ftp through a pix

gsatchivi — Fri, 30 Aug 2002 18:15:51 GMT

It's me again.

If all your clients are comming from outside or any intf with a lower security than the dmz, you still need a conduit command to allow the clients in.

in this case: conduit permit tcp host [the server's IP] eq ftp any

gilles

Re: ftp through a pix

sampathsr — Fri, 30 Aug 2002 20:22:05 GMT

I would go step by step:

1. Try to ftp from one of the machines in the DMZ interface itself.

2. Then configure the conduit statement to allow `any' to 'any' and try to ftp:

conduit permit tcp any any

3. Then configure to permit all ports to that particular IP :

conduit permit tcp host x.x.x.x any

4. Then configure to allow only ftp to that particular ip :

conduit permit tcp host x.x.x.x eq ftp any

5. Even though it is not needed for a PIX, try `conduit;ing ftp-data also (never needed to do this though!).

Best Rgds / Sampath

Sampathsr@hclcomnet.co.in