Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
302
Views
0
Helpful
2
Replies

Browser FTP access through PIX 515

bsallison
Level 1
Level 1

‎09-28-2006 11:21 AM - edited ‎02-21-2020 01:12 AM

Looking for some help.

I have a PIX 515UR 6.3(2), behind which I have an FTP server running WS_FTP server. With the help of WS_FTP we enabled SFTP by setting up clear channel to open the FTP communication.

Two things I am struggling with and WS_FTP has said I need someone with extensive firewall knowledge to resolve. 1) Remote connections, have to set their FTP client software to use active state, because passive will not work.

2) This may feed off #1, but I would also like to be able to provide Internet Explorer browser based FTP access to my site as needed. We run into some clients that have no FTP client software and they are having to download trial copy of WS_FTP to get access to our server.

I understand I haven't been real specific with my questions, but any advice is appreciated, at which time I can get into deeper detail.

THANKS!

0 Helpful
2 Replies 2

Patrick Iseli
Level 7
Level 7

‎09-28-2006 11:38 AM

Matt wrote last a couple of days before:

SFTP is not supported through the PIX.

This is because with SFTP the whole exchange is encrypted. This means that the PIX can't inspect the communications on the control channel (PORT or PASV, specifically) that dictate what the data channel is going to be. Since the PIX can't see what the data channel is going to be, it can't open up a hole for the traffic to pass through. In this situation you will probably be able to connect to an SFTP server, but you won't be able to list directories or transfer files.

There may be a workaround, if your client supports it. Some programs (WS_FTP is one, I think), have an option to send the control channel traffic in the clear, while still encrypting the data channel. This will allow the PIX to anticipate the data channel and allow it, and still have SFTP protect your data.

Thanks,

Matt

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddc28cc/4#selected_message

sincerely

Patrick

0 Helpful

bsallison
Level 1
Level 1
In response to Patrick Iseli

‎09-28-2006 01:42 PM

Thank You Patrick,

I had read Matt's msg, and I have SFTP working by sending the control channel traffic in the clear.

Made I should clarify. Remote users have the option of connecting to my FTP server either with standard FTP or SFTP. My two question from original post relate to normail FTP traffic and allowing that in PASV mode which I think will then open up Internet Explorer to access my FTP server.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card