Extended Passive FTP support in FWSM 3.2

adamsutton75 · ‎01-25-2013

Hi,

We have an application being commissioned which requires extended passive FTP (EPSV) (RFC2428)

The application seems very unreliable when traversing our FWSM, though reliable when the client application is in the same DMZ as the FTP server. We can see no denials and on occassions the FTP does work, however we do see a number of "TCP Reset-I" showing and on reading into EPSV it seems if this is an issue or unsupported it can manifest itself without showing anything really in the firewall logs.

Can anyone confirm if EPSV is supported on FWSM software 3.2(2) which we are currently running, I had read that on PIX it was only supported on 7.0 and later, but have been unable to find where support came in on the FWSM.

We are planning to upgrade the software on the FWSM to the latest 4.1 software release and it would be good to know prior to the upgrade whether this issue may be resolved, or if the issue has nothing to do with the 3.2(2) softwares handling of EPSV.

Many thanks

Adam.

david.tran · ‎01-25-2013

For what it worth, I know personally that 8.0.4 running on my pix firewall works with EPSV. I tested EPSV using curl in linux that has the option to turn on/off epsv

I think EPSV was first supported by Cisco in Pix version 7.2(1): http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2039374

The only way you can see this with EPSV issue is to capture traffics with a sniffer, now I don't know how to do it on the FWSM but with Pix, I just span the port on the switch and see the traffics on my linux sniffer and that how I find out.

On another note, I don't understand why people running FWSM in their environment. I've worked with FWSM about five years and the products are very difficult to use, have a lot of limitations and most of all, very difficult to troubleshoot