FTP through PIX

ohnnyj
Level 1

Hello all:

I am in the initial stages of setting up an FTP server in our network which will need to be accessible from the outside and through our PIX. Is there any tutorial or article that anyone knows about which could guide me through the PIX portion of it to ensure it has the right settings to allow connections through and data to be sent back to clients.

Thanks,

John

2 Replies

a.kiprawih
Level 7

The common way to allow outsider/internet users to access your FTP server is via this method:

1. Map your internal FTP Server to a dedicated Public IP Address to enable internet users to access your FTP server.

You can either use dedicated public IP (preferred), or use PIX Outside interface IP with port re-direction.

2. Configure/add an access-list (ACL) on the PIX Outside interface allowing any or specific external IP to access your FTP server via its Public IP.

Example:

Internal FTP Server IP: 10.10.10.10

Public IP: 192.168.100.10

a. Mapping internal FTP Server on Inside segment (same if it's in DMZ)

static (inside,outside) 192.168.100.10 10.10.10.10 netmask 255.255.255.255

b. Create/add ACL & bind to Outside interface

access-list outside-access_in permit icmp any host 192.168.100.10 --> allow PING to test FTPsvr reachability. Remove after the test.

access-list outside-access_in permit tcp any host 192.168.100.10 eq 21

access-list outside-access_in deny ip any any

access-group outside-access_in in interface outside --> bind ACL to Outside interface

* Make sure your PIX has its default route set correctly to the Internet router

The return traffic back to clients normally has no issue with PIX as it'll keep the connection/session status in its state table.

You can test the reachability/connectivity between client and server using the above ping (ICMP) test.

PIX's doc on allowing inbound connection:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278e.html#wp1069973

HTH

AK

Matee,

I would add one note to this:

Make sure that application inspection is enabled for FTP.

The command will be: "fixup protocol ftp 21" if you are using PIX OS 6.X.X (http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379) and will be "inspect ftp" if you are using PIX OS 7.X.X (http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f0e8.html#wp1664935).

This will be needed to make sure that your PIX will allow both active and passive FTP.

Hope this helps.

Cheers.
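The two replies above list four things the PIX needs for an inbound FTP publish: the static mapping, an ACL permitting TCP/21 to the public address, that ACL bound inbound on the outside interface, and FTP application inspection. The script below is an added example (not from this thread or from Cisco) that audits a saved PIX running-config for those items and also flags the temporary ICMP test rule if it was left in; the sample config and the function name are constructed for illustration.

```python
import re

# Constructed sample PIX 6.x configuration, not taken from the thread: it
# applies the static/ACL steps above but leaves the ICMP test rule in place
# and has the FTP fixup explicitly disabled.
SAMPLE_CONFIG = """\
static (inside,outside) 192.168.100.10 10.10.10.10 netmask 255.255.255.255
access-list outside-access_in permit icmp any host 192.168.100.10
access-list outside-access_in permit tcp any host 192.168.100.10 eq 21
access-list outside-access_in deny ip any any
access-group outside-access_in in interface outside
no fixup protocol ftp 21
"""


def audit_ftp_publish(config, public_ip):
    """Check a PIX config for the pieces an inbound FTP publish needs.

    Returns a dict of booleans; True means the requirement is met. For
    'icmp_test_rule_removed', True means the temporary ping rule is gone.
    """
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    ip = re.escape(public_ip)

    # Static NAT: public address mapped to an inside/DMZ host.
    static_ok = any(
        re.match(r"^static \(\S+,\s*\S+\) " + ip + r" \S+", ln) for ln in lines)

    # Name of every ACL that permits the FTP control channel (TCP/21).
    ftp_acls = set()
    for ln in lines:
        m = re.match(r"^access-list (\S+) permit tcp (.+?) host " + ip + r" eq (21|ftp)$", ln)
        if m:
            ftp_acls.add(m.group(1))

    # The ACL only takes effect once bound inbound on the outside interface.
    bound = any(
        re.match(r"^access-group " + re.escape(a) + r" in interface outside$", ln)
        for a in ftp_acls for ln in lines)

    # PIX 6.x enables the FTP ALG with "fixup protocol ftp 21"; 7.x uses
    # "inspect ftp" inside a policy-map class. "no fixup" turns it off.
    inspect_on = any(re.match(r"^(fixup protocol ftp \d+|inspect ftp)", ln) for ln in lines)
    inspect_off = any(re.match(r"^no fixup protocol ftp", ln) for ln in lines)
    icmp_rule = any(re.match(r"^access-list \S+ permit icmp .*host " + ip, ln) for ln in lines)

    return {
        "static_mapping": static_ok,
        "acl_permits_ftp_control": bool(ftp_acls),
        "acl_bound_to_outside": bound,
        "ftp_inspection": inspect_on and not inspect_off,
        "icmp_test_rule_removed": not icmp_rule,
    }
```

Run it against the output of `show running-config` saved to a file; a False for `ftp_inspection` is the case the second reply warns about, where the control channel connects but data transfers stall.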
