Help needed configuring PIX 501 with FTP server and SSL

robert-murray
Level 1

I'm wondering if anyone can help with this problem.

I have my PIX configured beautifully.

It runs my FTP file server with PASV connections.

But when I set the server to allow SSL connections only, the clients (CuteFTP, FlashFXP, etc.) trying to connect fail!

Interestingly, when I set the server to accept normal and SSL connections, the client initially connects using a normal (non-SSL) connection; then, once authentication is confirmed, the server transfers the files using SSL encryption.

This type of connection is considered to be an Explicit SSL connection.

What i'm after is an Implicit connection.

What's the difference? Well, when a client connects using an Implicit connection, the initial connection and the subsequent file transfer are all encrypted.

The real problem I have is that when I set my server to accept only Implicit SSL connections, as I want 100% encryption, the PIX doesn't seem to be able to make the connection.

I have been wondering if it is because of the NAT routing system that I have set up for my SOHO network?

The reason I say that is because if an encrypted message (username/password) arrives at the PIX, the PIX cannot understand it! If the PIX cannot understand it, then the PIX does not know where to send it to be read (i.e. the FTP file server on the internal network).

My problem is that when I set the server to allow normal and SSL connections (server = Serv-U), I am unable to force people to use an encrypted connection. They can still connect using a normal connection. Which is why I would like to be able to force users to connect with an encrypted connection.

If it's not possible to do this with the PIX, I would also be interested in hearing from anyone who has found a way around this, maybe by utilising SSH connections etc.

Any thoughts?

1 Reply

nkhawaja
Cisco Employee

Hi,

You already gave the answer to your question: the PIX can't understand the encrypted connection. Of course neither the PIX, nor any other device or firewall in between the client and server, can understand encrypted traffic; otherwise, would it not defeat the whole concept of encryption?

No, I don't think it is because of the NAT. It is because the PIX is not able to learn the dynamic ports to be opened for the connection.

This is just my thought! Maybe there are some workarounds, but I doubt it!

Thanks

Nadeem
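The mechanism behind both the original question (the PIX "cannot understand" an encrypted login) and the reply (the PIX cannot learn the dynamic ports) is the firewall's stateful FTP inspection of the control channel: it reads the server's `227 Entering Passive Mode` reply, rewrites the inside address to the NAT address, and opens a pinhole for the data connection. The following is an added example, not code from the thread or from Cisco; it simulates that inspection in Python to show why it works on a plaintext control channel and does nothing once the control channel is TLS from the first byte (implicit FTPS), and it models the usual practical workaround of a fixed passive port range permitted statically on the firewall. The addresses, the NAT mapping, the sample `227` reply and the stand-in TLS record are all constructed for the example.

```python
import re

# RFC 959 "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply. Group 1 is the text up to and
# including "(", groups 2-7 are the six numbers, group 8 is the closing ")".
PASV_RE = re.compile(
    rb"(227 [^(\r\n]*\()(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(\))"
)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if no parseable PASV reply is visible."""
    m = PASV_RE.search(reply)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()[1:7]]
    if any(v > 255 for v in nums):
        return None
    ip = ".".join(str(v) for v in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def rewrite_pasv(reply, nat_map):
    """Rewrite the inside address in a 227 reply to its NAT outside address (what FTP fixup does)."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply
    ip, port = parsed
    outside = nat_map.get(ip)
    if outside is None:
        return reply
    new_tuple = ",".join(outside.split(".")) + f",{port // 256},{port % 256}"
    return PASV_RE.sub(lambda m: m.group(1) + new_tuple.encode() + m.group(8), reply, count=1)


class FtpInspector:
    """Stateful FTP inspection: watch the control channel, open pinholes for data connections."""

    def __init__(self, nat_map):
        self.nat_map = nat_map      # inside ip -> outside (NAT) ip
        self.pinholes = set()       # (outside_ip, port) pairs the firewall will accept

    def inspect_server_reply(self, data):
        """Process one server->client control segment; return the bytes to forward to the client."""
        parsed = parse_pasv(data)
        if parsed is None:
            return data             # opaque to the inspector (e.g. TLS ciphertext): no pinhole
        ip, port = parsed
        self.pinholes.add((self.nat_map.get(ip, ip), port))
        return rewrite_pasv(data, self.nat_map)

    def allows_data_connection(self, dst_ip, dst_port, static_range=()):
        """True if a pinhole exists or the port lies in a statically permitted passive range."""
        if (dst_ip, dst_port) in self.pinholes:
            return True
        return any(lo <= dst_port <= hi for lo, hi in static_range)


# Constructed addresses: Serv-U on the inside, PIX outside address seen by clients.
NAT = {"192.168.1.10": "203.0.113.5"}

# Constructed plaintext 227 reply as the server sends it; port = 195*256 + 80 = 50000.
PLAIN_PASV = b"227 Entering Passive Mode (192,168,1,10,195,80)\r\n"

# Constructed stand-in for the same reply on an implicit-FTPS control channel: a TLS
# application-data record header (type 0x17, version 3.1) followed by opaque ciphertext bytes.
TLS_PASV = b"\x17\x03\x01\x00\x30" + bytes(range(0x30))


def demo_plain_vs_encrypted_control():
    """Run the same PASV exchange through the inspector with a visible and an encrypted control channel."""
    # Visible control channel: inspector learns the port and rewrites the address for the client.
    plain = FtpInspector(NAT)
    rewritten = plain.inspect_server_reply(PLAIN_PASV)
    plain_ok = plain.allows_data_connection("203.0.113.5", 50000)

    # Implicit FTPS: the 227 is inside TLS, so no pinhole is opened and the data connection fails.
    enc = FtpInspector(NAT)
    enc.inspect_server_reply(TLS_PASV)
    enc_ok = enc.allows_data_connection("203.0.113.5", 50000)

    # Workaround: server pinned to a fixed passive range, that range permitted statically.
    enc_static_ok = enc.allows_data_connection("203.0.113.5", 50000, static_range=[(50000, 50010)])
    return rewritten, plain_ok, enc_ok, enc_static_ok


if __name__ == "__main__":
    print(demo_plain_vs_encrypted_control())
```

The static-range branch is the part to take away: once the control channel is encrypted end to end, no inspection can substitute for it, so the server must advertise a small fixed passive range (and its NAT outside address) and the firewall must permit that range plus the implicit-FTPS control port explicitly, with no dynamic pinholes involved.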
