11-22-2005 08:51 PM - edited 02-21-2020 12:32 AM
On the PIX I have "ftp mode passive" & "inspect ftp" enabled. I also have OUTSIDE ACL rules allowing access to the ftp-server which eq ftp & ftp-data. In my efforts to get passive ftp working, I also have a DMZ ACL rule allowing the ftp-server access out which eq ftp & ftp-data (most probably not needed). When I watch the connection logs on my ftp client it does not make a passive connection. I watch the connection being established through the ASDM log entries on the PIX and I can see the session being set up for what appears to be active ftp only (ports 20 & 21); I cannot see any high ports being connected either on the PIX or on the connection log of the ftp client. Is there anything more that has to be enabled on the PIX to help establish passive ftp, or should I be looking at the ftp-server? Not sure?
11-23-2005 01:09 PM
Maybe the FTP server is set like that. Or perhaps try removing the ip inspect ftp and see what the difference is.
11-23-2005 02:32 PM
I have tried removing "inspect ftp" and other settings that I believe relate to ftp but that has made no difference.
This is basically what I have set on PIX wrt ftp:
ftp mode passive
access-list DMZ extended permit tcp object-group x.x.x.x any eq ftp
access-list DMZ extended permit tcp object-group x.x.x.x any eq ftp-data
(this dmz acl is probably not required)
access-list OUTSIDE extended permit tcp any object-group x.x.x.x eq ftp
access-list OUTSIDE extended permit tcp any object-group x.x.x.x eq ftp-data
inspect ftp
class-map FTP-DATA
match port tcp eq ftp-data
class FTP-DATA
police 1000000 1500000
Is there any way of seeing if the PIX is blocking the high ports?
11-23-2005 04:42 PM
Simply turn on logging and do "show log"; the log will capture it if anything is denied.
thanks
Nadeem
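As an added illustration of the advice above (this is not code from the thread or from Cisco): passive FTP works by the server answering PASV with a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, after which the client opens a second TCP connection to port p1*256+p2 on the server. "inspect ftp" is meant to read that reply and open a pinhole for the data connection; if it does not, the data SYN is dropped by the interface ACL and shows up in "show log" as a 106023 deny. The script below decodes a 227 reply and filters PIX/ASA syslog lines for denied TCP connections to the FTP server on high ports, then correlates the two. The log lines and addresses are constructed, and the 106023/302013 message layouts are assumed from Cisco's documented syslog formats.

```python
"""Decode a PASV reply and find matching 106023 denies in PIX/ASA syslog."""
import re
from typing import Dict, List, Optional, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# %PIX-4-106023 / %ASA-4-106023 (assumed layout):
#   Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r"%(?:PIX|ASA)-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample of what "show log" might contain: the control channel
# (port 21) is built, but the data connection to the advertised high port is
# denied by the OUTSIDE ACL. The other denies are noise for the filter to skip.
SAMPLE_LOG = [
    '%PIX-6-302013: Built inbound TCP connection 1234 for '
    'outside:203.0.113.10/51230 (203.0.113.10/51230) to dmz:192.0.2.5/21 (192.0.2.5/21)',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.10/51231 '
    'dst dmz:192.0.2.5/50231 by access-group "OUTSIDE"',
    '%PIX-4-106023: Deny tcp src outside:203.0.113.10/51232 '
    'dst dmz:192.0.2.7/50231 by access-group "OUTSIDE"',
    '%PIX-4-106023: Deny udp src outside:203.0.113.10/51233 '
    'dst dmz:192.0.2.5/50231 by access-group "OUTSIDE"',
]


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) advertised by a 227 reply, or None for any other reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= n <= 255 for n in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_deny(line: str) -> Optional[Dict[str, object]]:
    """Parse one 106023 deny line into a dict; None for any other syslog line."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d: Dict[str, object] = m.groupdict()
    d["sport"] = int(m.group("sport"))
    d["dport"] = int(m.group("dport"))
    return d


def blocked_passive_data(log_lines: List[str], ftp_server_ip: str) -> List[Dict[str, object]]:
    """Denied TCP connections to the FTP server on ports above 1023, i.e. passive data channels."""
    hits = []
    for line in log_lines:
        d = parse_deny(line)
        if d and d["proto"] == "tcp" and d["dip"] == ftp_server_ip and d["dport"] > 1023:
            hits.append(d)
    return hits


def pasv_port_denied(pasv_reply: str, log_lines: List[str]) -> bool:
    """True if the exact host/port advertised in the 227 reply was denied by an ACL."""
    target = parse_pasv(pasv_reply)
    if target is None:
        return False
    host, port = target
    return any(d["dport"] == port for d in blocked_passive_data(log_lines, host))


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,5,196,55)"
    print("advertised data endpoint:", parse_pasv(reply))
    for hit in blocked_passive_data(SAMPLE_LOG, "192.0.2.5"):
        print(f'denied by ACL {hit["acl"]}: {hit["sip"]} -> {hit["dip"]}:{hit["dport"]}')
    print("PASV data port denied:", pasv_port_denied(reply, SAMPLE_LOG))
```

If the filter returns hits for the port named in the 227 reply, the ACL is dropping the data channel and the FTP inspection pinhole is not being created; if "show log" has no 106023 for that port at all, the PIX never saw the data SYN and the client or server side should be checked instead.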
12-15-2005 12:56 PM
add entry to outbound acl
access-list xxxxx permit tcp any any gt 1024