PIX and FTP virtual hosts problem

cass.heide
Level 1

I have a Cisco PIX (version 6.3(3)) behind which I have all of my ISP clients. I have a web server outside the PIX hosting various web sites on one IP address (virtual hosts). People outside the PIX can FTP to the web server without any problem. People inside the PIX cannot. We didn't have this problem until I started using virtual hosts on the FTP server and assigning different FTP port numbers to each of the web sites. (We had only one site on the web server until a few days ago.) I'm assuming this is a PIX problem because that's the only difference between accessing the FTP server for my ISP clients and non-clients. So, my question is: do I need to also open up the new FTP port numbers on my PIX? I have "fixup protocol ftp 21" already. Should I add similar statements for each of the new higher ports? I'm new to using a PIX; we didn't cover them in my CCNA and CCNP classes. Also, I can FTP to virtual hosts located on other ISPs' servers, which doesn't make sense to me. Thanks.

Accepted Solution

jgervia_2
Level 1

Hello,

I'm assuming by 'higher port numbers' that the new ftp servers are listening on ports other than the default port of 21. If that is the case, then you are exactly correct in saying you'll have to add more fixup commands.

The way active FTP works is that a control connection is established between the client and the server on tcp 21, and then they negotiate a port for data. The *server* then initiates a connection back to the client on that port.

Normally, this is not an issue for the pix, because it is watching the control connection on port 21 and figures out it needs to open a hole for the data connection on the new port, but if you are doing ftp on ports other than 21, you have to tell the pix to 'look' at that port as an ftp control connection so it can then open the firewall for the data connection.

You can check out the fixup here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

But the short of it is you need an access list entry for the new ftp port outbound (say it's 2525), and then, to inspect it as if it's ftp, the 'fixup protocol ftp 2525' command.

--Jason

Don't forget to rate if it helps.
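The following Python model is an added illustration of the mechanism the answer describes; it is not part of Jason's answer and not PIX code. It plays the role of the FTP application-layer gateway that `fixup protocol ftp <port>` enables: watch the control channel, decode the data-port negotiation, and open a pinhole for the data connection only when the control port is one the firewall has been told to inspect. The client and server addresses, the virtual-host control port 2525 and the control-channel lines are all constructed. It goes a little beyond the answer in two ways: it also decodes the passive-mode `227` reply, and it refuses to open a pinhole for a `PORT` command that names an address other than the client's own, a standard defensive check in FTP inspection.

```python
"""Toy model of an FTP application-layer gateway (ALG), the job the PIX
'fixup protocol ftp <port>' command performs. Added example, not PIX code;
every address, port and control-channel line below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple

# Active mode: the client sends "PORT h1,h2,h3,h4,p1,p2" and the *server*
# connects back to h1.h2.h3.h4 on port p1*256+p2.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Passive mode: the server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# and the client connects to it.
PASV_RE = re.compile(r"^227\b.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One temporary allow rule: src_ip may open a TCP connection to dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int


def _decode_hostport(fields: Sequence[str]) -> Optional[Tuple[str, int]]:
    """Turn the six decimal fields of PORT / 227 into (ip, port); None if malformed."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Client -> server PORT command; returns where the server must connect back."""
    m = PORT_RE.match(line)
    return _decode_hostport(m.groups()) if m else None


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Server -> client 227 reply; returns where the client will connect."""
    m = PASV_RE.match(line)
    return _decode_hostport(m.groups()) if m else None


def plan_pinholes(client_ip: str, server_ip: str, control_port: int,
                  fixup_ports: Set[int],
                  control_lines: Sequence[Tuple[str, str]]) -> List[Pinhole]:
    """Return the data-channel pinholes the ALG opens for one FTP session.

    control_port  -- TCP port of the control connection (21, or a virtual-host port)
    fixup_ports   -- ports the firewall is configured to inspect as FTP control
    control_lines -- ("c2s" | "s2c", line) pairs seen on the control channel
    """
    if control_port not in fixup_ports:
        # Not inspected: the PORT negotiation is never seen, no hole is opened,
        # and the server's active-mode data connection hits the default inbound
        # deny. This is the failure the question describes.
        return []
    holes: List[Pinhole] = []
    for direction, line in control_lines:
        if direction == "c2s":
            target = parse_port_command(line)
            if target is None:
                continue
            ip, port = target
            if ip != client_ip:
                # Client asked the server to connect to a third party: refuse.
                continue
            holes.append(Pinhole(src_ip=server_ip, dst_ip=ip, dst_port=port))
        elif direction == "s2c":
            target = parse_pasv_reply(line)
            if target is not None:
                ip, port = target
                holes.append(Pinhole(src_ip=client_ip, dst_ip=ip, dst_port=port))
    return holes


# Constructed session: an inside client talking to a virtual host on port 2525.
CLIENT, SERVER, VHOST_PORT = "10.1.1.5", "203.0.113.10", 2525
SESSION = [
    ("c2s", "USER anonymous"),
    ("s2c", "331 Please specify the password."),
    ("c2s", "PASS guest@example.invalid"),
    ("s2c", "230 Login successful."),
    ("c2s", "PORT 10,1,1,5,4,1"),          # client listens on 10.1.1.5:1025
    ("s2c", "200 PORT command successful."),
    ("c2s", "LIST"),
]

if __name__ == "__main__":
    # Only port 21 inspected (the questioner's starting config): no pinhole.
    print(plan_pinholes(CLIENT, SERVER, VHOST_PORT, {21}, SESSION))
    # After adding the equivalent of 'fixup protocol ftp 2525': one pinhole.
    print(plan_pinholes(CLIENT, SERVER, VHOST_PORT, {21, 2525}, SESSION))
```

Running it with only port 21 in the inspected set yields an empty list, which is the symptom in the question; adding 2525 yields a single rule allowing the server to reach the client on the port it announced. On the PIX itself the corresponding change is the `fixup protocol ftp 2525` line the answer quotes.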
