PIX and FTP

dbouthillier
Level 1

We have a PIX 525, running 5.0(2), in our network. For as long as I can remember, workstations behind the PIX were able to connect to FTP servers on the Internet using either active or passive FTP. We rebooted the PIX recently (it had been up for a very long time), and now workstations can only use active.

We have the fixup protocol ftp 21 in our configuration. If I change that to "no fixup...", then workstations can only use passive. Because we have some applications that require Passive and others that require active, I need to get it back to being able to do both at the same time.

We don't have any FTP servers behind the PIX, so I'm not concerned about that. I'm puzzled why this is an issue. Because the connections originate behind the PIX, I would think this should not be an issue. I would think the fixup protocol ftp 21 would only be an issue for incoming traffic.

Any and all assistance will be greatly appreciated.

Daris

4 Replies

Patrick Iseli
Level 7

I have not found any detailed description of the fixup protocol in the 5.0 Command Reference; here is the explanation from the 6.3 PIX OS Command Reference.

fixup protocol ftp

Use the fixup protocol ftp command to specify the listening port or ports for the File Transfer Protocol (FTP). The following list describes the features and usage of this command:

•The PIX Firewall listens to port 21 for FTP by default.

•Multiple ports can be specified.

•Only specify the port for the FTP control connection and not the data connection. The PIX Firewall stateful inspection will dynamically prepare the data connection as necessary. For example, the following is incorrect:

INCORRECT

fixup protocol ftp 21

fixup protocol ftp 20

and the following is correct:

CORRECT = fixup protocol ftp 21

•Use caution when moving FTP to a higher port. For example, if you set the FTP port to 2021 by entering fixup protocol ftp 2021 all connections that initiate to port 2021 will have their data payload interpreted as FTP commands.

The following is an example of a fixup protocol ftp command configuration that uses multiple FTP fixups:

: For a PIX Firewall with two interfaces

ip address outside 192.168.1.1 255.255.255.0

ip address inside 10.1.1.1 255.255.255.0

: There is an inside host 10.1.1.15 that will be exported as 192.168.1.15. This host runs the FTP services at port 21 and 1021

static (inside, outside) 192.168.1.15 10.1.1.15

: Construct an access list to permit inbound FTP traffic to port 21 and 1021

access-list outside permit tcp any host 192.168.1.15 eq ftp

access-list outside permit tcp any host 192.168.1.15 eq 1021

access-group outside in interface outside

: Specify that traffic to port 21 and 1021 are FTP traffic

fixup protocol ftp 21

fixup protocol ftp 1021

If you disable FTP fixups with the no fixup protocol ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.

The strict option in the fixup protocol ftp command performs two separate functions:

•The strict option prevents web browsers from sending embedded commands in FTP requests. Each FTP command must be acknowledged before a new command is allowed. Connections sending embedded commands are dropped. The strict option only lets an FTP server generate the 227 command and only lets an FTP client generate the PORT command. The 227 and PORT commands are checked to ensure they do not appear in an error string.

•The strict option also prevents the PIX from opening up return connections based solely on the information sent in the PORT command. The strict option enables the PIX to make sure a successful reply is sent from the server in addition to the PORT command before opening the connection. If an error is seen, the PORT command is ignored by the PIX and the connection is never established. This keeps the PIX from opening data connections for communication that will never occur.

See:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094885.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379

sincerely

Patrick
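The behaviour described above (and the reason the original poster's outbound active-mode transfers depend on the fixup at all) comes down to what the firewall learns from the FTP control channel. In active mode the client sends PORT with its own address and a listening port, and the server then opens a new inbound connection to that port; without inspection, nothing on the firewall permits that inbound connection, and if the client sits behind NAT the address inside PORT is the untranslated inside address as well. In passive mode the server answers PASV with a 227 reply and the client opens a second outbound connection, which the default inside-to-outside policy already allows. The following is an added example that models this, not code from the thread or from Cisco: it replays a constructed FTP control-channel transcript through a toy inspector and reports, for each data connection, whether a PIX-style firewall with the fixup on, off, or in strict mode would let it through. The addresses, the transcripts and the policy rules are assumptions for illustration.

```python
import re

# Control-channel lines are (direction, text): "C" = inside client -> outside
# server, "S" = outside server -> inside client. Transcripts are constructed.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """FTP carries h1,h2,h3,h4,p1,p2; host is h1.h2.h3.h4, port is p1*256+p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_session(control_channel, client_ip, server_ip,
                    fixup=True, strict=False, nat_ip=None):
    """Replay a control-channel transcript and decide, for each data connection
    it sets up, whether the modelled firewall lets it through.

    Policy modelled (an assumption approximating PIX default behaviour):
    inside->outside connections are permitted; outside->inside connections are
    permitted only through a pinhole the FTP fixup opened. With nat_ip set, the
    fixup also rewrites the inside address embedded in PORT to the translated one.
    Returns a list of (mode, flow, verdict, reason).
    """
    results = []
    pending_port = None  # strict mode: PORT seen, waiting for the server's reply
    for direction, line in control_channel:
        m = PORT_RE.match(line)
        if m:
            host, port = decode_hostport(m.groups())
            if strict and direction != "C":
                results.append(("active", line, "dropped",
                                "strict: only the client may send PORT"))
                continue
            if fixup and nat_ip:
                host = nat_ip  # embedded inside address replaced by the global one
            flow = f"{server_ip}:20->{host}:{port}"
            if not fixup:
                results.append(("active", flow, "denied",
                                "no fixup: inbound data connection has no pinhole"))
            elif strict:
                pending_port = flow
            else:
                results.append(("active", flow, "permitted",
                                "fixup opened inbound pinhole on PORT"))
            continue
        if pending_port and direction == "S":
            flow, pending_port = pending_port, None
            if line.startswith("200"):
                results.append(("active", flow, "permitted",
                                "strict: pinhole opened after 200 reply"))
            else:
                results.append(("active", flow, "denied",
                                "strict: server rejected PORT, no pinhole opened"))
            continue
        m = PASV_RE.match(line)  # anchored at "227", so 227 inside an error text is ignored
        if m:
            host, port = decode_hostport(m.groups())
            flow = f"{client_ip}->{host}:{port}"
            if strict and direction != "S":
                results.append(("passive", line, "dropped",
                                "strict: only the server may send 227"))
            else:
                results.append(("passive", flow, "permitted",
                                "outbound data connection, allowed by default policy"))
    return results


CLIENT = "10.1.1.15"     # constructed inside workstation address
SERVER = "198.51.100.7"  # constructed outside FTP server (documentation range)

ACTIVE_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.net"),
    ("S", "230 Login successful."),
    ("C", "PORT 10,1,1,15,4,1"),          # client listens on 10.1.1.15:1025
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
]
PASSIVE_SESSION = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,195,80)."),  # server listens on :50000
    ("C", "LIST"),
]


def verdicts(session, **kw):
    """Just the verdict strings for a session, for quick comparison."""
    return [r[2] for r in inspect_session(session, CLIENT, SERVER, **kw)]


if __name__ == "__main__":
    for fixup in (True, False):
        print(f"fixup={fixup}: active={verdicts(ACTIVE_SESSION, fixup=fixup)} "
              f"passive={verdicts(PASSIVE_SESSION, fixup=fixup)}")
    print("strict, PORT injected from the server side:",
          inspect_session([("S", "PORT 10,1,1,15,0,22")], CLIENT, SERVER, strict=True))
```

With fixup=False the active session is denied and the passive one still passes, which is exactly the "outbound users can start connections only in passive mode" behaviour the command reference describes; with strict=True the pinhole is held back until the server's 200 reply, and a PORT arriving from the server side or a 227 buried in an error line is not acted on.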

By the way, it might be a good idea to upgrade your software version!

See:

http://www.cisco.com/warp/public/110/upgrade.shtml

sincerely

Patrick

Seems this was a bug in 5.0(2), fixed in 5.0(3). Certain other constraints were preventing an upgrade to 6.3. Looks like we will see if we can upgrade to 5.2(3) without breaking anything.

The upgrade to 5.2(3) fixed this issue.
