Hi,
Yes, please see how it behaves in two scenarios for inbound traffic, when a client wants to initiate an FTP connection (passive/active) to a server from outside to inside:
- Standard FTP
1. If an access-list/conduit exists to allow FTP traffic from outbound to inbound (FTP server) and outbound traffic is explicitly allowed, there isn't any handling, because the data channel is opened from server to client.
2. If an access-list/conduit exists to allow FTP traffic from outbound to inbound (FTP server) and outbound traffic isn't explicitly allowed, then the PIX opens access to outbound temporarily, and it will be closed after the FTP data is sent from server to client.
- Passive FTP
If an access-list/conduit exists allowing inbound FTP control connections to a passive FTP server, the PIX opens a temporary inbound ACL for the data channel initiated by the client.
In fact, if the FTP fixup is disabled, then:
- Inbound standard FTP will work properly if an access-list/conduit to the inside server exists.
- Inbound passive FTP will not work properly, because the client should initiate to the server on a port that the server specified for the data channel.
Regards,
Mehrdad Arshad Rad
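The reply above describes the temporary openings the PIX FTP fixup creates by reading the control channel. The following is an added example, not code from the post or from Cisco, that models that decision in a simplified way: it parses a client's `PORT` command and a server's `227` passive-mode reply and reports which direction the data connection will be initiated in and on which port, which is exactly what an inspection engine needs to know before opening a pinhole. The addresses (outside client 203.0.113.10, inside server 192.0.2.20) and the control-channel lines are constructed for the example; the check that the announced address matches the speaking endpoint is an assumption about what a careful fixup should do, not a claim about the PIX implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Active mode: client announces where the server should connect to (RFC 959 PORT).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# Passive mode: server announces where the client should connect to (227 reply).
PASV_RE = re.compile(r"^227\D*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Pinhole:
    """A temporary opening the fixup would add for one data connection."""
    direction: str   # "inbound" = towards the inside server, "outbound" = towards the outside client
    src_ip: str      # endpoint that will initiate the data connection
    dst_ip: str      # endpoint that will accept it
    dst_port: int


def decode_hostport(groups: Sequence[str]) -> Tuple[str, int]:
    """Turn the six h1,h2,h3,h4,p1,p2 fields into ("h1.h2.h3.h4", p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(octet > 255 for octet in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in FTP host-port string")
    port = p1 * 256 + p2
    if not 1 <= port <= 65535:
        raise ValueError("invalid data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def pinhole_for_control_line(line: str, sender: str,
                             client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Decide whether one control-channel line requires a data-channel pinhole.

    sender is "client" (outside) or "server" (inside). Returns None for lines
    that do not announce a data endpoint.
    """
    if sender == "client":
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            # Refuse to open a hole towards anything but the client that asked
            # (assumed policy for this example).
            if ip != client_ip:
                raise ValueError("PORT address does not match the client endpoint")
            # Scenario 1/2 of the post: the server initiates outbound to the client.
            return Pinhole("outbound", server_ip, ip, port)
    elif sender == "server":
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            if ip != server_ip:
                raise ValueError("227 address does not match the server endpoint")
            # Passive scenario of the post: the client initiates inbound to the server.
            return Pinhole("inbound", client_ip, ip, port)
    return None


def pinholes_for_session(session: Sequence[Tuple[str, str]],
                         client_ip: str, server_ip: str) -> List[Pinhole]:
    """Walk a control-channel transcript and collect every pinhole it would need."""
    return [h for sender, line in session
            if (h := pinhole_for_control_line(line, sender, client_ip, server_ip))]


# Constructed transcript: one active-mode request, then one passive-mode request.
CONSTRUCTED_SESSION = [
    ("client", "USER anonymous"),
    ("client", "PORT 203,0,113,10,4,1"),                      # client listens on 4*256+1 = 1025
    ("server", "200 PORT command successful"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,0,2,20,200,21)"),  # server listens on 51221
]

if __name__ == "__main__":
    for hole in pinholes_for_session(CONSTRUCTED_SESSION, "203.0.113.10", "192.0.2.20"):
        print(hole)
```

With the fixup disabled, nothing reads the control channel, so the `inbound` pinhole for the passive case is never created and the client's data connection is dropped by the inside-facing ACL; the active case still works only where the outbound direction is already permitted, which is the distinction the post draws.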