10-06-2004 08:05 AM - edited 02-20-2020 11:40 PM
I'm running a PIX 501 from my primary office location running NAT. I'm trying to connect to a ConnectEnterprise Secure FTP destination. Because I have no previous experience configuring a PIX to work with an FTPS server, I was hoping for some help. Before, I couldn't even exchange SSL keys, but as soon as I removed "strict" from my FTP (21) fixup protocol I was allowed to. The problem then arose when my client did an automatic list command and I got a timeout. I noticed that my PIX was dropping packets in the 3000 range. The ports, of course, were dynamic every time. The support guys of the FTPS server have no experience with the PIX and they told me to make sure I can do New Line Characters and FTP bidirectional. My knowledge is somewhat limited as well, so any help that you guys can provide would be greatly appreciated. See below part of my configuration file (minus the FTP strict command that I think is important).
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname ironmike
domain-name createhope.com
clock timezone EST -5
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 21
10-06-2004 08:31 AM
Have you tried without the "fixup ftp"?
pix> enable
pix# configure terminal
pix(config)# no fixup protocol ftp 21
To re-enable it (recommended):
pix(config)# fixup protocol ftp 21
This removes the ftp service command filtering but I am not sure if only this will help you.
Do you connect from the internet to a public IP?
Do you have an access-list on your outside interface?
Do you use port 21 and port 20 or another port?
Have you a static for NAT?
Do you use passive ftp?
What do you see on the PIX as error messages?
Enable logging:
pix# configure terminal
pix(config)# logging buffered warnings
pix(config)# logging on
pix(config)# show logging
Some useful links:
Poor or Intermittent FTP/HTTP Performance Through a PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094459.shtml
Establishing Connectivity Through Cisco PIX Firewalls
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008009402f.shtml
Configuring the PIX Firewall
sincerely
Patrick
10-06-2004 12:16 PM
I've also been in contact with Cisco Support. As it turns out, there is currently no official support with the current 6.x FOS. The best way to work around is to open up the FTPS port range 1024 - 5000 on the designated trusted IP. For the time being, that's sufficient enough for me, but if anybody else has a better idea, I'd very much love to hear it. Anyways, thanks for the help, very much appreciated.
11-16-2004 09:03 AM
That appears to be a problem with FTPS, as I have found. PASV mode also fails.
A firewall is usually configured to deny inbound connections to an FTP server using any port other than port 21. Under PASV FTP, the firewall that protects the server needs to be able to see the unencrypted response to the PASV command in order to allow inbound connectivity to the server on a dynamic port (i.e., ports other than 21).
This step fails when PASV mode is used because the FTP Control session is encrypted. The new inbound FTP Data connection will arrive at the firewall and will be denied because it cannot be "bound" to an existing FTP Control Session.
The only way I got it to work was to use the PIX 'established' command which can leave a pretty big hole in your firewall if you're not careful.
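To make concrete why the fixup cannot help once the control channel is encrypted, here is an added Python sketch (not from the thread, and not Cisco's code) of the pinhole logic: it reads PORT/PASV from a plaintext control stream, gets nothing from constructed TLS record bytes, and contrasts that with the static 1024-5000 range workaround mentioned earlier. The IP addresses and byte strings are constructed sample data.

```python
import re

# Added example: emulates the piece of an FTP fixup that derives the
# data-connection "pinhole" from the plaintext control channel.
# RFC 959 forms: client "PORT h1,h2,h3,h4,p1,p2" and server "227 ... (h1,h2,h3,h4,p1,p2)"
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(rb"227 [^\r\n]*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def fixup_pinhole(control_stream: bytes):
    """Return ("active"|"passive", ip, port) for the data connection the fixup
    would permit, or None when no PORT/PASV can be read (e.g. TLS-encrypted)."""
    for kind, rx in (("passive", PASV_RE), ("active", PORT_RE)):
        m = rx.search(control_stream)
        if m:
            f = [int(x) for x in m.groups()]
            port = f[4] * 256 + f[5]          # high byte * 256 + low byte
            if all(0 <= x <= 255 for x in f) and 1024 <= port <= 65535:
                return (kind, ".".join(map(str, f[:4])), port)
    return None

def data_connection_allowed(control_stream, dst_ip, dst_port, static_range=None):
    """Decide whether a new inbound data connection to dst_ip:dst_port passes.
    static_range=(lo, hi) models the thread's workaround of opening 1024-5000 by ACL."""
    pin = fixup_pinhole(control_stream)
    if pin and pin[1:] == (dst_ip, dst_port):
        return "allowed: pinhole from inspected control channel"
    if static_range and static_range[0] <= dst_port <= static_range[1]:
        return "allowed: static ACL range (no binding to a control session)"
    return "denied: cannot bind to an existing FTP control session"

# Constructed sample traffic. Plaintext FTP: the PASV reply advertises 203.0.113.10:3000
PLAIN_CONTROL = (b"220 Service ready\r\nUSER demo\r\n331 Password\r\nPASS x\r\n230 OK\r\n"
                 b"PASV\r\n227 Entering Passive Mode (203,0,113,10,11,184)\r\nLIST\r\n")
# Same exchange after AUTH TLS: the fixup sees only TLS record bytes (constructed, opaque)
TLS_CONTROL = (b"AUTH TLS\r\n234 Proceed\r\n"
               + bytes.fromhex("170301002a8f2c41b7e0d9a3") + b"\x00" * 30)

if __name__ == "__main__":
    print(fixup_pinhole(PLAIN_CONTROL), fixup_pinhole(TLS_CONTROL))
    print(data_connection_allowed(TLS_CONTROL, "203.0.113.10", 3000))
    print(data_connection_allowed(TLS_CONTROL, "203.0.113.10", 3000, (1024, 5000)))
```

The static range lets the data connection through, but because it is not tied to any inspected control session, it stays open for every host the ACL covers; that is the hole the post above warns about.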