If I define a rule in CSPM to allow passive FTP it creates a rule allowing port 21 and ports 49152 -> 65535. Does anyone know if it is possible to change the range of high ports? Even though I can create new services (e.g. MYFTPPassive with a range 1024 -> 65535) I cannot associate this with the FTP application. Does this mean that the fixup won't be applied?
Fixup is actually only done on the control port 21. When cbac/pix notices the traffic, it watches for the return port and allows the traffic. I would think that could be anything >1024. Probably worth running by a Cisco engineer.
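As an added illustration (not from either poster, and not Cisco code), the following Python models what a stateful FTP fixup does with the control channel: it parses the server's 227 PASV reply, derives the single data port the server announced, and checks it against an allowed high-port range before a pinhole would be opened for just that connection. The sample control-channel lines and the port range are constructed assumptions; the point is that only the announced port needs to be allowed, not a static block of high ports.

```python
import re

# Constructed sample control-channel lines (not captured from a real device).
# The second 227 reply points the data connection at a privileged port and
# should be refused by the inspection logic.
SAMPLE_CONTROL_LINES = [
    "220 ftp.example.test FTP server ready",
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80).",
    "RETR file.txt",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,0,21).",
]

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2) with port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv_reply(line):
    """Return (host, port) announced in a 227 reply, or None if the line is not a valid PASV reply."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed: every field must fit in one byte
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)

def pinholes_for_session(lines, low=1024, high=65535):
    """Walk the control channel and collect the data-port pinholes a fixup would open.

    Only ports announced by the server inside [low, high] are accepted; the
    range is an assumption here (the CSPM default in the question was 49152-65535).
    Returns (opened, rejected) lists of (host, port) tuples.
    """
    opened, rejected = [], []
    for line in lines:
        parsed = parse_pasv_reply(line)
        if parsed is None:
            continue  # not a PASV reply; control traffic passes on port 21 anyway
        host, port = parsed
        (opened if low <= port <= high else rejected).append((host, port))
    return opened, rejected

if __name__ == "__main__":
    opened, rejected = pinholes_for_session(SAMPLE_CONTROL_LINES)
    print("pinholes opened:", opened)
    print("announcements rejected:", rejected)
```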