PIX 501 - FTP Passive Mode

travis0
Level 1

Hello,

I just bought a new PIX501 to replace an existing linksys NAT box. Behind the NAT box, I run ServU ftp and it's is configured to run passive mode in port range 60000 to 60040. Now, i want to configure the PIX to take care of ftp passive mode, i got as far as the following commands.

access-list FTPonly permit tcp any object-group passive_mode interface outside object-group passive_mode (object-group port range = 60000 - 60040)

static (inside,outside) tcp 444.333.222.1 60000 192.168.5.111 60000 netmask 255.255.255.255 0 0

static (inside,outside) tcp 444.333.222.1 60001 192.168.5.111 60001 netmask 255.255.255.255 0 0 (192.168.5.111 = ftp server)

.......up to port 60040 with static commands.

When i tried to use the PIX, ftp passive mode did not work. What do you think?

plus, is there a command to apply static on range of ports as supposed to single port.

Thanks,

Travis.

3 Replies

turnbull
Level 1

Hi Travis,

The PIX firewall is able to handle passive FTP connections through the 'fixup protocol ftp 21' command which is on by default. The PIX requires an access list and static for connection to the command port of 21 on the server and statics for each of the data ports 60000-60040 (unfortunately, there is no range command for port redirection statics on the 501). The PIX will create a dynamic ACE for the data port in use provided by the PASV response packet.

http://www.ciscopress.com/articles/article.asp?p=24685&rl=1

Cheers,

Paul.

Hi Paul,

object-group service passive_mode tcp

port-object range 60000 60040

access-list FTPonly permit tcp any host 444.333.222.111 eq ftp

access-list FTPonly permit tcp any object-group passive_mode interface outside object-group passive_mode

static (inside,outside) tcp 444.333.222.111 ftp 192.168.5.111 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp 444.333.222.111 60000 192.168.5.111 60000 netmask 255.255.255.255 0 0

static (inside,outside) tcp 444.333.222.111 60001 192.168.5.111 60001 netmask 255.255.255.255 0 0

static (inside,outside) tcp 444.333.222.111 60002 192.168.5.111 60002 netmask 25

....up to 60040 with static commands

access-group FTPonly in interface outside

will the above commands work? how do you write dynamic ACE?

Thanks,

Travis.
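Paul's reply describes two things the thread otherwise leaves abstract: the PIX 501 needs one port-redirection static per passive port because there is no range form of the command, and 'fixup protocol ftp' reads the server's PASV reply (227 Entering Passive Mode (h1,h2,h3,h4,p1,p2), port = p1*256 + p2) and opens a temporary ACE only for that data port. Travis's follow-up asks how that dynamic ACE is written. The Python below is an added illustration, not code from the thread or from Cisco: it generates the 41 static lines for the 60000-60040 range in the PIX 6.x syntax used in the thread, and models the PASV inspection decision so you can see which replies would get a pinhole and which would be refused. The outside address 203.0.113.10 is a placeholder (the 444.333.222.111 used in the thread is not a valid IPv4 address); the inside server address and port range are the ones Travis gives; the sample 227 replies are constructed.

```python
import re

# Constructed values mirroring the thread. 203.0.113.10 is a placeholder for
# the PIX outside address (the thread's 444.333.222.111 is not a valid IPv4
# address); the inside server and passive range are the ones Travis posted.
OUTSIDE_IP = "203.0.113.10"
SERVER_IP = "192.168.5.111"
PASV_RANGE = (60000, 60040)

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed server replies: in range, just out of range, and a reply that
# advertises a different host than the server that sent it.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,5,111,234,96)",   # 234*256+96  = 60000
    "227 Entering Passive Mode (192,168,5,111,234,137)",  # 234*256+137 = 60041
    "227 Entering Passive Mode (10,0,0,5,234,96)",        # another host
]


def port_redirect_statics(outside_ip, inside_ip, port_range):
    """One PIX 6.x port-redirection static per port: the 501 has no range
    form of 'static', so the range has to be expanded line by line."""
    lo, hi = port_range
    return [
        f"static (inside,outside) tcp {outside_ip} {p} {inside_ip} {p} "
        f"netmask 255.255.255.255 0 0"
        for p in range(lo, hi + 1)
    ]


def parse_pasv(line):
    """Return (ip, port) from a 227 reply; raise ValueError on anything else."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {line!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value exceeds one byte in PASV reply: {line!r}")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]          # p1*256 + p2
    return ip, port


def pinhole_for_pasv(line, outside_ip, server_ip, port_range):
    """Model the decision the FTP fixup makes on a PASV reply coming from the
    inside server: open a temporary data-channel ACE only if the advertised
    address is the server itself (the fixup rewrites it to the static's outside
    address) and the port is inside the range covered by the statics and ACL.
    Returns the ACE text that would be opened, or None if nothing is opened."""
    ip, port = parse_pasv(line)
    lo, hi = port_range
    if ip != server_ip:
        return None    # server advertised some other host: refuse the pinhole
    if not lo <= port <= hi:
        return None    # no static for this port, so the data connection fails
    return f"permit tcp any host {outside_ip} eq {port}"


if __name__ == "__main__":
    statics = port_redirect_statics(OUTSIDE_IP, SERVER_IP, PASV_RANGE)
    print("\n".join(statics[:3]))
    print(f"... {len(statics)} statics in total")
    for reply in SAMPLE_REPLIES:
        print(reply, "->", pinhole_for_pasv(reply, OUTSIDE_IP, SERVER_IP, PASV_RANGE))
```

The second sample reply is the practical check worth keeping: a server whose passive range drifts even one port past what the statics and ACL cover will negotiate a data channel the firewall never opens, and the client simply hangs on the directory listing.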

Travis,

In addition to what Paul said, on ServU make sure all your options are checked including the specified PASV port range. In addition, double check this link:

http://rhinosoft.com/KBArticle.asp?RefNo=1044&prod=su

I have used a 515E in front of ServU before...however I did not have to specify static port maps for the PASV range since we had a Public IP just for the FTP server. A static internal/external IP translation took care of all ports destined for it. We only had to open up port 21 and a small range of passive ports in the ACL. I can't vouch for strictly using port mapping on the outside interface such as in your case.

If I re-covered any ground for you, I apologize...just going off your post.

Kyle
