Question : FTPs and Passive FTP not working behind Cisco PIX 515E
I am trying to setup Serv-U Corporate Edition for FTP over SSL behind a Cisco PIX 515E Firewall and I am running into some problems.
First off, I cannot get passive FTP to work (non-SSL). This is an ongoing problem that exists regardless of what FTP server I have used. I have tried opening a specific port range on the firewall and configuring that same range inside of Serv-U and it does not work. Secondly I cannot get FTP over SSL to work even using the standard (non-passive) mode.
I cannot post my entire firewall config for security reasons however I can say that I have the following key lines in place:
fixup protocol ftp 21
...
access-list servers permit tcp any host OUTSIDE_IP_ADDRESS eq ftp
...
static (inside,outside) OUTSIDE_IP_ADDRESS INSIDE_IP_ADDRESS netmask 255.255.255.255 0 0
We are running PIX Version 6.3(5)
Any insight you can give would be greatly appreciated.
Thanks, Jeff
Answer : FTPs and Passive FTP not working behind Cisco PIX 515E
Whoops... re-read that, you want PASV access..
Passive FTP: you need 21 in and >1024 out typically. As you've said, you don't want all of those open, so:
1) Configure the FTP server with a pool of TCP ports that the server uses for passive (PASV) FTP, something like range 5000 to 5999 (1000 ports)
2) Create an ACL for inbound traffic at the outside interface (PIX 6.3 syntax; each entry needs the protocol keyword):
access-list inbound_traffic_in permit tcp any host my_FTP_Server_IP eq ftp
access-list inbound_traffic_in permit tcp any host my_FTP_Server_IP range 5000 5999
3) Apply this acl to your outside interface, for incoming traffic (access-group command)