
Allow ports 21 & 1094 for FTP

Status
Not open for further replies.

TimV

IS-IT--Management
Mar 28, 2002
21
US
I presently use:

access-list fromoutside permit tcp any host xxx.xxx.xxx.46 eq ftp

for allowing ftp clients into my ftp server. That is fine until I use SSL which wants to use port 1094 in addition to port 21.

The FTP session appears to hang from outside the PIX501, but inside obviously works fine.

How do I allow the additional port? Can I combine ports on a single line, or do I need to add a separate line allowing 1094?

Thanks,

Tim
 
Just add the line...

access-list fromoutside permit tcp any host xxx.xxx.xxx.46 eq 1094

Sunyasee B-)
 
HI.

I don't know if this can work because of the following reason:

FTP uses 2 sessions (2 different ports).
The pix inspects (fixup) the FTP commands to know which ports need to be open as needed.
With SSL - The traffic is encrypted so the pix cannot inspect it even if you set the "fixup ftp" command with the port used.
So - maybe it will work (if the server initiates additional sessions and not the client) and maybe not.
If not - try to read more about ftp over ssl behind a firewall.

Bye
Yizhar Hurwitz
 
Yizhar,

It is true that the ftp session still fails.

This is what I have found about ftp ssl behind a firewall:

To connect to an FTP Server that supports SSL and has a NAT address you should use Port Mode on the client. In WS_FTP Pro you need to uncheck the Passive Mode option at the connection screen.

If the FTP Client is using a NAT address:

To connect to an FTP server that supports SSL when your client machine is using a NAT address you should use Passive Mode on the client. In WS_FTP Pro you need to check the Passive Mode option at the connection screen.

If the FTP Server and FTP Client use a NAT address:

When both machines are using a NAT address a data connection cannot be established because the information is being encrypted and the Firewall is unable to decrypt the information.

In most cases the solution will be either to move the ftp server outside of the firewall so that NAT is no longer being performed or to switch to a Firewall that does not perform NAT.
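
Added example (Python, not code from this thread or from Cisco) illustrating the point made in the two posts above: the PIX "fixup ftp" inspection has to read the PORT command (port mode) or the 227 reply (passive mode) from the control channel to learn which address and dynamic port the data connection will use, and once that channel is TLS-encrypted there is nothing for it to parse. Both control-channel captures below are constructed samples.

```python
import re
from typing import List, NamedTuple, Optional

class DataChannel(NamedTuple):
    host: str   # address embedded in the command (rewritten by NAT when it can be read)
    port: int   # dynamic port the firewall must open for the data connection

# FTP encodes address and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_ftp_line(line: str) -> Optional[DataChannel]:
    """Return the data channel a fixup would learn from one control-channel line,
    or None if the line carries no PORT command / 227 reply."""
    if not (line.upper().startswith("PORT ") or line.startswith("227")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(v > 255 for v in octets):
        return None  # malformed, ignore rather than open a bogus hole
    return DataChannel(".".join(map(str, octets[:4])), octets[4] * 256 + octets[5])

def channels_from_control_stream(data: bytes) -> List[DataChannel]:
    """Scan a captured control channel and list every data channel it announces."""
    found = []
    for raw in data.split(b"\r\n"):
        try:
            parsed = parse_ftp_line(raw.decode("ascii"))
        except UnicodeDecodeError:
            continue  # not text: ciphertext gives the inspector nothing to work with
        if parsed:
            found.append(parsed)
    return found

# Constructed sample: a cleartext FTP control channel with one passive and one active setup
CLEARTEXT = (b"USER tim\r\n331 Password required\r\nPASS ****\r\n230 Logged in\r\n"
             b"PASV\r\n227 Entering Passive Mode (192,168,1,46,4,71)\r\n"
             b"PORT 10,0,0,5,19,137\r\n200 PORT command successful\r\n")
# Constructed sample: arbitrary bytes standing in for the same exchange under TLS
ENCRYPTED = bytes(range(256)) * 2

if __name__ == "__main__":
    for ch in channels_from_control_stream(CLEARTEXT):
        print(f"fixup would open tcp/{ch.port} toward {ch.host}")
    print("channels seen in TLS stream:", channels_from_control_stream(ENCRYPTED))
```

The passive reply yields 192.168.1.46:1095, a private address the PIX would also have to rewrite when NATing, which is exactly the step that becomes impossible once the control channel is encrypted.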

 
HI.

If it still does not work, you can try alternate solutions, like:

vpn.

https - with webdav or other solution to allow read and write access. This uses a single TCP connection on single port so it will probably work.

3rd party file transfer/sharing products, for example "ifolder" from novell.

Bye
Yizhar Hurwitz
 