FTP on PIX

Status
Not open for further replies.

gmandg

IS-IT--Management
Sep 1, 2006
3
US
I have a customer that's suggesting we are not allowing encrypted traffic on port 21 for FTP traffic. Is there a way to check and/or configure this?

This is for a PIX 515 Firewall Version 6.0(1)4:1344.

Thanks!
 
The PIX has a problem with ftp over ssl. The PIX does a fixup on the IP and port to allow the traffic through NAT/PAT. With ftp over ssl, the data channel is encrypted (including the TCP/IP headers) so the PIX can't read what's inside and can't do the fixup. The connection is basically trying to get to the internal IP address/negotiated port of the FTP server, not the public IP/translated port that the PIX will change as it passes through.


Brent
Systems Engineer / Consultant
CCNP, CCSP
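
An added illustration, not from the thread and not PIX code, of what an FTP fixup has to do on the control channel and why it has nothing to work with once that channel is wrapped in TLS. The addresses, the sample lines and the names `parse_pasv` and `fixup` are constructed for the example.

```python
import re

# Constructed addresses: internal FTP server and its public (translated) address.
INSIDE_IP = "10.1.1.20"
PUBLIC_IP = "203.0.113.20"

PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def fixup(line, nat=None):
    """Model of an FTP-aware NAT device on the control channel.

    Returns (line_to_forward, pinhole), where pinhole is the (ip, port)
    the device would open for the data connection, or None.
    """
    nat = nat or {INSIDE_IP: PUBLIC_IP}
    parsed = parse_pasv(line)
    if parsed is None:
        return line, None          # not readable as a 227 reply: passed unchanged
    ip, port = parsed
    public = nat.get(ip, ip)
    rewritten = ("227 Entering Passive Mode (%s,%d,%d)\r\n"
                 % (public.replace(".", ","), port >> 8, port & 0xFF)).encode()
    return rewritten, (public, port)

# Constructed control-channel lines.
CLEAR_227 = b"227 Entering Passive Mode (10,1,1,20,195,80)\r\n"
# After AUTH TLS the same reply travels inside a TLS record; the device sees
# only the record header (0x17 = application data) and ciphertext (constructed bytes).
TLS_227 = bytes.fromhex("1703030020") + bytes(range(0x40, 0x60))

if __name__ == "__main__":
    for name, line in (("clear", CLEAR_227), ("tls", TLS_227)):
        out, pinhole = fixup(line)
        print(name, "rewritten" if out != line else "unchanged", pinhole)
```

In the clear-text case the client is told to connect to the public address and a pinhole is known; in the TLS case the reply reaches the client with the inside address still in it and no pinhole is opened.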
 
And in the first note:

Ipswitch also published this

You can disable the ftp fixup, but then either passive or active ftp will fail (I forget which off the top of my head.). I suppose you could make some NAT exemption, but I haven't seen anything work yet.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 