Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ftp ports from outside to inside 2

Status
Not open for further replies.
yowza

yowza

Technical User
Nov 28, 2001
121
US

What is the best way to handle allowing ftp access from the outside to a server behind the Pix? I wanted to ftp a file to a server behind the Pix so I created the ACL on the outside interface and was able to log into the server. When I went to get the file, the connection timed out. So I tried it again. When I looked at the logs, I noticed it was trying to send the data via port 1130 the first time and 1131 the second time. So I created another ACL for 1132 and was able to get the file. As you can see, I don't know too much about ftp protocol or the pix for that matter:)) It seems to me that if you wanted to allow ftp access from the outside to inside you would need to set up some sort of range of ports. I didn't think having a range of unnecessary ports open on the Pix would be a good thing to do.
I would appreciate any explanation, url, article or any other explanation on this. I have spent a couple of hours searching the net for info but haven't really found a good answer.

Thanks,
yowza
 
Sort by date Sort by votes
HI.

You are probably using non-standard port for FTP.
If you are using for example port 21212 for FTP, then you'll need this:
access-list ....
fixup protocol ftp 21212

The fixup command instructs the pix to inspect the traffic on that port for FTP commands and open additional ports as needed - on the fly.

It is also a good idea to protect the FTP access by allowing access only from specific known IP address, or VPN or...
You should also carefully configure permissions on the FTP server and use read-only whenever possible.
An open FTP server is like Open mail relay - it might be used for Warrez or attacks, and hidding it with different port is good idea but is not sufficient protection.


Yizhar Hurwitz
 
Upvote 0 Downvote
Thanks for the responses. I created ACLs for ports 20 and 21. This is not for a ftp server. I just needed to use it to transfer a few large files. It was only a one time thing. I was going from a W2000 box to a unix, Sun Solaris 8 box.

Thanks again, I appreciate the info.

Yowza
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
775
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
642
Johnkite
Johnkite
ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
248
hairlessupportmonkey
hairlessupportmonkey
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
167
kythri
kythri
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
578
nnaarrnn
nnaarrnn

Part and Inventory Search

Sponsor

Back
Top