FTP server behind PIX firewall

ovs8

Technical User
Mar 15, 2004
63
US
Hi there,

I'm planning to set up a Windows 2000 IIS FTP server. We're using IPsec/GRE VPN between our 3 offices with PIX501 and CISCO 1600s.

I can't configure a DMZ zone with our PIX501. So, how do I go about configuring a passive FTP server here, aside from buying a higher PIX model?

If I put this server behind the firewall, which ports do I need to open in addition to the FTP 21?

Thanks a lot,
oleg
 
Port 21 should be fine. Fixup protocol ftp should be on by default.
 
What if I wanted to change the port number 21 to something else for security reasons? I tried that, opening port number 55555 on our PIX and designating it on the FTP server. But clients could not access it, while port 21 worked fine.

We anticipate having just a few FTP clients, so a different port number (other than 21) shouldn't be a problem from the clients' viewpoint.

Thank you,
oleg
 
You'll require the following in your config:

fixup protocol ftp 5555

This tells the PIX to expect FTP traffic on that port, so that when secondary ports are negotiated for the data transfer (depending on whether you're using active or passive FTP), the PIX recognises this as part of the FTP process, and not an external attempt to breach security on the PIX.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
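
The behaviour described in the answer above, as an added example that is not part of the original thread and is not Cisco's implementation: a toy Python model of an FTP-aware firewall that only learns data ports from control channels on ports it has been told to inspect. The class and function names, the addresses and the PASV reply are constructed for illustration.

```python
import re

# Endpoint announcements on the FTP control channel (RFC 959 h1,h2,h3,h4,p1,p2 form).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def parse_endpoint(line):
    """Return (ip, port) announced by a PASV reply or PORT command, else None."""
    m = PASV_RE.match(line) or PORT_RE.match(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet: never open a pinhole for it
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpInspector:
    """Hypothetical model of FTP inspection; inspected_ports plays the role
    of the ports listed in 'fixup protocol ftp <port>' lines."""

    def __init__(self, inspected_ports):
        self.inspected_ports = set(inspected_ports)
        self.pinholes = set()  # (ip, port) data endpoints temporarily allowed

    def control_line(self, server_port, line):
        # Traffic on a port not marked as FTP is passed but never parsed.
        if server_port not in self.inspected_ports:
            return
        endpoint = parse_endpoint(line)
        if endpoint:
            self.pinholes.add(endpoint)

    def allow_data(self, ip, port):
        # A data connection passes only if a control channel announced it.
        if (ip, port) in self.pinholes:
            self.pinholes.discard((ip, port))  # one-shot pinhole
            return True
        return False


def passive_transfer_works(inspected_ports, control_port):
    fw = FtpInspector(inspected_ports)
    # Constructed PASV reply: data port is 195 * 256 + 80 = 50000.
    fw.control_line(control_port, "227 Entering Passive Mode (192,0,2,10,195,80)")
    return fw.allow_data("192.0.2.10", 50000)
```

With only port 21 inspected, a control session on 55555 logs in but the data connection is dropped, which matches the symptom reported in the thread; adding the port to the inspected set lets the transfer through without opening a static range of data ports.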
 