FIXUP actually has nothing to do with NAT ... it deals with packet inspection of the data stream. Unfortunately most businesses require NAT, which even IPSEC is now capable of working through. HTTPS works through it. I don't understand why FTPS can't.

BTW, putting a server outside the firewall that will contain data sensitive enough to require FTPS is not only nuts, it would violate the best practice and DITSCAP/DISA/HIPAA security policies that are requiring FTPS to begin with.
Norris Carden
Rasquel Communications LLC
----- Original Message -----
Sent: Tuesday, March 30, 2004 9:29 AM
Subject: RE: [WS_FTP Forum] FTPS through PIX
Archive available at:
Are you using NAT on both ends or just one? NAT on both ends of the connection along with SSL rarely seems to work. Since you say you are using NOFIXUP it sounds like you're using NAT. Because the connection is encrypted the PIX cannot see the data within the FTP packets and often throws them out as invalid. Put the WS_FTP Server on the outside of your firewall (or don't NAT it). If you have to use a PIX on the server's side of the connection, don't define the service as FTP within the PIX, just define conduits for the required ports 21 & (in your case) 2000 - 2010. Typical recommendation is to use port ranges 1024 to 5000, not just 2000 to 2010.
Pete
Hi, I need help getting FTP/SSL working from a WS_FTP Pro client to a WS_FTP Server through a Cisco PIX. The advice from IPSWITCH and Cisco tech support is apparently incomplete.

Passive and direct connections via clear ftp work, but error 504 occurs after accepting the certificate and negotiating the encryption key.

I already have NO FIXUP on the ftp protocol on port 21 and passive is set to use ports 2000-2010 with port forwarding for those ports on the firewall enabled.
Has anyone documented how to get this to work with a PIX?
Is there an archive to this list somewhere?
Thanks,
Norris Carden
Rasquel Communications LLC