The File Transfer Protocol

File Transfer Protocol (FTP) enables two computers to upload and download data across a network. Although it has been around for a long time, as have Telnet and email, it is considered an advanced protocol because it operates a little differently in the way it uses ports.

FTP uses two main ports: 20 and 21. Port 21 is used for a control connection that carries commands to and from the FTP server. For example, as a user enters FTP commands, the commands are transmitted on port 21. When data must be downloaded, port 20 provides this basic function. FTP comes in two main modes: standard and passive.


If you want to prevent FTP traffic, you need to block only one port. By blocking port 21, you prevent FTP commands from being sent to the normal default FTP servers. Port 20 doesn't need to be blocked because, without the commands, data can't be transferred.

Standard Mode

FTP operates in a couple of modes. In standard mode, the FTP client and the server send commands across a command connection on port 21. In this command connection, the client requests to use a port for uploading or downloading. This request is embedded inside the data portion of a packet sent to the server. Because the ASA monitors source port and destination port headers, this request is missed by ASA. Additionally, as the server initiates the data connection back to the client, the firewall drops the packets because no connection slot is created for this traffic.

Figure 8.1 shows a basic example of a client requesting traffic from an FTP server. In step 1 the client requests to use 3002 as its data port; in step 2 the server starts to make a connection to that port. No connection slot for port 3002 exists, so the packets are dropped.

Figure 8.1. Standard mode FTP.


Passive Mode

The second FTP mode is passive mode, which operates a little differently from standard mode. The command connection still exists using port 21 on the server. However, the data connection on the server doesn't have to use port 20. When data needs to be transmitted, the client asks the server which port it should use. Again, this request is embedded in the data portion of a packet within the command connection traffic. The server sends the port number it wants the client to use, and then the client initiates the data connection to the server. This is the exact opposite of standard mode, in which the server initiates the data connection.

Figure 8.2 is a basic example of passive mode FTP. In step 1 the client and server negotiate which server port will be used to transfer data; then in step 2 the client initiates the data connection to the server. Because the client makes this connection, the ASA creates a connection slot and has no problems allowing traffic to pass back and forth.

Figure 8.2. Passive mode FTP.



It is important that you understand the difference between standard and passive mode. A good way to remember the difference is as follows:

In standard mode the server calls the shots and initiates the data connection. This means clients on the inside have trouble connecting in standard mode.

In passive mode, the server is passive and the client initiates the data connections. This means that passive mode works very well for clients on the inside of the PIX firewall.

The fixup protocol ftp Command

With the possible problems of FTP data connections and the ASA dropping uninitiated traffic, the PIX has a fixup protocol option for FTP that compensates for the FTP traffic. This fixup monitors the embedded data portions of the command connection traffic. When embedded port requests are detected, the PIX dynamically creates connection slots for the necessary ports, allowing the uninitiated traffic to flow. The following is the syntax for the fixup protocol ftp command:

 pixfirewall(config)# fixup protocol ftp <port> [<strict>] 
Table 8.3. fixup protocol ftp Command Options

<port> - This is the port number to monitor for FTP traffic. Typically, this is port 21.

strict - The strict option prevents any embedded FTP commands in HTTP connections. By default, this is allowed.

The following is the command to enable the FTP fixup protocol:

 pixfirewall(config)# fixup protocol ftp 21 
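As an added illustration that is not from the book, the following Python sketch does conceptually what the fixup does: it watches the port-21 control lines, pulls the embedded address out of a client PORT command (standard mode) or a server 227 reply (passive mode), and records the connection slot a stateful firewall would have to open before the data connection arrives. The address encoding is the RFC 959 format; the host addresses, the sample session and the helper names are constructed for this example.

```python
import re
from typing import NamedTuple

# RFC 959 writes a data-connection address as six decimal bytes h1,h2,h3,h4,p1,p2;
# the port is p1*256 + p2, so "11,186" means 11*256 + 186 = 3002.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class Pinhole(NamedTuple):
    mode: str      # "standard": server -> client, "passive": client -> server
    src_ip: str    # side that initiates the data connection
    dst_ip: str
    dst_port: int


def _parse_hostport(text):
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_control_line(sender, line, client_ip, server_ip):
    """Slot implied by one port-21 control line (client PORT or server 227), else None."""
    line = line.strip()
    if sender == "client" and line[:5].upper() == "PORT ":
        parsed = _parse_hostport(line[5:])
        # The address must belong to the peer on the control connection and name an
        # unprivileged port; anything else is refused rather than opened.
        if parsed is None or parsed[0] != client_ip or parsed[1] < 1024:
            return None
        return Pinhole("standard", server_ip, client_ip, parsed[1])
    if sender == "server" and line.startswith("227"):
        parsed = _parse_hostport(line)
        if parsed is None or parsed[0] != server_ip or parsed[1] < 1024:
            return None
        return Pinhole("passive", client_ip, server_ip, parsed[1])
    return None


def pinholes_for_session(session, client_ip, server_ip):
    found = (inspect_control_line(s, l, client_ip, server_ip) for s, l in session)
    return [p for p in found if p is not None]


# Constructed control-channel exchange; the addresses are made up for this example.
SAMPLE_SESSION = [
    ("client", "USER anonymous"),
    ("client", "PORT 10,1,1,5,11,186"),                           # standard mode -> port 3002
    ("server", "227 Entering Passive Mode (192,0,2,10,195,80)"),  # passive mode -> port 50000
    ("client", "PORT 203,0,113,9,11,186"),                        # third-party address: refused
]
```

Run `pinholes_for_session(SAMPLE_SESSION, "10.1.1.5", "192.0.2.10")` to see the two slots the fixup would create and the refused request dropped.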

CSPFA Exam Cram 2 (Exam 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218