Solved

redirect ftp port at PIX506e

Posted on 2004-08-03
Last Modified: 2013-11-16
Hi,
My company is using a PIX firewall 506e, version 6.1. The network configuration is:
Internet-->ADSL router-->PIX-->webserver, ftp server, other pc in the network.

I'm trying to set up the FTP server (using Win2k3 Server's FTP server); this machine's internal IP address is 192.168.0.13.
Currently our company only has 2 public IP addresses, 1 used by the ADSL router and 1 used by the PIX. We don't have proper documentation from the vendor who installed the network and the system, and now it's impossible to contact them.

Here's the configuration file of the PIX at the moment:
-------------------------------------------------------------------------------------------------------------------
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mypix
domain-name company.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip any any
access-list 101 permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xx1 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.0.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.168.0.10 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.0.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 143 192.168.0.10 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 22 192.168.0.10 22 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.9 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
-----------------------------------------------------------------------------------------------------------------
I had tried to add:
static (inside,outside) tcp interface ftp 192.168.0.13 ftp netmask 255.255.255.255 0 0
but FTP is not working.

I tried to access the FTP server internally by typing ftp://ftp_host_name from a PC in the network; it asks me for a user name, and after I supply the password everything's OK.
So I guess the problem lies in the PIX setting.

How do I set up the PIX, and later how would I access the FTP from outside? Is it by the IP address?
Please give me a step by step explanation as I am a newbie at this. thanksssssssssssssssss
Question by:patsu

17 Comments
LVL 36

Expert Comment

by:grblades
ID: 11701620
Adding the following line as you have done should be all that is required.
static (inside,outside) tcp interface ftp 192.168.0.13 ftp netmask 255.255.255.255 0 0

From outside you will need to connect to the external IP address of the PIX, which you have listed as xxx.xxx.xxx.xx1.
If you have a DNS entry pointing to this IP address then you can use that instead.

Expert Comment

by:bluefile
ID: 11702472
Thanks for the reply
1) I had tried to open Internet Explorer and typed ftp://xxx.xxx.xxx.xx1 (from a PC inside the network) but I get the error message: 'windows cannot open this folder, make sure u have typed the file name correctly or have the permission'

2) How do I know that I have a DNS entry pointing to this IP address? As you can see in the PIX configuration, we also have a webserver. If I'm not wrong, the PIX also redirects HTTP requests to this particular webserver. We can access our website by using www.mycompany.com. Does it mean from outside I can use ftp://mycompany.com?

3) After I did the configuration at the PIX, I used write memory to save it to the flash memory. If I type show config, I can see the new static command for the FTP there. This means that the command is inside, right?
Any other possible command that I need to add? How about the aaa??
thankssss


LVL 36

Expert Comment

by:grblades
ID: 11702512
1) You will probably only be able to use ftp://xxx.xxx.xxx.xx1 from outside the network. From inside you will have to use its internal IP address.

2) You will be able to use ftp://www.mycompany.com. Whoever manages your DNS will be able to set up ftp.mycompany.com if you would prefer to use that or any other address.

3) As soon as you entered the static command it should have started working. Writing to flash will ensure that after the PIX is rebooted (power cut etc...) the new configuration will be loaded automatically. Normally the only extra thing you need to do is enable incoming FTP connections, but you have already got everything enabled. There is nothing else you need to do.

Author Comment

by:patsu
ID: 11711772
1) You mean I can't test it from inside using the public IP address?

thanks..
LVL 36

Expert Comment

by:grblades
ID: 11712991
Yes, that's correct. One limitation of the PIX is that it will not allow a packet to go in and out of the same interface.
This limitation means that when you access the Internet-side IP address it effectively is going to the Internet interface of the PIX, and it won't allow the packet to come back in again through NAT to the server.
I normally have a DNS server inside the company which, for ftp.mycompany.com, issues the internal address of the server, so all users use ftp.mycompany.com and it works seamlessly wherever they are.
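The static that grblades confirmed in his first comment and the same-interface limitation he describes in this one can both be seen in a small model. This is an added example, not code from the thread or from Cisco: it parses the statics out of the posted config (copied here as constructed sample input, with the ftp static the asker added), translates an inbound connection the way the PIX does depending on which interface the packet arrives on, and shows why the split-DNS arrangement makes the same name work from both sides. The two DNS zones, the name ftp.mycompany.com as the FTP server's name, and the audit checks at the end are the example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the NAT-related lines of the PIX 6.1(2) config posted in
# the question, plus the ftp static the asker added. xxx.xxx.xxx.xx1 is the masked
# outside address exactly as the post gives it.
OUTSIDE_ADDR = "xxx.xxx.xxx.xx1"
SAMPLE_CONFIG = """\
access-list 101 permit ip any any
access-list 101 permit icmp any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.0.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.168.0.10 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.0.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 143 192.168.0.10 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 22 192.168.0.10 22 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.0.13 ftp netmask 255.255.255.255 0 0
access-group 101 in interface outside
snmp-server community public
"""

# Service keywords that PIX 6.x accepts in place of port numbers (those used above).
PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}

# static (real_if,mapped_if) proto mapped_ip mapped_port real_ip real_port netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")


@dataclass(frozen=True)
class PortForward:
    proto: str
    mapped_if: str   # interface whose own address is being translated ("outside")
    mapped_port: int
    real_ip: str
    real_port: int


def port_number(token: str) -> int:
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_statics(config: str) -> list[PortForward]:
    """Collect the port-forwarding statics from a PIX 6.x config."""
    forwards = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            _real_if, mapped_if, proto, _mapped_ip, mapped_port, real_ip, real_port = m.groups()
            forwards.append(PortForward(proto, mapped_if, port_number(mapped_port),
                                        real_ip, port_number(real_port)))
    return forwards


def translate(forwards, arriving_if: str, proto: str, port: int):
    """Destination for a packet sent to <interface address>:port, or None if it is dropped.

    A static is consulted only for packets arriving on its mapped interface. An inside
    host connecting to the outside address arrives on 'inside', so nothing matches: the
    PIX will not turn the packet around and send it back out the same interface."""
    for f in forwards:
        if f.mapped_if == arriving_if and f.proto == proto and f.mapped_port == port:
            return (f.real_ip, f.real_port)
    return None


# Constructed zones for the split-DNS arrangement: the public zone points at the PIX,
# an internal resolver hands inside clients the server's real address.
PUBLIC_ZONE = {"ftp.mycompany.com": OUTSIDE_ADDR}
INTERNAL_ZONE = {"ftp.mycompany.com": "192.168.0.13"}


def ftp_target(forwards, client_if: str, split_dns: bool = True):
    """Where an ftp connection to ftp.mycompany.com ends up for a client on client_if."""
    zone = INTERNAL_ZONE if (split_dns and client_if == "inside") else PUBLIC_ZONE
    ip = zone["ftp.mycompany.com"]
    if ip == OUTSIDE_ADDR:              # addressed to the PIX itself: NAT decides
        return translate(forwards, client_if, "tcp", 21)
    return (ip, 21)                      # addressed directly to the server


def audit(config: str) -> list[str]:
    """Defender-side read of the posted config: what is exposed and how widely."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    open_acls = {l.split()[1] for l in lines if re.match(r"^access-list \S+ permit ip any any$", l)}
    for l in lines:
        m = re.match(r"^access-group (\S+) in interface (\S+)$", l)
        if m and m.group(2) == "outside" and m.group(1) in open_acls:
            findings.append(f"ACL {m.group(1)} on outside permits ip any any: "
                            f"every static below is reachable from any source")
    for f in parse_statics(config):
        findings.append(f"exposed {f.proto}/{f.mapped_port} on {f.mapped_if} -> {f.real_ip}:{f.real_port}")
    if "snmp-server community public" in lines:
        findings.append("SNMP community is the default 'public'")
    return findings


if __name__ == "__main__":
    fw = parse_statics(SAMPLE_CONFIG)
    print("from outside:", ftp_target(fw, "outside"))
    print("from inside, no split DNS:", ftp_target(fw, "inside", split_dns=False))
    print("from inside, split DNS:", ftp_target(fw, "inside"))
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run without split DNS, the inside client resolves the public address, arrives on the inside interface, matches no static and gets nothing back, which is the symptom bluefile reported with Internet Explorer. The audit is there because the posted ACL 101 is applied inbound on the outside interface, so every static, the new ftp one included, is reachable from any source; that is what grblades means by "you have already got everything enabled".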

Author Comment

by:patsu
ID: 11713546
2) Just to confirm: currently, outside users are able to access it by using ftp://www.mycompany.com and inside users by using the host name or the internal IP address, and if I want to make them use ftp://mycompany.com, I will need to set it in the DNS server?

4) How do I set it in the DNS server? Where is the DNS server usually? Is it in the web server machine?

Just out of curiosity, I want to compare the use of VPN and FTP for my mobile colleague to access our file server from outside the office. Do you know anything about this? I want to compare the setup process and the security. If you don't know, do you know where I should post this question?

thanks a lottttt... =)
LVL 36

Expert Comment

by:grblades
ID: 11713652
2) Yes, if you want to make outside users use ftp://mycompany.com, you will need to add it to the DNS. If you want internal users to be able to use the same URL, you will need to set up a DNS server for all internal users to use.

4) It depends. Commonly the registrar you registered your domain with manages and hosts the DNS for you. They often have a web based admin interface to change the DNS values.

VPN access to the file server will be a lot more secure. The problem with ftp is that the username/password is not encrypted so if you go somewhere and access your server anyone on the network could sniff the network traffic and discover your username/password.
The Cisco VPN client is fairly easy to install and I use it myself.

Author Comment

by:patsu
ID: 11722747
Hi thanks for the answer..
1) So the disadvantage of using FTP in this case is just the username and password, right?
2) Do you mind explaining what items I need to set up for the VPN? I will double the points for you at the end since it's 2 different topics now. Please explain step by step coz I have no idea what to do. Never used VPN before =)

a) Our main office (where I am located) is using a PIX firewall 506E. What do I need to do at this site? Like what settings/configuration for the PIX and for the file server?
b) What do I need to do at the mobile laptop site for the users to access when they are out of office?
c) What do I need to do at our branch office overseas to access our file server? They should be using a LAN there as well. What hardware/network configuration should I ensure to be available there?

THANKS!
LVL 36

Expert Comment

by:grblades
ID: 11723957
1) Yes basically. A VPN makes it look as if you are directly connected to the remote network via a router with all the data being encrypted. A VPN will slow down traffic by approx 10-15% because the VPN packets are larger.

2a) Shown below is some configuration you can cut and paste into your PIX :)

!--- Implicitly permit VPN users to access all internal machines.
!--- This command must be present.
sysopt connection permit-ipsec
!--- Define a transform set using DES encryption and MD5 authentication
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
!--- IPSEC applies to outside interface
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Define a split-tunnel ACL so that all traffic to these addresses is sent across the VPN.
!--- All other traffic is sent across the Internet normally.
access-list splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
!--- Define address pools for the vpn user groups
ip local pool staffpool 192.168.100.1-192.168.100.254
!--- Don't perform NAT between internal machines and VPN users
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
!--- Staff group used by staff members to connect to LAN and transfer files.
vpngroup groupstaff address-pool staffpool
!--- We want staff to be able to access our internal DNS and WINS server to resolve machine names
vpngroup groupstaff dns-server 192.168.0.whatever
vpngroup groupstaff wins-server 192.168.0.whatever
vpngroup groupstaff default-domain mydomain.com
vpngroup groupstaff split-tunnel splitTunnelAcl
!--- Use our internal DNS server for looking up our machines but let the client use its normal
!--- DNS server for other sites.
vpngroup groupstaff split-dns mydomain.com
vpngroup groupstaff idle-time 1800
vpngroup groupstaff password putyourpasswordhere

b) Just install the Cisco VPN client that came with the PIX 501 and configure it with the server, group name and password. All the users then need to do is connect and they can access your internal servers. My configuration above included split tunneling and split DNS so that users can access the Internet at the same time as being connected to your network. You can turn this off if you want.

c) The best approach would be to get a PIX for the remote site and configure a fixed VPN between the two PIX firewalls. I haven't done this myself but there are lots of examples on the Cisco website here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
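An added check for the snippet above; this is not part of grblades' comment or of Cisco's documentation. It reads the posted commands (copied here as constructed input, without the !--- comments and without the dns-server/wins-server lines whose addresses the post leaves as "whatever") and verifies the two relationships that most often break a setup of this kind: that the nat 0 exemption ACL covers the whole address pool the vpngroup hands out, and that the split-tunnel ACL resolves to the inside network. It also lists the transform-set and ISAKMP policy choices (DES, MD5, Diffie-Hellman group 1) that were usual in 2004 but are considered weak today. The function names are the example's own.

```python
import ipaddress
import re

# Constructed sample input: the remote-access VPN commands from the comment above, with
# the !--- comments removed and the dns/wins "whatever" lines left out.
VPN_SNIPPET = """\
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
access-list splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
ip local pool staffpool 192.168.100.1-192.168.100.254
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup groupstaff address-pool staffpool
vpngroup groupstaff split-tunnel splitTunnelAcl
vpngroup groupstaff idle-time 1800
vpngroup groupstaff password putyourpasswordhere
"""

ADDR = r"(any|\S+ \S+)"                       # "any" or "network mask"
ACL_RE = re.compile(rf"^access-list (\S+) permit ip {ADDR} {ADDR}$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")

# Algorithm choices in the posted policy that no longer meet current expectations.
WEAK_ESP = {"esp-des": "single DES, 56-bit key", "esp-md5-hmac": "HMAC-MD5 integrity"}
WEAK_ISAKMP = {("encryption", "des"): "single DES, 56-bit key",
               ("hash", "md5"): "MD5 hash",
               ("group", "1"): "768-bit Diffie-Hellman group"}


def to_network(token: str) -> ipaddress.IPv4Network:
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_entries(cfg: str, name: str):
    """(source, destination) network pairs of the named 'permit ip' ACL."""
    return [(to_network(m.group(2)), to_network(m.group(3)))
            for m in map(ACL_RE.match, cfg.splitlines()) if m and m.group(1) == name]


def vpngroup_attr(cfg: str, group: str, attr: str):
    for words in map(str.split, cfg.splitlines()):
        if words[:3] == ["vpngroup", group, attr]:
            return words[3]
    return None


def pool_range(cfg: str, name: str):
    for m in map(POOL_RE.match, cfg.splitlines()):
        if m and m.group(1) == name:
            return ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
    return None


def nat_exemption_covers_pool(cfg: str, group: str) -> bool:
    """True when the 'nat (inside) 0' ACL exempts the whole pool the group is given.
    Otherwise inside hosts answering VPN clients would be translated like any other
    outbound traffic and the replies would never match the tunnel."""
    pool = pool_range(cfg, vpngroup_attr(cfg, group, "address-pool") or "")
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", cfg, re.M)
    if pool is None or m is None:
        return False
    first, last = pool
    return any(first in dst and last in dst for _src, dst in acl_entries(cfg, m.group(1)))


def split_tunnel_networks(cfg: str, group: str):
    """Destination networks that clients of the group send through the tunnel."""
    acl = vpngroup_attr(cfg, group, "split-tunnel")
    return [src for src, _dst in acl_entries(cfg, acl)] if acl else []


def weak_crypto(cfg: str) -> list[str]:
    """Flag transform-set and ISAKMP policy choices that are considered weak today."""
    findings = []
    for words in map(str.split, cfg.splitlines()):
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"transform-set {words[3]}: {t} ({WEAK_ESP[t]})" for t in words[4:] if t in WEAK_ESP]
        elif words[:2] == ["isakmp", "policy"] and len(words) >= 5 and (words[3], words[4]) in WEAK_ISAKMP:
            findings.append(f"isakmp policy {words[2]}: {words[3]} {words[4]} ({WEAK_ISAKMP[(words[3], words[4])]})")
    return findings


if __name__ == "__main__":
    print("nat 0 covers pool:", nat_exemption_covers_pool(VPN_SNIPPET, "groupstaff"))
    print("split-tunnel networks:", [str(n) for n in split_tunnel_networks(VPN_SNIPPET, "groupstaff")])
    print("\n".join(weak_crypto(VPN_SNIPPET)))
```

The pool check is the one worth keeping around: if the pool is later moved to another range but the nat 0 ACL is not, the tunnel comes up and nothing inside answers, which is hard to tell apart from a client-side fault.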

Author Comment

by:patsu
ID: 11732449
Hi, thanks for your answer. However I'm away from the office now and won't be back until sometime next week (maybe Wed/Thurs), so I'll give your solution a try by then. I hope you don't mind waiting.

In the meantime, I want to ask the following. Please bear with my questions; I think they sound stupid but I really have no idea regarding this, so I'll just shoot.
1) How do I install the VPN client? I need to install it at the main office, right?
2) How do users connect from outside? What do they need to set up at the mobile laptop?
LVL 36

Expert Comment

by:grblades
ID: 11733438
1) You just log into the notebook as someone with administrator rights on it and run the installation program.

2) They have to connect to the internet and then run the vpn client. The vpn client has to be configured where to connect to but you will set this up after you install it.

Author Comment

by:patsu
ID: 11733468
Hi,
I am now unsure whether my PIX has the VPN client included, coz I can't find the installation program. Mine is a PIX 506e and I've been going through lots of documents about it, but I still don't know whether the VPN client is included.
If not included, how can I get it? Or is there any other way to connect besides the VPN client?
LVL 36

Accepted Solution

by:
grblades earned 100 total points
ID: 11733546
If it does not come with it you can buy a media CD from Cisco.

Author Comment

by:patsu
ID: 11817731
Hi, sorry for the delay. I can't do much with the solution now, so I'll just award you the points first. Thanks for your help!!

Author Comment

by:patsu
ID: 11817743
I have tried to increase the points, but it still shows as 100 points.
LVL 36

Expert Comment

by:grblades
ID: 11818172
If you wish you can post a topic called 'Points for grblades' and post the URL to it here and then accept my answer when I reply to it.
This is the standard way of awarding extra points when you have a problem increasing them as you did.

Thanks
Gareth

Author Comment

by:patsu
ID: 11818259