redirect ftp port at PIX506e

Posted on 2004-08-03
Medium Priority
Last Modified: 2013-11-16
My company is using a PIX 506e firewall, version 6.1. The network configuration is:
Internet-->ADSL router-->PIX-->web server, FTP server, other PCs in the network.

I'm trying to set up the FTP server (using Windows Server 2003's FTP server); this machine's internal IP address is
Currently our company only has 2 public IP addresses, 1 used by the ADSL router and 1 used by the PIX. We don't have proper documentation from the vendor who installed the network and the system, and now it's impossible to contact them.

Here's the configuration file of the PIX at the moment:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mypix
domain-name company.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
access-list 101 permit ip any any
access-list 101 permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xx1
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface smtp smtp netmask 0 0
static (inside,outside) tcp interface pop3 pop3 netmask 0 0
static (inside,outside) tcp interface domain domain netmask 0 0
static (inside,outside) udp interface domain domain netmask 0 0
static (inside,outside) tcp interface 143 143 netmask 0 0
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface 22 22 netmask 0 0
access-group 101 in interface outside
access-group 101 in interface inside
route outside xxx.xxx.xxx.xx2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
I tried to add:
static (inside,outside) tcp interface ftp ftp netmask 0 0
but FTP is not working.

I tried to access the FTP server internally by typing ftp://ftp_host_name from a PC in the network; it asks me for a user name, and after I supply the password everything's OK.
So I guess the problem lies in the PIX settings.

How do I set up the PIX, and afterwards how would I access the FTP server from outside? Is it by the IP address?
Please give me a step-by-step explanation as I am a newbie at this. Thanks!
Question by:patsu
LVL 36

Expert Comment

ID: 11701620
Adding the following line, as you have done, should be all that is required.
static (inside,outside) tcp interface ftp ftp netmask 0 0

From outside you will need to connect to the external IP address of the PIX, which you have listed as xxx.xxx.xxx.xx1.
If you have a DNS entry pointing to this IP address then you can use that instead.
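The reason a single port-21 static is enough is the `fixup protocol ftp 21` line already present in the posted config: the PIX inspects the FTP control channel, rewrites the private address the server embeds in its passive-mode `227` reply to the outside address, and opens the data connection dynamically. Without that inspection the client would try to connect to the server's private address and the transfer would hang after login. The following is an added example, not PIX code and not part of this thread, that models that rewrite in Python. The inside server address 192.168.0.10 and outside address 203.0.113.1 are assumptions standing in for the values the page masks; the model keeps the data port unchanged, whereas a PIX doing interface PAT may translate the port as well.

```python
"""Model of what the PIX 'fixup protocol ftp 21' inspection does for FTP
behind a port-21 static (added example; not the PIX implementation)."""
import re
from dataclasses import dataclass, field

# Assumed addresses: the page masks both the inside server and the PIX outside IP.
INSIDE_SERVER = "192.168.0.10"
OUTSIDE_ADDR = "203.0.113.1"

# h1,h2,h3,h4,p1,p2 tuple used by the PORT command and the 227 reply
TUPLE_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(h1, h2, h3, h4, p1, p2):
    """Turn the h1,h2,h3,h4,p1,p2 form into (ip, port); port = p1*256 + p2."""
    return f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2)


def encode_hostport(addr, port):
    """Inverse of decode_hostport."""
    return ",".join(addr.split(".") + [str(port // 256), str(port % 256)])


def client_data_target(reply_227):
    """Where an FTP client opens its data connection after a given 227 reply."""
    m = TUPLE_RE.search(reply_227)
    return decode_hostport(*m.groups()) if m else None


@dataclass
class FtpFixup:
    inside_server: str
    outside_addr: str
    # dynamic permits the firewall opens for data connections: (direction, ip, port)
    pinholes: list = field(default_factory=list)

    def server_to_client(self, line):
        """Rewrite a passive-mode 227 reply from the inside server."""
        if not line.startswith("227"):
            return line
        m = TUPLE_RE.search(line)
        if not m:
            return line
        host, port = decode_hostport(*m.groups())
        if host != self.inside_server:
            return line  # embedded address is not one we translate
        # The client will connect to outside_addr:port; forward that to inside_server:port.
        self.pinholes.append(("inbound", self.outside_addr, port))
        return line[:m.start()] + encode_hostport(self.outside_addr, port) + line[m.end():]

    def client_to_server(self, line):
        """Active mode: the client names its own address in PORT and the server
        connects outbound from port 20; record the data connection to expect."""
        if not line.startswith("PORT "):
            return line
        m = TUPLE_RE.search(line)
        host, port = decode_hostport(*m.groups())
        self.pinholes.append(("outbound", host, port))
        return line


def demo():
    """Run one constructed passive-mode exchange through the model."""
    fx = FtpFixup(INSIDE_SERVER, OUTSIDE_ADDR)
    raw = "227 Entering Passive Mode (192,168,0,10,19,136)"
    rewritten = fx.server_to_client(raw)
    return raw, rewritten, client_data_target(raw), client_data_target(rewritten), fx.pinholes


if __name__ == "__main__":
    raw, rewritten, before, after, pinholes = demo()
    print("server sent :", raw, "-> client would connect to", before)
    print("client sees :", rewritten, "-> client connects to", after)
    print("pinholes    :", pinholes)
```

The `client_data_target` of the raw reply is the private address, which is unreachable from the Internet; after the rewrite it is the PIX outside address on the same port, and the recorded pinhole is what lets that inbound data connection through even though no static exists for port 5000.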

Author Comment

ID: 11702472
Thanks for the reply.
1) I tried to open Internet Explorer and typed ftp://xxx.xxx.xxx.xx1 (from a PC inside the network), but I get the error message: 'Windows cannot open this folder. Make sure you have typed the file name correctly or have the permission.'

2) How do I know that I have a DNS entry pointing to this IP address? As you can see in the PIX configuration, we also have a web server. If I'm not wrong, the PIX also redirects HTTP requests to this particular web server. We can access our website using www.mycompany.com. Does it mean that from outside I can use ftp://mycompany.com?

3) After I did the configuration at the PIX, I used write memory to save it to the flash memory. If I type show config, I can see the new static command for FTP there. This means that the command is in place, right?
Are there any other commands that I need to add? How about the aaa?

LVL 36

Expert Comment

ID: 11702512
1) You will probably only be able to use ftp://xxx.xxx.xxx.xx1 from outside the network. From inside you will have to use its internal IP address.

2) You will be able to use ftp://www.mycompany.com. Whoever manages your DNS will be able to set up ftp.mycompany.com if you would prefer to use that or any other address.

3) As soon as you entered the static command it should have started working. Writing to flash will ensure that after the PIX is rebooted (power cut etc.) the new configuration will be loaded automatically. Normally the only extra thing you need to do is enable incoming FTP connections, but you have already got everything enabled. There is nothing else you need to do.

Author Comment

ID: 11711772
1) You mean I can't test it from inside using the public IP address?

LVL 36

Expert Comment

ID: 11712991
Yes, that's correct. One limitation of the PIX is that it will not allow a packet to go in and out of the same interface.
This limitation means that when you access the Internet-side IP address it effectively is going to the Internet interface of the PIX, and it won't allow the packet to come back in again through NAT to the server.
I normally have a DNS server inside the company which, for ftp.mycompany.com, issues the internal address of the server, so all users use ftp.mycompany.com and it works seamlessly wherever they are.

Author Comment

ID: 11713546
2) Just to confirm: currently, outside users are able to access it using ftp://www.mycompany.com and inside users using the host name or the internal IP address, and if I want them to use ftp://mycompany.com, I will need to set it in the DNS server?

4) How do I set it in the DNS server? Where is the DNS server usually? Is it on the web server machine?

Just out of curiosity, I want to compare the use of VPN and FTP for my mobile colleagues to access our file server from outside the office. Do you know anything about this? I want to compare the setup process and the security. If you don't know, do you know where I should post this question?

Thanks a lot... =)
LVL 36

Expert Comment

ID: 11713652
2) Yes if you want to make outside users use ftp://mycompany.com you will need to add it to the DNS. If you want internal users to be able to use the same URL you will need to setup a DNS server for all internal users to use.

4) It depends. Commonly the registrar you registered your domain with manages and hosts the DNS for you. They often have a web based admin interface to change the DNS values.

VPN access to the file server will be a lot more secure. The problem with ftp is that the username/password is not encrypted so if you go somewhere and access your server anyone on the network could sniff the network traffic and discover your username/password.
The Cisco VPN client is fairly easy to install and I use it myself.
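The sniffing risk described above is concrete: the FTP control channel carries `USER` and `PASS` as plain text, so anyone on the path (the hotel LAN, the Wi-Fi hotspot, an upstream ISP) can read the credentials and also learn whether the login succeeded. The following is an added example, not part of this thread, showing the extraction an observer (or a detection engineer auditing their own network) would run over a captured control channel. The capture is constructed in a tcpflow-like text form; the client address 198.51.100.7 and the PIX outside address 203.0.113.1 are assumptions.

```python
"""Extract FTP credentials and login outcome from a captured control channel
(added example; the capture below is constructed, not a real recording)."""
import re

# Constructed capture: "src:port > dst:port <line>" per control-channel line.
# Addresses are assumptions (roaming client and the PIX outside address).
CAPTURE = """\
198.51.100.7:1045 > 203.0.113.1:21 USER alice
203.0.113.1:21 > 198.51.100.7:1045 331 Password required for alice.
198.51.100.7:1045 > 203.0.113.1:21 PASS s3cret!
203.0.113.1:21 > 198.51.100.7:1045 230 User alice logged in.
198.51.100.7:1046 > 203.0.113.1:21 USER bob
203.0.113.1:21 > 198.51.100.7:1046 331 Password required for bob.
198.51.100.7:1046 > 203.0.113.1:21 PASS wrong
203.0.113.1:21 > 198.51.100.7:1046 530 User cannot log in.
"""

LINE_RE = re.compile(r"^(\S+:\d+) > (\S+:\d+) (.*)$")


def extract_credentials(capture, server_port=21):
    """Return one record per login attempt: client, server, user, password, result.

    Sessions are keyed by (client, server) so interleaved connections are kept
    apart; a PASS is only reported once the server answers 230 or 530.
    """
    sessions = {}  # (client, server) -> {"user": ..., "password": ...}
    results = []
    for raw in capture.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        src, dst, text = m.groups()
        from_server = src.endswith(f":{server_port}")
        key = (dst, src) if from_server else (src, dst)
        st = sessions.setdefault(key, {"user": None, "password": None})
        if from_server:
            code = text[:3]
            if st["password"] is not None and code in ("230", "530"):
                results.append({
                    "client": key[0], "server": key[1],
                    "user": st["user"], "password": st["password"],
                    "result": "success" if code == "230" else "failure",
                })
                st["password"] = None  # the next PASS is a new attempt
        else:
            cmd, _, arg = text.partition(" ")
            if cmd.upper() == "USER":
                st["user"] = arg
            elif cmd.upper() == "PASS":
                st["password"] = arg
    return results


if __name__ == "__main__":
    for rec in extract_credentials(CAPTURE):
        print(f"{rec['client']} -> {rec['server']}: {rec['user']}/{rec['password']} ({rec['result']})")
```

The same observer watching an IPsec tunnel sees only ESP packets between the laptop and the PIX outside address; the FTP or SMB login inside the tunnel is not visible, which is the difference the expert is pointing at.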

Author Comment

ID: 11722747
Hi, thanks for the answer.
1) So the disadvantage of using FTP in this case is just the username and password, right?
2) Do you mind explaining what items I need to set up for the VPN? I will double the points for you at the end since it's 2 different topics now. Please explain step by step because I have no idea what to do; I've never used a VPN before. =)

a) Our main office (where I am located) is using a PIX 506E firewall. What do I need to do at this site, like what settings/configuration for the PIX and for the file server?
b) What do I need to do at the mobile laptop side for the users to access it when they are out of the office?
c) What do I need to do at our branch office overseas to access our file server? They should be using a LAN there as well. What hardware/network configuration should I ensure is available there?

LVL 36

Expert Comment

ID: 11723957
1) Yes basically. A VPN makes it look as if you are directly connected to the remote network via a router with all the data being encrypted. A VPN will slow down traffic by approx 10-15% because the VPN packets are larger.

2a) Shown below is some configuration you can cut and paste into your PIX :)

!--- Implicitly permit VPN users to access all internal machines.
!--- This command must be present.
sysopt connection permit-ipsec
!--- Define a transform set using DES encryption and MD5 authentication
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
!--- IPSEC applies to outside interface
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Define a split-tunnel ACL so that all traffic to these addresses are sent across the VPN.
!--- All other traffic is sent across the Internet normally.
access-list splitTunnelAcl permit ip any
!--- Define address pools for the vpn user groups
ip local pool staffpool
!--- Don't perform NAT between internal machines and VPN users
access-list inside_outbound_nat0_acl permit ip
nat (inside) 0 access-list inside_outbound_nat0_acl
!--- Staff group used by staff members to connect to LAN and transfer files.
vpngroup groupstaff address-pool staffpool
!--- We want staff to be able to access our internal DNS and WINS server to resolve machine names
vpngroup groupstaff dns-server 192.168.0.whatever
vpngroup groupstaff wins-server 192.168.0.whatever
vpngroup groupstaff default-domain mydomain.com
vpngroup groupstaff split-tunnel splitTunnelAcl
!--- Use our internal DNS server for looking up our machines but let the client use its normal
!--- DNS server for other sites.
vpngroup groupstaff split-dns mydomain.com
vpngroup groupstaff idle-time 1800
vpngroup groupstaff password putyourpasswordhere

b) Just install the Cisco VPN client that came with the PIX 501 and configure it with the server, group name and password. All the users then need to do is connect and they can access your internal servers. My configuration above included split tunneling and split DNS so that users can access the Internet at the same time as being connected to your network. You can turn this off if you want.

c) The best approach would be to get a PIX for the remote site and configure a fixed VPN between the two PIX firewalls. I haven't done this myself but there are lots of examples on the Cisco website here:-
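The fragment above uses the weakest settings PIX 6.1 offers for IKE and IPsec (single DES, MD5 and 768-bit DH group 1), and the original config earlier in the thread has its own issues worth catching before the firewall is exposed further: the `enable password` and `passwd` hashes are the well-known hash of the factory default `cisco`, the SNMP community is the default `public`, and `access-list 101 permit ip any any` applied inbound on the outside interface exposes every static to any source (and shadows the `permit icmp` entry after it). The following is an added example, not a Cisco tool and not part of this thread: a small Python lint that reads a PIX 6.x config and reports those findings, plus the page's core point that an FTP static needs `fixup protocol ftp`. The sample config is constructed from the two configs posted here, with the addresses the page masks filled in as assumptions.

```python
"""Lint a PIX 6.x configuration for the weak settings seen in this thread
(added example; not a Cisco tool)."""
import re

# Constructed from the configs posted in the thread. Masked values are filled
# in as assumptions: outside 203.0.113.1, FTP server 192.168.0.10, web 192.168.0.20.
SAMPLE_CONFIG = """\
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
fixup protocol ftp 21
access-list 101 permit ip any any
access-list 101 permit icmp any any
ip address outside 203.0.113.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
static (inside,outside) tcp interface ftp 192.168.0.10 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.20 www netmask 255.255.255.255 0 0
access-group 101 in interface outside
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""

# Line-level rules: (regex, severity, message)
RULES = [
    (r"^(enable password|passwd) 2KFQnbNIdI\.2KYOU encrypted$", "high",
     "password is the well-known hash of the factory default 'cisco'"),
    (r"^snmp-server community (public|private)$", "high",
     "default SNMP community string; set a random one or remove SNMP"),
    (r"^isakmp policy \d+ encryption des$", "high",
     "IKE policy uses single DES; use 3des"),
    (r"^isakmp policy \d+ hash md5$", "medium",
     "IKE policy uses MD5; use sha"),
    (r"^isakmp policy \d+ group 1$", "medium",
     "IKE uses 768-bit DH group 1; use group 2 at least"),
    (r"^crypto ipsec transform-set \S+ .*\besp-des\b", "high",
     "IPsec transform set uses single DES; use esp-3des"),
]


def lint(config_text):
    """Return sorted (line_no, severity, message) findings for a PIX config."""
    findings = []
    catch_all = {}   # acl name -> line number of its 'permit ip any any'
    statics = []     # (line_no, service) for tcp port statics
    fixups = set()
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        for pat, sev, msg in RULES:
            if re.match(pat, line):
                findings.append((no, sev, msg))
        m = re.match(r"^fixup protocol (\S+) \d+$", line)
        if m:
            fixups.add(m.group(1))
        m = re.match(r"^static \(inside,outside\) tcp \S+ (\S+) ", line)
        if m:
            statics.append((no, m.group(1)))
        m = re.match(r"^access-list (\S+) (permit|deny) (.*)$", line)
        if m:
            name, _, rest = m.groups()
            if name in catch_all:   # ACLs are evaluated top-down, so this entry never matches
                findings.append((no, "low", f"ACL {name}: entry is unreachable, shadowed by line {catch_all[name]}"))
            elif rest == "ip any any":
                catch_all[name] = no
        m = re.match(r"^access-group (\S+) in interface outside$", line)
        if m and m.group(1) in catch_all:
            findings.append((no, "high", f"ACL {m.group(1)} applied inbound on outside permits any source to every static"))
    # A port-21 static only works together with the FTP inspection engine.
    for no, svc in statics:
        if svc == "ftp" and "ftp" not in fixups:
            findings.append((no, "high", "FTP static without 'fixup protocol ftp': data channel will fail"))
    return sorted(findings)


if __name__ == "__main__":
    for no, sev, msg in lint(SAMPLE_CONFIG):
        print(f"line {no:>3} [{sev}] {msg}")
```

Run it against `show config` output rather than the typed-in version: the defaults the PIX adds silently (the password hashes, the SNMP community) are exactly the lines people forget they have.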

Author Comment

ID: 11732449
Hi, thanks for your answer. However, I'm away from the office now and won't be back until sometime next week (maybe Wed/Thu), so I'll give your solution a try then. I hope you don't mind waiting.

In the meantime, I want to ask the following. Please bear with my questions; I think they sound stupid, but I really have no idea regarding this, so I'll just shoot.
1) How do I install the VPN client? I need to install it at the main office, right?
2) How do users connect from outside? What do they need to set up on the mobile laptop?
LVL 36

Expert Comment

ID: 11733438
1) You just log into the notebook as someone with administrator rights on it and run the installation program.

2) They have to connect to the Internet and then run the VPN client. The VPN client has to be configured with where to connect to, but you will set this up after you install it.

Author Comment

ID: 11733468
I'm now unsure whether my PIX has the VPN client included, because I can't find the installation program. Mine is a PIX 506e and I've been going through lots of documents about it, but I still don't know whether the VPN client is included.
If it's not included, how can I get it? Or is there any other way to connect besides the VPN client?
LVL 36

Accepted Solution

grblades earned 400 total points
ID: 11733546
If it does not come with it you can buy a media CD from Cisco.

Author Comment

ID: 11817731
Hi, sorry for the delay. I can't do much with the solution now, so I'll just award you the points first. Thanks for your help!!

Author Comment

ID: 11817743
I have tried to increase the points, but it still shows as 100 points.
LVL 36

Expert Comment

ID: 11818172
If you wish you can post a topic called 'Points for grblades' and post the URL to it here and then accept my answer when I reply to it.
This is the standard way of awarding extra points when you have a problem increasing them as you did.

