patsu asked on
redirect ftp port at PIX506e

Hi,
My company is using a PIX 506e firewall, version 6.1. The network configuration is:
Internet-->ADSL router-->PIX-->webserver, ftp server, other PCs in the network.

I'm trying to set up the ftp server (using win2k3 server's ftp server); this machine's internal IP address is 192.168.0.13.
Currently our company only has 2 public IP addresses, 1 used by the ADSL router and 1 used by the PIX. We don't have proper documentation from the vendor who installed the network and the system, and now it's impossible to contact them.

Here's the configuration file of the PIX at the time being:
-------------------------------------------------------------------------------------------------------------------
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname mypix
domain-name company.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip any any
access-list 101 permit icmp any any
pager lines 24
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xx1 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 192.168.0.10 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface domain 192.168.0.10 domain netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.0.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 143 192.168.0.10 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 22 192.168.0.10 22 netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 101 in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.0.9 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
-----------------------------------------------------------------------------------------------------------------
I had tried to add:
static (inside,outside) tcp interface ftp 192.168.0.13 ftp netmask 255.255.255.255 0 0
but the ftp is not working.

I tried to access the ftp server internally by typing ftp://ftp_host_name from a PC in the network; it asks me for a user name and after I supply the password everything's OK.
So I guess the problem lies in the PIX setting.

How do I set the PIX, and later how would I access the ftp from outside? Is it by the IP address?
Please give me a step by step explanation as I am a newbie at this. thanksssssssssssssssss
grblades

Adding the following line as you have done should be all that is required.
static (inside,outside) tcp interface ftp 192.168.0.13 ftp netmask 255.255.255.255 0 0

From outside you will need to connect to the external IP address of the PIX which you have listed as xxx.xxx.xxx.xx1
If you have a DNS entry pointing to this IP address then you can use that instead.
bluefile

Thanks for the reply
1) I had tried to open Internet Explorer and typed ftp://xxx.xxx.xxx.xx1 (from a PC inside the network) but I get the error message: 'windows cannot open this folder, make sure u have typed the file name correctly or have the permission'

2) How do I know whether I have a DNS entry pointing to this IP address? As you can see in the PIX configuration, we also have a webserver. If I'm not wrong, the PIX also redirects http requests to this particular webserver. We can access our website by using www.mycompany.com. Does it mean from outside I can use ftp://mycompany.com?

3) After I did the configuration at the PIX, I used write memory to save it to the flash memory. If I type show config, I can see the new static command for the ftp there. This means that the command is in there, right?
Any other possible command that I need to add? How about the aaa?
thankssss


1) You will probably only be able to use ftp://xxx.xxx.xxx.xx1 from outside the network. From inside you will have to use its internal IP address.

2) You will be able to use ftp://www.mycompany.com. Whoever manages your DNS will be able to set up ftp.mycompany.com if you would prefer to use that or any other address.

3) As soon as you entered the static command it should have started working. Writing to flash will ensure that after the PIX is rebooted (power cut etc...) the new configuration will be loaded automatically. Normally the only extra thing you need to do is enable incoming ftp connections, but you have already got everything enabled. There is nothing else you need to do.
patsu (ASKER)

1) You mean I can't test it from inside using the public IP address?

thanks..
Yes, that's correct. One limitation of the PIX is that it will not allow a packet to go in and out of the same interface.
This limitation means that when you access the Internet side IP address it effectively is going to the internet interface of the PIX and it won't allow the packet to come back in again through NAT to the server.
I normally have a DNS server inside the company which for ftp.mycompany.com issues the internal address of the server, so all users use ftp.mycompany.com and it works seamlessly wherever they are.
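To make the two points of this answer (the `static` line is enough for outside clients, and inside clients cannot reach the public address because of the same-interface rule) concrete, here is an added example that is not part of the thread and not Cisco code. It parses the `static (inside,outside) ... interface ...` and `ip address` lines of a PIX 6.x configuration into a port-forward table, then decides for a given packet whether a forward applies. The sample configuration is constructed from the one posted above, with 203.0.113.1 as a documentation-range stand-in for xxx.xxx.xxx.xx1; the service-name table is a small subset assumed for the example.

```python
"""Model the PIX 6.x inbound port forwards and the hairpin limitation.

Added example, not from the thread or from Cisco. Assumptions: the
service-name table is a subset; 203.0.113.1 replaces the real public IP.
"""
import ipaddress
import re

# Subset of the service names a PIX 6.x accepts instead of port numbers (assumed).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53,
                 "www": 80, "http": 80, "pop3": 110, "imap4": 143, "https": 443}

STATIC_RE = re.compile(
    r"^static \((?P<real>\w+),(?P<mapped>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_addr>\S+) (?P<mapped_port>\S+) (?P<real_addr>\S+) (?P<real_port>\S+)")
IFACE_RE = re.compile(r"^ip address (?P<name>\w+) (?P<addr>\S+) (?P<mask>\S+)$")

# Constructed sample based on the configuration posted in the question.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.1 255.255.255.252
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface smtp 192.168.0.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 22 192.168.0.10 22 netmask 255.255.255.255 0 0
static (inside,outside) udp interface domain 192.168.0.10 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.0.13 ftp netmask 255.255.255.255 0 0
"""

def port_number(token):
    """Turn a numeric string or a service name into an integer port."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]

def parse_interfaces(config_text):
    """Return {name: ip_interface} for every 'ip address <name> <ip> <mask>' line."""
    ifaces = {}
    for line in config_text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            ifaces[m["name"]] = ipaddress.ip_interface(f"{m['addr']}/{m['mask']}")
    return ifaces

def parse_statics(config_text):
    """Return {(proto, outside_port): (inside_ip, inside_port)} from static lines."""
    forwards = {}
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            key = (m["proto"], port_number(m["mapped_port"]))
            forwards[key] = (m["real_addr"], port_number(m["real_port"]))
    return forwards

def forward_for(forwards, proto, port):
    """Inside (ip, port) that a connection to the outside interface reaches, or None."""
    return forwards.get((proto, port))

def can_reach(forwards, ifaces, src_ip, dst_ip, proto, dst_port):
    """Decide whether a packet to dst_ip:dst_port is forwarded; returns (ok, reason).

    Encodes the rule from the answer: a static on the outside interface only
    serves packets arriving on 'outside', so an inside client addressing the
    public IP is a hairpin and gets no translation.
    """
    if ipaddress.ip_address(dst_ip) != ifaces["outside"].ip:
        return False, "destination is not the PIX outside interface address"
    target = forward_for(forwards, proto, dst_port)
    if target is None:
        return False, f"no static for {proto}/{dst_port}"
    if ipaddress.ip_address(src_ip) in ifaces["inside"].network:
        return False, "hairpin: packet would enter and leave the inside interface"
    return True, f"forwarded to {target[0]}:{target[1]}"

if __name__ == "__main__":
    fw, ifs = parse_statics(SAMPLE_CONFIG), parse_interfaces(SAMPLE_CONFIG)
    for src in ("198.51.100.7", "192.168.0.9"):   # an Internet client, then a LAN client
        print(src, "->", can_reach(fw, ifs, src, "203.0.113.1", "tcp", 21))
```

Running it prints one success for the Internet-side client and a hairpin refusal for the LAN client, which is exactly why an internal DNS entry that hands out 192.168.0.13 to inside users is the practical fix.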
patsu (ASKER)

2) Just to confirm: currently, outside users are able to access it by using ftp://www.mycompany.com and inside users by using the host name or the internal IP address, and if I want to make them use ftp://mycompany.com, I will need to set it in the DNS server?

4) How do I set it in the DNS server? Where is the DNS server usually? Is it in the web server machine?

Just out of curiosity, I want to compare the use of VPN and FTP for my mobile colleagues to access our file server from outside the office. Do you know anything about this? I want to compare the setup process and the security. If you don't know, do you know where I should post this question?

thanks a lottttt... =)
2) Yes if you want to make outside users use ftp://mycompany.com you will need to add it to the DNS. If you want internal users to be able to use the same URL you will need to setup a DNS server for all internal users to use.

4) It depends. Commonly the registrar you registered your domain with manages and hosts the DNS for you. They often have a web based admin interface to change the DNS values.

VPN access to the file server will be a lot more secure. The problem with ftp is that the username/password is not encrypted so if you go somewhere and access your server anyone on the network could sniff the network traffic and discover your username/password.
The Cisco VPN client is fairly easy to install and I use it myself.
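The risk stated in this answer (ftp sends the username and password unencrypted) is easy to confirm from a capture of the control channel. The following is an added example, not code from the thread: it scans a constructed text rendering of an FTP control-channel session (client lines prefixed `C>`, server lines `S<`) and reports where a credential crossed the wire in the clear, without copying the password into the report. The handling of `AUTH TLS` is an assumption added for contrast and is not discussed in the thread.

```python
"""Report clear-text FTP credentials in a reconstructed control-channel session.

Added example, not from the thread. The session text is constructed; the
'C>' / 'S<' prefixes are an assumed capture format, and the AUTH TLS case is
an assumption for contrast (the thread only discusses plain ftp).
"""
import re

# Constructed sample of one plain-ftp login, as a capture tool might render it.
SAMPLE_SESSION = """\
S< 220 Microsoft FTP Service
C> USER alice
S< 331 Password required for alice.
C> PASS hunter2
S< 230 User alice logged in.
C> PWD
S< 257 "/" is current directory.
C> QUIT
S< 221 Goodbye.
"""

CLIENT_CMD_RE = re.compile(r"^C> (?P<cmd>[A-Za-z]+)(?: (?P<arg>.*))?$")

def scan_ftp_session(text):
    """Return findings for credentials sent in the clear.

    Each finding holds the line number, the command, the user name and a
    description. The password itself is never stored; only its length is.
    Commands after an AUTH TLS/SSL are treated as protected (assumption).
    """
    findings = []
    user = None
    protected = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CLIENT_CMD_RE.match(line)
        if not m:
            continue                      # server replies and noise are ignored
        cmd = m["cmd"].upper()
        arg = m["arg"] or ""
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL"):
            protected = True
        elif cmd == "USER":
            user = arg
            if not protected:
                findings.append({"line": lineno, "command": "USER", "user": user,
                                 "detail": "username sent in clear text"})
        elif cmd == "PASS" and not protected:
            findings.append({"line": lineno, "command": "PASS", "user": user,
                             "detail": f"password sent in clear text ({len(arg)} chars, redacted)"})
    return findings

def session_exposes_credentials(text):
    """True if at least one password was observed unprotected."""
    return any(f["command"] == "PASS" for f in scan_ftp_session(text))

if __name__ == "__main__":
    for f in scan_ftp_session(SAMPLE_SESSION):
        print(f"line {f['line']}: {f['command']} for user {f['user']}: {f['detail']}")
```

Anyone positioned on the same network segment as the laptop, for example on public wi-fi, sees exactly these lines, which is the point the answer makes in favour of a VPN.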
patsu (ASKER)

Hi, thanks for the answer..
1) So the disadvantage of using ftp in this case is just the username and password, right?
2) Do you mind explaining what items I need to set up for the VPN? I will double the points for you at the end since it's 2 different topics now.. Please explain step by step coz I have no idea what to do.. never used VPN before =)

a) Our main office (where I am located) is using a PIX 506E firewall; what do I need to do at this site? Like what setting/configuration for the PIX and for the file server?
b) What do I need to do at the mobile laptop site for the users to access when they are out of the office?
c) What do I need to do at our branch office overseas to access our file server? They should be using a LAN there as well. What hardware/network configuration should I ensure is available there?

THANKS!
1) Yes basically. A VPN makes it look as if you are directly connected to the remote network via a router with all the data being encrypted. A VPN will slow down traffic by approx 10-15% because the VPN packets are larger.

2a) Shown below is some configuration you can cut and paste into your PIX :)

!--- Implicitly permit VPN users to access all internal machines.
!--- This command must be present.
sysopt connection permit-ipsec
!--- Define a transform set using DES encryption and MD5 authentication
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
!--- IPSEC applies to outside interface
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

!--- Define a split-tunnel ACL so that all traffic to these addresses is sent across the VPN.
!--- All other traffic is sent across the Internet normally.
access-list splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
!--- Define address pools for the vpn user groups
ip local pool staffpool 192.168.100.1-192.168.100.254
!--- Don't perform NAT between internal machines and VPN users
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
!--- Staff group used by staff members to connect to LAN and transfer files.
vpngroup groupstaff address-pool staffpool
!--- We want staff to be able to access our internal DNS and WINS server to resolve machine names
vpngroup groupstaff dns-server 192.168.0.whatever
vpngroup groupstaff wins-server 192.168.0.whatever
vpngroup groupstaff default-domain mydomain.com
vpngroup groupstaff split-tunnel splitTunnelAcl
!--- Use our internal DNS server for looking up our machines but let the client use its normal
!--- DNS server for other sites.
vpngroup groupstaff split-dns mydomain.com
vpngroup groupstaff idle-time 1800
vpngroup groupstaff password putyourpasswordhere

b) Just install the Cisco VPN client that came with the PIX 501 and configure it with the server, group name and password. All the users then need to do is connect and they can access your internal servers. My configuration above included split tunneling and split DNS so that users can access the internet at the same time as being connected to your network. You can turn this off if you want.

c) The best approach would be to get a PIX for the remote site and configure a fixed VPN between the two PIX firewalls. I haven't done this myself but there are lots of examples on the Cisco website here:-
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html
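The VPN snippet in 2a) is a chain of named references (crypto map to dynamic map to transform set, vpngroup to address pool and split-tunnel ACL, `nat 0` to an ACL that must cover the pool), and a mistyped name in any one of them leaves the client unable to connect with no obvious error. The following is an added example, not code from the thread or from Cisco: a small consistency check that parses those lines and lists every dangling reference. The sample configuration is a copy of the snippet above with the `192.168.0.whatever` placeholders left in place (those lines are read but not checked).

```python
"""Consistency check for the PIX 6.x remote-access VPN lines posted above.

Added example, not from the thread or from Cisco. It only understands the
command forms that appear in the snippet; anything else is ignored.
"""
import ipaddress

# Copy of the posted snippet (comments dropped, placeholders kept).
SAMPLE_VPN_CONFIG = """\
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
access-list splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
ip local pool staffpool 192.168.100.1-192.168.100.254
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup groupstaff address-pool staffpool
vpngroup groupstaff dns-server 192.168.0.whatever
vpngroup groupstaff wins-server 192.168.0.whatever
vpngroup groupstaff default-domain mydomain.com
vpngroup groupstaff split-tunnel splitTunnelAcl
vpngroup groupstaff split-dns mydomain.com
vpngroup groupstaff idle-time 1800
vpngroup groupstaff password putyourpasswordhere
"""

def _tokens(config_text):
    """Yield each non-comment configuration line split into tokens."""
    for line in config_text.splitlines():
        line = line.strip()
        if line and not line.startswith("!"):
            yield line.split()

def parse_vpn_config(config_text):
    """Collect the named objects and the references between them."""
    cfg = {"transform_sets": set(), "dynamic_maps": {}, "crypto_maps": {},
           "map_interfaces": {}, "acls": {}, "pools": {}, "nat0_acl": None,
           "vpngroups": {}, "permit_ipsec": False}
    for t in _tokens(config_text):
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            cfg["dynamic_maps"][t[2]] = t[t.index("transform-set") + 1]
        elif t[:2] == ["crypto", "map"] and "dynamic" in t:
            cfg["crypto_maps"][t[2]] = t[t.index("dynamic") + 1]
        elif t[:2] == ["crypto", "map"] and len(t) > 4 and t[3] == "interface":
            cfg["map_interfaces"][t[2]] = t[4]
        elif t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]
        elif t[0] == "vpngroup":
            cfg["vpngroups"].setdefault(t[1], {})[t[2]] = t[3] if len(t) > 3 else None
        elif t == ["sysopt", "connection", "permit-ipsec"]:
            cfg["permit_ipsec"] = True
    return cfg

def _acl_covers_pool(entries, pool):
    """True if a 'permit ip SRC SMASK DST DMASK' entry's destination holds the whole pool."""
    first, last = pool
    for e in entries:
        if len(e) >= 6 and e[0] == "permit" and e[1] == "ip":
            if e[4] == "any":
                return True
            net = ipaddress.ip_network(f"{e[4]}/{e[5]}", strict=False)
            if first in net and last in net:
                return True
    return False

def check_vpn_config(config_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    cfg = parse_vpn_config(config_text)
    problems = []
    if not cfg["permit_ipsec"]:
        problems.append("missing 'sysopt connection permit-ipsec'")
    for dyn, ts in cfg["dynamic_maps"].items():
        if ts not in cfg["transform_sets"]:
            problems.append(f"dynamic-map {dyn} references unknown transform-set {ts}")
    for cmap, dyn in cfg["crypto_maps"].items():
        if dyn not in cfg["dynamic_maps"]:
            problems.append(f"crypto map {cmap} references unknown dynamic-map {dyn}")
        if cmap not in cfg["map_interfaces"]:
            problems.append(f"crypto map {cmap} is not applied to any interface")
    if cfg["nat0_acl"] is None:
        problems.append("no 'nat (inside) 0 access-list' line; VPN clients would be NATed")
    elif cfg["nat0_acl"] not in cfg["acls"]:
        problems.append(f"nat 0 references unknown access-list {cfg['nat0_acl']}")
    for group, attrs in cfg["vpngroups"].items():
        pool = attrs.get("address-pool")
        if pool not in cfg["pools"]:
            problems.append(f"vpngroup {group}: address-pool {pool} not defined")
        elif cfg["nat0_acl"] in cfg["acls"] and not _acl_covers_pool(cfg["acls"][cfg["nat0_acl"]], cfg["pools"][pool]):
            problems.append(f"vpngroup {group}: pool {pool} is not exempted by the nat 0 ACL")
        split = attrs.get("split-tunnel")
        if split is not None and split not in cfg["acls"]:
            problems.append(f"vpngroup {group}: split-tunnel ACL {split} not defined")
        if not attrs.get("password"):
            problems.append(f"vpngroup {group}: no group password set")
    return problems

if __name__ == "__main__":
    print(check_vpn_config(SAMPLE_VPN_CONFIG) or "configuration is consistent")
```

Run against the posted snippet the check returns an empty list; run against a copy with the `crypto map outside_map interface outside` line removed or the ACL name misspelled in the `split-tunnel` line, it names the exact line to fix.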
patsu (ASKER)

Hi.. thanks for your answer.. However I'm away from the office now and won't be back until sometime next week (maybe Wed/Thurs), so I'll give your solution a try by then.. I hope you don't mind waiting..

In the meantime, I want to ask the following.. Please bear with my questions. I think they sound stupid but I really have no idea regarding this.. so I'll just shoot..
1) How do I install the VPN client? I need to install it at the main office, right?
2) How do users connect from outside? What do they need to set up on the mobile laptop?
1) You just log into the notebook with someone with administrator rights on it and run the installation program.

2) They have to connect to the internet and then run the vpn client. The vpn client has to be configured where to connect to but you will set this up after you install it.
patsu (ASKER)

Hi..
I am now unsure whether my PIX has the VPN client included.. coz I can't find the installation program. Mine is a PIX 506e and I've been going thru lots of documents about it but I still don't know whether the VPN client is included..
If it is not included, how can I get it? Or is there any other way to connect besides the VPN client?
ASKER CERTIFIED SOLUTION
grblades

This solution is only available to members.
patsu (ASKER)

Hi.. sorry for the delay.. I can't do much with the solution now.. I'll just award you the points first.. thanks for your help!!
patsu (ASKER)

I have tried to increase the points.. but it still shows as 100 points..
If you wish you can post a topic called 'Points for grblades' and post the URL to it here and then accept my answer when I reply to it.
This is the standard way of awarding extra points when you have a problem increasing them as you did.

Thanks
Gareth