Solved

URGENT! - Cannot get ftp to work on DMZ!

Posted on 2004-09-08
327 Views
Last Modified: 2010-04-09
I have a PIX 525 that I am in the middle of configuring. I have three interfaces: inside, outside and DMZ. The inside is 192.168.12.0/24, the DMZ is 192.168.11.0/28 and I have six external IP addresses.

I need to be able to give users on the outside a public IP address and the users on the inside either the private or public address. I have tried to follow a config from Cisco, but it has gone horribly wrong!

I have the ftp server sitting on the DMZ as 192.168.11.1 and the PIX interface as 192.168.11.14 (all IP addresses have been changed to protect the innocent, i.e. me!). The outside interface is 68.157.105.2, the gateway is 68.157.105.1, the address I want the users to use is 68.157.105.3 for FTP, and I have set a PAT up on 68.157.105.4 for all the inside-to-outside connections.

This is the problem: if I FTP to the external address then I receive a message saying the host is connected, then it does nothing and drops; if I FTP from the inside network to the DMZ address of the ftp server I instantly receive an error message saying "unknown error number"!

Here is what I have done:

name 192.168.11.1 ftpserver
access-list Inbound_ACL permit tcp any host ftpserver eq ftp
global (outside) 1 68.157.105.4
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.240
static (dmz,outside) 68.157.105.3 ftpserver netmask 255.255.255.255 0 0
access-group Inbound_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 68.157.105.1
fixup protocol ftp 21


The FTP server is running on a W2K server and is the new WS_FTP Server from Ipswitch. If I plug a machine into the DMZ LAN and FTP to it, there is no problem!

Can someone please point me in the right direction... I have to have this working for tomorrow morning and at the moment it looks like I am toast!

Thanks Kevin
Question by:kjorviss
4 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12012532
If you are on the inside network and want to FTP to the public IP, you have to use alias and DNS doctoring, or simply use the private IP. Only outside users can use the public IP.

If you are on the inside network and want to FTP to the 192.168.11.1 address, then you need a global for the DMZ. You should have something like this:

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.0


Author Comment

by:kjorviss
ID: 12012945
Thanks for that, that sorted it (and me) out.

One more thing... (famous last words) If I FTP to the server using a DOS shell, then there is no problem or time delay etc. If I use a GUI client such as WS_FTP Pro or VanDyke's AbsoluteFTP it will either not get the directory listing or take a very long time to get the directory listing. I noticed in the status windows of both programs it gets stuck when the PASV command is sent.

Any ideas? WS_FTP Server has a setting entitled "Firewall" that gives me the option of entering the IP address of the firewall, (very explicit) "To change the IP Address used in response to the PASV command". It then gives me a box where I can enter a range of ports above 1024 for the data connection...

What would I put in the address field? The IP address of the DMZ interface, the virtual address I am using, or the outside address of the PIX? And which ports would I use? Is this something extra that has to be catered for in the PIX?

Thanks

Kevin
LVL 79

Expert Comment

by:lrmoore
ID: 12015088
You have seen the effect of using Passive vs Active FTP. A DOS shell is Active FTP by default.
Active FTP uses TCP ports 20/21 exclusively.
Passive FTP uses TCP port 21 and random high ports > 1024.
Apparently, your ftp application allows you to specify this high port so that you can create the appropriate ACL entry in the firewall. I would think that the IP address of the firewall entry would be the DMZ interface of the firewall itself (local to the FTP server). If that does not work, then try the public IP that you have mapped to it.
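To make the PASV problem from the exchange above concrete, here is an added example (not code from this thread or from the PIX): a small Python parser for the FTP "227 Entering Passive Mode" reply that flags when a server behind NAT advertises its private DMZ address to an outside client and falls back to the control-connection peer, which is the effect the PIX ftp fixup achieves by rewriting the reply. The sample reply, the DMZ address 192.168.11.1 and the public address 68.157.105.3 are constructed from the question's values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed PASV reply for this page: the DMZ FTP server (192.168.11.1)
# advertises its own private address and data port 195*256+80 = 50000.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,11,1,195,80)\r\n"

# RFC 959 227 reply: "(h1,h2,h3,h4,p1,p2)" with the data port = p1*256 + p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class PasvTarget:
    host: str
    port: int
    rewritten: bool  # True when the advertised host was replaced


def parse_pasv(reply: str) -> tuple[str, int]:
    """Parse a 227 reply into (host, port), rejecting malformed values."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        raise ValueError(f"octet out of range in {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def resolve_pasv(reply: str, control_peer: str) -> PasvTarget:
    """Decide where the data connection should really go.

    A DMZ server with no fixup/firewall setting advertises its private
    address; an outside client that connects there hangs, which is the
    'stuck at PASV' symptom. In that case use the address the control
    connection already reached (the static/public IP) instead.
    Inside clients reaching a private DMZ address are left alone.
    """
    host, port = parse_pasv(reply)
    advertised = ipaddress.ip_address(host)
    peer = ipaddress.ip_address(control_peer)
    if advertised.is_private and not peer.is_private and advertised != peer:
        return PasvTarget(control_peer, port, True)
    return PasvTarget(host, port, False)
```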
Author Comment

by:kjorviss
ID: 12016779
Thanks for that, that worked fine. I gave the ftp server a range of ports and the DMZ address.

Kevin