Solved

URGENT! - Cannot get ftp to work on DMZ!

Posted on 2004-09-08
Last Modified: 2010-04-09
I have a PIX 525 that I am in the middle of configuring. I have three interfaces: inside, outside and DMZ. The inside is 192.168.12.0/24, the DMZ is 192.168.11.0/28, and I have six external IP addresses.

I need to be able to give users on the outside a public IP address and the users on the inside either the private or the public address. I have tried to follow a config from Cisco, but it has gone horribly wrong!

I have the ftp server sitting on the DMZ as 192.168.11.1 and the PIX interface as 192.168.11.14 (all IP addresses have been changed to protect the innocent, i.e. me!). The outside interface is 68.157.105.2, the gateway is 68.157.105.1, the address I want the users to use is 68.157.105.3 for FTP, and I have set a PAT up on 68.157.105.4 for all the inside to outside connections.

This is the problem: if I FTP to the external address then I receive a message saying the host is connected, then it does nothing and drops; if I ftp from the inside network to the DMZ address of the ftp server I instantly receive an error message saying unknown error number!

Here is what I have done:

name 192.168.11.1 ftpserver
access-list Inbound_ACL permit tcp any host ftpserver eq ftp
global (outside) 1 68.157.105.4
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.240 0 0
static (dmz,outside) 68.157.105.3 ftpserver netmask 255.255.255.255 0 0
access-group Inbound_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 68.157.105.1
fixup protocol ftp 21


The FTP server is running on W2K server and is the new WS FTP server from Ipswitch. If I plug a machine into the DMZ LAN and FTP to it there is no problem!

Can someone please point me in the right direction... I have to have this working for tomorrow morning and at the moment it looks like I am toast!

Thanks Kevin
Question by:kjorviss
Accepted Solution

by: lrmoore (earned 500 total points)
ID: 12012532
If you are on the inside network and want to FTP to the public IP, you have to use alias and DNS doctoring, or simply use the private IP. Only outside users can use the public IP.

If you are on the inside network and want to FTP to the 192.168.11.1 address, then you need a global for the DMZ. You should have something like this:

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.0

Author Comment

by:kjorviss
ID: 12012945
Thanks for that, that sorted it (and me) out.

One more thing... (famous last words) If I FTP to the server using a DOS shell, then there is no problem or time delay etc. If I use a GUI client such as WS FTP Pro or VanDyke's Absolute FTP it will either not get the directory listing or take a very long time to get the directory listing. I noticed in the status windows of both programs it gets stuck when the PASV command is sent.

Any ideas? WSFTP Server has a setting entitled "Firewall" that gives me the option of entering the IP address of the firewall, (very explicit) "To change the IP Address used in response to the PASV command". It then gives me a box I can enter a range of ports above 1024 for the data connection...

What would I put in the address field? The IP address of the DMZ interface, the virtual address I am using, or the outside address of the PIX? And which ports would I use? Is this something extra that has to be catered for in the PIX?

Thanks

Kevin
Expert Comment

by:lrmoore
ID: 12015088
You have seen the effect of using Passive vs Active FTP. DOS-shell is Active FTP by default.
Active FTP uses TCP ports 20/21 exclusively.
Passive FTP uses TCP port 21 and random high ports > 1024.
Apparently, your ftp application allows you to specify this high port so that you can create the appropriate ACL entry in the firewall. I would think that the IP address of the firewall entry would be your DMZ interface of the firewall itself (local to the FTP server). If that does not work, then try the public IP that you have mapped to it.
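A check on the PASV reply that lrmoore's explanation describes, as an added example that is not from the thread: it decodes the address and port the server advertises in its 227 reply and flags the two conditions that leave a passive client hanging on the directory listing (an address the client cannot reach, or a data port outside the range the firewall permits). The sample replies reuse the thread's addresses but are constructed, and the 50000-50100 port range is an assumed configuration value.

```python
import ipaddress
import re

# RFC 959 passive-mode reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Decode the address and port advertised in a 227 reply.

    Returns (ip, port), or None when the reply is not a well-formed 227.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port

def check_pasv(reply, connected_to, port_range):
    """Return the reasons a passive data connection would stall.

    connected_to: address the client used for the control channel, i.e. the
                  only address it is known to be able to reach.
    port_range:   (low, high) passive range the server is configured to use,
                  which must match what the firewall permits.
    An empty list means the reply is consistent with the policy.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["malformed or missing 227 reply"]
    ip, port = parsed
    problems = []
    if ip != connected_to:
        kind = "private" if ipaddress.ip_address(ip).is_private else "unexpected"
        problems.append(f"advertised {kind} address {ip}; client connected to {connected_to}")
    low, high = port_range
    if port < 1024 or not (low <= port <= high):
        problems.append(f"advertised port {port} outside permitted range {low}-{high}")
    return problems

if __name__ == "__main__":
    # Constructed replies reusing the thread's addresses; 50000 = 195*256 + 80.
    reply = "227 Entering Passive Mode (192,168,11,1,195,80)"
    print(check_pasv(reply, "192.168.11.1", (50000, 50100)))   # inside client: no problems
    print(check_pasv(reply, "68.157.105.3", (50000, 50100)))   # outside client: address mismatch
```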
Author Comment

by:kjorviss
ID: 12016779
Thanks for that, that worked fine. I gave the ftp server a range of ports and the DMZ address.

Kevin