Solved

URGENT! - Cannot get ftp to work on DMZ!

Posted on 2004-09-08
Last Modified: 2010-04-09
I have a PIX 525 that I am in the middle of configuring. I have three interfaces: inside, outside and DMZ. The inside is 192.168.12.0/24, the DMZ is 192.168.11.0/28 and I have six external IP addresses.

I need to be able to give users on the outside a public IP address and the users on the inside either the private or public address. I have tried to follow a config from Cisco, but it has gone horribly wrong!

I have the FTP server sitting on the DMZ as 192.168.11.1 and the PIX interface as 192.168.11.14 (all IP addresses have been changed to protect the innocent, i.e. me!). The outside interface is 68.157.105.2, the gateway is 68.157.105.1, the address I want the users to use is 68.157.105.3 for FTP, and I have set a PAT up on 68.157.105.4 for all the inside-to-outside connections.

This is the problem: if I FTP to the external address then I receive a message saying the host is connected, then it does nothing and drops; if I FTP from the inside network to the DMZ address of the FTP server I instantly receive an error message saying unknown error number!

Here is what I have done:

name 192.168.11.1 ftpserver
access-list Inbound_ACL permit tcp any host ftpserver eq ftp
global (outside) 1 68.157.105.4
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.240 0 0
static (dmz,outside) 68.157.105.3 ftpserver netmask 255.255.255.255 0 0
access-group Inbound_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 68.157.105.1
fixup protocol ftp 21


The FTP server is running on a W2K server and is the new WS_FTP Server from Ipswitch. If I plug a machine into the DMZ LAN and FTP to it there is no problem!

Can someone please point me in the right direction... I have to have this working for tomorrow morning and at the moment it looks like I am toast!

Thanks Kevin
Question by:kjorviss
Accepted Solution

by: lrmoore
ID: 12012532
If you are on the inside network and want to FTP to the public IP, you have to use alias and DNS doctoring, or simply use the private IP. Only outside users can use the public IP.

If you are on the inside network and want to FTP to the 192.168.11.1 address, then you need a global for the dmz:
you should have something like this:

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.0

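To make the accepted answer concrete, here is an added toy model (not Cisco code, and not from the thread) of how a PIX 6.x with NAT control decides whether an inside host gets a translation toward a lower-security interface. The interface names and addresses come from the thread; the security levels (inside 100, dmz 50, outside 0) are the usual defaults and are assumed, and 198.51.100.7 is a made-up Internet host. It builds the question's config with and without the missing global (dmz) 1 line and shows which flows get an xlate.

```python
"""Toy model of PIX 6.x address translation (NAT control), added here to
show why the posted config let inside hosts reach the Internet but not the
DMZ FTP server. Illustrative code only, not Cisco's; interface names and
addresses are taken from the thread, security levels are assumed defaults."""
import ipaddress

SECURITY = {"inside": 100, "dmz": 50, "outside": 0}
SUBNETS = {
    "inside": ipaddress.ip_network("192.168.12.0/24"),
    "dmz": ipaddress.ip_network("192.168.11.0/28"),
}
# Interface addresses from the thread; used for 'global (if) id interface'.
IF_ADDR = {"dmz": "192.168.11.14", "outside": "68.157.105.2"}


class Pix:
    def __init__(self):
        self.nats = []      # (interface, nat_id, real network)
        self.globals = {}   # (interface, nat_id) -> mapped address (PAT)
        self.statics = []   # (real_if, mapped_if, mapped_ip, real_ip)

    def nat(self, ifname, nat_id, network):
        self.nats.append((ifname, nat_id, ipaddress.ip_network(network)))

    def global_(self, ifname, nat_id, pool):
        # 'global (dmz) 1 interface' means PAT on the dmz interface's own address
        self.globals[(ifname, nat_id)] = IF_ADDR[ifname] if pool == "interface" else pool

    def static(self, real_if, mapped_if, mapped_ip, real_ip):
        self.statics.append((real_if, mapped_if, mapped_ip, real_ip))

    @staticmethod
    def interface_of(addr):
        """Egress interface for an address: a connected subnet, else the default route."""
        ip = ipaddress.ip_address(addr)
        for name, net in SUBNETS.items():
            if ip in net:
                return name
        return "outside"

    def translate(self, src, dst):
        """Mapped source address for src -> dst, or None when the PIX has no
        xlate for the flow (the connection is refused outright)."""
        src_if, dst_if = self.interface_of(src), self.interface_of(dst)
        if SECURITY[src_if] <= SECURITY[dst_if]:
            return None   # lower-to-higher flows are governed by statics/ACLs, not nat/global
        # A static for this interface pair wins over nat/global.
        for real_if, mapped_if, mapped_ip, real_ip in self.statics:
            if (real_if, mapped_if) == (src_if, dst_if) and src == real_ip:
                return mapped_ip
        ip = ipaddress.ip_address(src)
        for nat_if, nat_id, net in self.nats:
            if nat_if == src_if and ip in net:
                # The nat-id needs a global on the *egress* interface; with no
                # 'global (dmz) 1' there is nothing to translate inside->dmz to.
                return self.globals.get((dst_if, nat_id))
        return None


def build(with_dmz_global):
    """The question's config (False) and the accepted answer's fix (True)."""
    pix = Pix()
    pix.nat("inside", 1, "192.168.12.0/24")
    pix.nat("dmz", 1, "192.168.11.0/28")
    pix.global_("outside", 1, "68.157.105.4")        # PAT for inside -> outside
    if with_dmz_global:
        pix.global_("dmz", 1, "interface")           # the missing line
    pix.static("dmz", "outside", "68.157.105.3", "192.168.11.1")
    return pix


if __name__ == "__main__":
    for fixed in (False, True):
        pix = build(fixed)
        print("global (dmz) 1 present:", fixed)
        print("  inside -> ftpserver  :", pix.translate("192.168.12.10", "192.168.11.1"))
        print("  inside -> Internet   :", pix.translate("192.168.12.10", "198.51.100.7"))
        print("  ftpserver -> Internet:", pix.translate("192.168.11.1", "198.51.100.7"))
```

Without the dmz global, inside -> 192.168.11.1 returns None (no translation group, so the PIX drops the connection attempt, which matches the instant "unknown error" Kevin saw), while inside -> Internet still works through the outside PAT. The same model also shows the first point of the answer: Pix.interface_of("68.157.105.3") is "outside", so an inside client aiming at the public address is sent out toward the ISP rather than being hairpinned back to the DMZ server.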
Author Comment

by:kjorviss
ID: 12012945
Thanks for that, that sorted it (and me) out.

One more thing... (famous last words) If I FTP to the server using a DOS shell, then there is no problem or time delay etc. If I use a GUI client such as WS_FTP Pro or VanDyke's AbsoluteFTP it will either not get the directory listing or take a very long time to get the directory listing. I noticed in the status window of both programs it gets stuck when the PASV command is sent.

Any ideas? WS_FTP Server has a setting entitled "Firewall" that gives me the option of entering the IP address of the firewall, (very explicit) "To change the IP Address used in response to the PASV command". It then gives me a box where I can enter a range of ports above 1024 for the data connection...

What would I put in the address field? The IP address of the DMZ interface, the virtual address I am using, or the outside address of the PIX? And which ports would I use? Is this something extra that has to be catered for in the PIX?

Thanks

Kevin
Expert Comment

by:lrmoore
ID: 12015088
You have seen the effect of using passive vs. active FTP. DOS shell is active FTP by default.
Active FTP uses TCP ports 20/21 exclusively.
Passive FTP uses TCP port 21 and random high ports > 1024
Apparently, your FTP application allows you to specify this high port so that you can create the appropriate ACL entry in the firewall. I would think that the IP address for the firewall entry would be your DMZ interface of the firewall itself (local to the FTP server). If that does not work, then try the public IP that you have mapped to it.
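The reply above turns on what the 227 response to PASV actually carries. As an added example (not from the thread, Ipswitch or Cisco), the following Python decodes the FTP host/port encoding used by both the client's PORT command (active mode) and the server's 227 reply (passive mode), rewrites a 227 reply the way the server's "Firewall" setting does when you give it an address and a port range, and emits the kind of ACL line lrmoore refers to. The sample lines are constructed; the data-port range 5000-5100 and the addresses are illustrative.

```python
"""Active vs. passive FTP data connections through a NAT firewall.
Added illustration; the FTP lines below are constructed for the example."""
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2  ->  h1.h2.h3.h4 : p1*256+p2
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"^227\b.*?\(" + HOSTPORT + r"\)")          # server reply to PASV
PORT_RE = re.compile(r"^PORT\s+" + HOSTPORT + r"\s*$", re.IGNORECASE)  # client command


def _decode(groups):
    a, b, c, d, p1, p2 = (int(g) for g in groups)
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("field out of range in host/port encoding")
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def _encode(ip, port):
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def data_endpoint(line):
    """Return (mode, ip, port): the address the *data* connection will be made to.
    Active: the server connects out (from port 20) to the client's PORT address.
    Passive: the client connects to the address the server announced in 227."""
    m = PORT_RE.match(line)
    if m:
        return ("active",) + _decode(m.groups())
    m = PASV_RE.match(line)
    if m:
        return ("passive",) + _decode(m.groups())
    raise ValueError("not a PORT command or 227 reply: %r" % line)


def rewrite_pasv(reply, real_ip, announced_ip, port_range):
    """What the server's 'Firewall' setting (or a NAT-aware fixup) does to a 227
    reply: keep the port, replace the server's own address with the one
    clients can actually reach, and refuse ports outside the configured range."""
    mode, ip, port = data_endpoint(reply)
    if mode != "passive":
        raise ValueError("expected a 227 passive-mode reply")
    if ip != real_ip:
        raise ValueError("server announced %s, expected %s" % (ip, real_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        raise ValueError("data port %d outside configured range %d-%d" % (port, lo, hi))
    return "227 Entering Passive Mode (%s)" % _encode(announced_ip, port)


def acl_for_passive(mapped_ip, port_range):
    """PIX access-list entry that would admit the passive data ports from outside.
    Only needed when the ftp fixup is not inspecting the control channel; with
    'fixup protocol ftp 21' the PIX opens the announced data port itself."""
    lo, hi = port_range
    return "access-list Inbound_ACL permit tcp any host %s range %d %d" % (mapped_ip, lo, hi)


if __name__ == "__main__":
    print(data_endpoint("PORT 192,168,12,10,4,1"))
    print(data_endpoint("227 Entering Passive Mode (192,168,11,1,19,137)."))
    print(rewrite_pasv("227 Entering Passive Mode (192,168,11,1,19,137).",
                       "192.168.11.1", "68.157.105.3", (5000, 5100)))
    print(acl_for_passive("68.157.105.3", (5000, 5100)))
```

The point the example makes: in active mode the client tells the server where to connect, so a DOS-shell client on the inside works as soon as the control channel does, whereas in passive mode the client must reach whatever address and high port the server puts in its 227 reply. If that reply still names the server's own DMZ address, or a port the firewall does not allow, the client hangs exactly at the PASV step, which is what the GUI clients showed.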
Author Comment

by:kjorviss
ID: 12016779
Thanks for that, that worked fine. I gave the ftp server a range of ports and the DMZ address.

Kevin