Solved

URGENT! - Cannot get ftp to work on DMZ!

Posted on 2004-09-08
Last Modified: 2010-04-09
I have a PIX 525 that I am in the middle of configuring. I have three interfaces: inside, outside and DMZ. The inside is 192.168.12.0/24, the DMZ is 192.168.11.0/28 and I have six external IP addresses.

I need to be able to give users on the outside a public IP address and the users on the inside either the private or public address. I have tried to follow a config from Cisco, but it has gone horribly wrong!

I have the FTP server sitting on the DMZ as 192.168.11.1 and the PIX interface as 192.168.11.14 (all IP addresses have been changed to protect the innocent, i.e. me!). The outside interface is 68.157.105.2, the gateway is 68.157.105.1, the address I want the users to use is 68.157.105.3 for FTP, and I have set a PAT up on 68.157.105.4 for all the inside-to-outside connections.

This is the problem: if I FTP to the external address, I receive a message saying the host is connected, then it does nothing and drops; if I FTP from the inside network to the DMZ address of the FTP server, I instantly receive an error message saying "unknown error number"!

Here is what I have done:

name 192.168.11.1 ftpserver
access-list Inbound_ACL permit tcp any host ftpserver eq ftp
global (outside) 1 68.157.105.4
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.240
static (dmz,outside) 68.157.105.3 ftpserver netmask 255.255.255.255 0 0
access-group Inbound_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 68.157.105.1
fixup protocol ftp 21


The FTP server is running on a W2K server and is the new WS FTP server from Ipswitch. If I plug a machine into the DMZ LAN and FTP to it, there is no problem!

Can someone please point me in the right direction... I have to have this working for tomorrow morning and at the moment it looks like I am toast!

Thanks Kevin
Question by:kjorviss
4 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12012532
If you are on the inside network and want to FTP to the public IP, you have to use Alias and dns doctoring, or simply use the private IP. Only outside users can use the public IP.

If you are on the inside network and want to FTP to the 192.168.11.1 address, then you need a global for the dmz:
you should have something like this:

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.0


Author Comment

by:kjorviss
ID: 12012945
Thanks for that, that sorted it (and me) out.

One more thing... (famous last words) If I FTP to the server using a DOS shell, then there is no problem or time delay etc. If I use a GUI client such as WS FTP Pro or VanDyke's Absolute FTP, it will either not get the directory listing or take a very long time to get the directory listing. I noticed in the status windows of both programs it gets stuck when the PASV command is sent.

Any ideas? WS FTP Server has a setting entitled "Firewall" that gives me the option of entering the IP address of the firewall, (very explicit) "To change the IP Address used in response to the PASV command". It then gives me a box I can enter a range of ports in, above 1024, for the data connection...

What would I put in the address field? The IP address of the DMZ interface, the virtual address I am using, or the outside address of the PIX? And which ports would I use? Is this something extra that has to be catered for in the PIX?

Thanks

Kevin
LVL 79

Expert Comment

by:lrmoore
ID: 12015088
You have seen the effect of using Passive vs Active FTP. DOS-shell is Active FTP by default.
Active FTP uses TCP ports 20/21 exclusively.
Passive FTP uses TCP port 21 and random high ports > 1024.
Apparently, your FTP application allows you to specify this high port so that you can create the appropriate ACL entry in the firewall. I would think that the IP address of the firewall entry would be your DMZ interface of the firewall itself (local to the FTP server). If that does not work, then try the public IP that you have mapped to it.
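As an added illustration of the two problems in this thread (not code from the original post or from Cisco): the script below parses a "227 Entering Passive Mode" reply, mimics what the PIX ftp fixup does when the reply crosses the static (dmz,outside) mapping, and diagnoses why a client's data connection would stall. The static mapping and the public address come from the thread (the poster says they were altered); the PASV port range is a hypothetical value standing in for whatever was entered in the WS FTP "Firewall" port box.

```python
import re
from ipaddress import ip_address

# Constructed values taken from the thread: static (dmz,outside) maps the FTP
# server's DMZ address to its public address.
STATIC_DMZ_TO_OUTSIDE = {"192.168.11.1": "68.157.105.3"}
# Hypothetical range entered in the WS FTP "Firewall" port box and permitted
# by the inbound ACL (the real range is not given in the thread).
PASV_PORT_RANGE = (50000, 50100)

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    fields = [int(v) for v in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("PASV field out of range")
    return ".".join(str(v) for v in fields[:4]), fields[4] * 256 + fields[5]


def format_pasv(host, port):
    """Build the 227 reply text for a (host, port) pair."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (host.replace(".", ","), port // 256, port % 256)


def fixup_pasv_for_outside(reply, static_map=STATIC_DMZ_TO_OUTSIDE):
    """Mimic 'fixup protocol ftp 21' on a PASV reply leaving the DMZ for the outside:
    rewrite the private address to its static public address. Raises if no static
    exists, which is the case where outside clients receive an unroutable address."""
    host, port = parse_pasv(reply)
    public = static_map.get(host)
    if public is None:
        raise ValueError("no static translation for %s" % host)
    return format_pasv(public, port)


def diagnose_pasv(reply, client_is_outside, port_range=PASV_PORT_RANGE):
    """From the client's point of view, say why the data connection would fail.
    Returns 'ok' or a short reason string."""
    host, port = parse_pasv(reply)
    if client_is_outside and ip_address(host).is_private:
        return "server advertised private address %s to an outside client" % host
    lo, hi = port_range
    if not lo <= port <= hi:
        return "data port %d is outside the permitted range %d-%d" % (port, lo, hi)
    return "ok"
```

The "stuck at PASV" symptom in the thread corresponds to the first branch of diagnose_pasv: the client is handed an address or port it cannot reach and waits for the directory listing until the data connection times out.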

Author Comment

by:kjorviss
ID: 12016779
Thanks for that, that worked fine. I gave the ftp server a range of ports and the DMZ address.

Kevin