Solved

URGENT! - Cannot get ftp to work on DMZ!

Posted on 2004-09-08
Last Modified: 2010-04-09
I have a PIX 525 that I am in the middle of configuring. I have three interfaces: inside, outside and DMZ. The inside is 192.168.12.0/24, the DMZ is 192.168.11.0/28, and I have six external IP addresses.

I need to be able to give users on the outside a public IP address and the users on the inside either the private or public address. I have tried to follow a config from Cisco, but it has gone horribly wrong!

I have the ftp server sitting on the DMZ as 192.168.11.1 and the PIX interface as 192.168.11.14 (all IP addresses have been changed to protect the innocent, i.e. me!). The outside interface is 68.157.105.2, the gateway is 68.157.105.1, the address I want the users to use is 68.157.105.3 for FTP, and I have set a PAT up on 68.157.105.4 for all the inside-to-outside connections.

This is the problem: if I FTP to the external address then I receive a message saying the host is connected, then it does nothing and drops; if I FTP from the inside network to the DMZ address of the ftp server I instantly receive an error message saying "unknown error number"!

Here is what I have done:

name 192.168.11.1 ftpserver
access-list Inbound_ACL permit tcp any host ftpserver eq ftp
global (outside) 1 68.157.105.4
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.240
static (dmz,outside) 68.157.105.3 ftpserver netmask 255.255.255.255 0 0
access-group Inbound_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 68.157.105.1
fixup protocol ftp 21


The FTP server is running on W2K Server and is the new WS_FTP Server from Ipswitch. If I plug a machine into the DMZ LAN and FTP to it, there is no problem!

Can someone please point me in the right direction... I have to have this working for tomorrow morning and at the moment it looks like I am toast!

Thanks Kevin
Question by:kjorviss

Accepted Solution

by: lrmoore (earned 500 total points)
If you are on the inside network and want to FTP to the public IP, you have to use Alias and dns doctoring, or simply use the private IP. Only outside users can use the public IP.

If you are on the inside network and want to FTP to the 192.168.11.1 address, then you need a global for the dmz:
you should have something like this:

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 192.168.12.0 255.255.255.0 0 0
nat (dmz) 1 192.168.11.0 255.255.255.0


Author Comment by: kjorviss
Thanks for that, that sorted it (and me) out.

One more thing... (famous last words) If I FTP to the server using a DOS shell, then there is no problem or time delay etc. If I use a GUI client such as WS_FTP Pro or VanDyke's AbsoluteFTP it will either not get the directory listing or take a very long time to get the directory listing. I noticed in the status windows of both programs it gets stuck when the PASV command is sent.

Any ideas? WS_FTP Server has a setting entitled "Firewall" that gives me the option of entering the IP address of the firewall, (very explicit) "To change the IP Address used in response to the PASV command". It then gives me a box where I can enter a range of ports above 1024 for the data connection...

What would I put in the address field: the IP address of the DMZ interface, the virtual address I am using, or the outside address of the PIX? And which ports would I use? Is this something extra that has to be catered for in the PIX?

Thanks

Kevin

Expert Comment by: lrmoore
You have seen the effect of using Passive vs Active FTP. The DOS shell is Active FTP by default.
Active FTP uses TCP ports 20/21 exclusively.
Passive FTP uses TCP port 21 and random high ports > 1024
Apparently, your ftp application allows you to specify this high port range so that you can create the appropriate ACL entry in the firewall. I would think that the IP address for the firewall entry would be the DMZ interface of the firewall itself (local to the FTP server). If that does not work, then try the public IP that you have mapped to it.
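The passive-mode exchange lrmoore describes, as an added Python illustration that is not from this thread (it is neither the poster's PIX config nor WS_FTP Server's code): the server answers PASV with a 227 reply that embeds the address and port the client must dial for the data channel, so whatever address the server puts there (the "Firewall" setting) has to be reachable from where the client sits, and the port has to fall inside the range the firewall permits. This is also why, per the accepted answer, inside users must use the private address. The server addresses and subnets are the ones from the question; the passive range 50000-50100, the inside client 192.168.12.50 and the outside client 203.0.113.9 are constructed assumptions.

```python
"""Passive-FTP control-channel exchange and the reachability checks it implies.

Added illustration for the thread above; not the poster's PIX config and not
the WS_FTP server's code. Addresses are the ones from the question; the passive
port range and the client addresses are constructed assumptions.
"""
import ipaddress
import re

# Topology as stated in the question
SERVER_PRIVATE_IP = "192.168.11.1"          # ftpserver on the DMZ
SERVER_PUBLIC_IP = "68.157.105.3"           # static (dmz,outside) mapping
INSIDE_NET = ipaddress.ip_network("192.168.12.0/24")
DMZ_NET = ipaddress.ip_network("192.168.11.0/28")
# Assumed passive data-port range entered on the server's "Firewall" page
PASV_PORT_RANGE = (50000, 50100)

# RFC 959 227 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def build_pasv_reply(advertised_ip, port):
    """Server side: encode the address and port the client must connect to."""
    if not 1024 < port <= 65535:
        raise ValueError("passive data port must be above 1024")
    h = advertised_ip.split(".")
    return "227 Entering Passive Mode ({},{},{},{},{},{}).".format(
        *h, port // 256, port % 256)


def parse_pasv_reply(line):
    """Client side: recover (ip, port) from a 227 reply; reject malformed input."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a PASV reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_endpoint_problems(client_ip, advertised_ip, port):
    """Explain why a client would hang right after PASV: the address or port
    it was told to dial is not usable from where it sits."""
    problems = []
    client = ipaddress.ip_address(client_ip)
    advertised = ipaddress.ip_address(advertised_ip)
    on_private_side = client in INSIDE_NET or client in DMZ_NET
    if advertised.is_private and not on_private_side:
        problems.append("private address %s advertised to an outside client"
                        % advertised_ip)
    if not advertised.is_private and on_private_side:
        problems.append("public address %s advertised to an inside client; "
                        "inside users should use the private address"
                        % advertised_ip)
    lo, hi = PASV_PORT_RANGE
    if not lo <= port <= hi:
        problems.append("data port %d is outside the permitted passive range "
                        "%d-%d" % (port, lo, hi))
    return problems


def pix_pasv_acl(acl_name="Inbound_ACL"):
    """Explicit form of the 'appropriate acl entry' for a fixed passive range
    on the outside interface (assumed; the PIX ftp fixup can also open these
    ports dynamically)."""
    lo, hi = PASV_PORT_RANGE
    return ("access-list %s permit tcp any host ftpserver range %d %d"
            % (acl_name, lo, hi))


def simulate_pasv(client_ip, advertised_ip, port):
    """Run the control-channel round trip and report the data-channel target."""
    transcript = ["C: PASV"]
    reply = build_pasv_reply(advertised_ip, port)
    transcript.append("S: " + reply)
    ip, p = parse_pasv_reply(reply)
    transcript.append("C: connect %s:%d  (data channel)" % (ip, p))
    return {"target": (ip, p), "transcript": transcript,
            "problems": data_endpoint_problems(client_ip, ip, p)}


if __name__ == "__main__":
    # Inside client, server advertises its DMZ address: data channel reachable.
    print(simulate_pasv("192.168.12.50", SERVER_PRIVATE_IP, 50010))
    # Outside client, server still advertises 192.168.11.1: client hangs.
    print(simulate_pasv("203.0.113.9", SERVER_PRIVATE_IP, 50010))
    # Outside client, server advertises the static public address: reachable.
    print(simulate_pasv("203.0.113.9", SERVER_PUBLIC_IP, 50010))
    print(pix_pasv_acl())
```

Running the block shows the same 227 reply being usable or useless depending only on which side of the PIX the client is on, which is the symptom the GUI clients showed: they hang after PASV because they are trying to open a data connection to an address or port they cannot reach, while the DOS client never issues PASV at all.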

Author Comment by: kjorviss
Thanks for that, that worked fine. I gave the ftp server a range of ports and the DMZ address.

Kevin