Solved

PIX 515E w/DMZ - FTP issues

Posted on 2004-11-17
1,085 Views
Last Modified: 2010-04-09
Hi

I have a web server on the PIX 515E DMZ. I need to open FTP access and thought I had the PIX configured to allow FTP traffic. However, when I attempt to FTP to the web server, I immediately get a message 'connection closed by remote host'. This problem exists from the inside (LAN) and outside (Internet). Is there something amiss in my PIX configuration?

*****************************************************************************************
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside-in permit icmp any any
access-list outside-in permit tcp any host x.x.x.x eq smtp
access-list outside-in permit tcp any host x.x.x.x eq pcanywhere-data
access-list outside-in permit udp any host x.x.x.x eq pcanywhere-status
access-list outside-in permit tcp any host x.x.x.x eq citrix-ica
access-list outside-in permit tcp any host x.x.x.x eq www
access-list outside-in permit tcp any host x.x.x.x eq ftp
access-list outside-in permit tcp any host x.x.x.x eq ftp-data
access-list outside-in permit tcp any host x.x.x.x eq pcanywhere-data
access-list outside-in permit tcp any host x.x.x.x eq 5632
access-list dmz permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.x 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface pcanywhere-data 192.168.1.6 pcanywhere-data netmask 255.255.255.255 0 0
static (inside,outside) udp interface pcanywhere-status 192.168.1.6 5631 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.1.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.x 192.168.1.4 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.x 172.16.1.2 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-group outside-in in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
[OK]
Question by:netman70
6 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 12609402
Which FTP server are you running on 172.16.1.2? Is it IIS or some other application? I assume you have tried "Passive Mode" on the client for the FTP?
 

0
 

Author Comment

by:netman70
ID: 12609485
FTP server is on IIS.... and I have tried using the ftp client in "passive mode". I haven't checked the server yet...want to make sure there is nothing wrong with the pix configuration
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12611370
Have you tried it with the fixup enabled?

>no fixup protocol ftp 21

enable it:
   fixup protocol ftp 21
0
 

Author Comment

by:netman70
ID: 12613864
Tried and tested....no good.
0
 
LVL 9

Accepted Solution

by:
jjoseph_x earned 1500 total points
ID: 12658849
You might need to modify the registry to force Passive Mode to use a specific port (http://support.microsoft.com/?kbid=810639), then allow access to that port in your Access List.

In regular FTP the client opens a control session on port 21 and it's the server that initiates the data session on port 20 (which, unfortunately, doesn't work when you're doing a NAT). With passive mode the server tells the FTP client which port to use for the data transmission (port 21 is for the control session). Normally it's a random port, which of course means that you won't know what port to open on the PIX for the data session.

So one solution is to force your FTP server to use a specific port for Passive Mode and open that port on your firewall.

I hope that helps.
0
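The control-channel mechanics behind lrmoore's fixup suggestion and this answer, as an added Python example that is not from the thread or from Cisco: it parses the endpoint carried in a PASV reply or PORT command, applies the address rewrite an FTP application-layer gateway performs for a static NAT, and reports whether the resulting data connection would get through. The public address 203.0.113.10, the client addresses, the passive ports 49152 and 5001 and the sets of reachable addresses are constructed placeholders (the real public address is masked as x.x.x.x in the post).

```python
import re
from dataclasses import dataclass

# Constructed sample values, not taken from the thread: the DMZ server's private
# address as posted, a placeholder public address standing in for the masked
# x.x.x.x of the static (dmz,outside) entry, and a placeholder Internet client
# that sits behind its own NAT.
DMZ_SERVER_PRIVATE = "172.16.1.2"
DMZ_SERVER_PUBLIC = "203.0.113.10"       # placeholder (TEST-NET-3)
NATTED_CLIENT_PRIVATE = "10.0.0.5"       # placeholder client behind a home NAT
NATTED_CLIENT_PUBLIC = "198.51.100.7"    # placeholder: that client's public NAT address
STATIC_NAT = {DMZ_SERVER_PRIVATE: DMZ_SERVER_PUBLIC}

# A PASV reply "227 ... (h1,h2,h3,h4,p1,p2)" and a "PORT h1,h2,h3,h4,p1,p2" command
# encode the data endpoint the same way: four octets, then port/256 and port%256.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text: str) -> tuple:
    """Extract (ip, port) from a 227 reply or a PORT command."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 endpoint in {text!r}")
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"octet out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip: str, port: int) -> str:
    """Build the 227 reply text announcing ip:port."""
    return f"227 Entering Passive Mode ({ip.replace('.', ',')},{port // 256},{port % 256})"


def fixup_rewrite(pasv_reply: str, static_nat: dict) -> str:
    """What an FTP application-layer gateway (the PIX 'fixup protocol ftp 21') does
    to a PASV reply leaving the DMZ: swap the embedded private address for its
    static-NAT public address so an outside client can use it."""
    ip, port = parse_hostport(pasv_reply)
    return format_pasv(static_nat.get(ip, ip), port)


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    problems: tuple = ()


def passive_verdict(reply_seen_by_client: str, reachable_from_client: set,
                    acl_tcp_ports: set, fixup_enabled: bool) -> Verdict:
    """Will the client's passive data connection (client -> server:port) get in?
    Two independent failures: the announced address is one the client cannot
    reach, or nothing permits the announced port (the ALG opens a pinhole for
    it; a static ACL only helps when the server is pinned to a known port)."""
    ip, port = parse_hostport(reply_seen_by_client)
    problems = []
    if ip not in reachable_from_client:
        problems.append(f"client told to connect to {ip}, which it cannot reach")
    if not fixup_enabled and port not in acl_tcp_ports:
        problems.append(f"no ALG pinhole and the ACL does not permit tcp/{port}")
    return Verdict(not problems, tuple(problems))


def active_verdict(port_command: str, reachable_from_server: set) -> Verdict:
    """Active mode: the server connects from port 20 to the endpoint in the client's
    PORT command. A client behind NAT names its private address, which the server
    cannot reach unless an ALG rewrote the command."""
    ip, port = parse_hostport(port_command)
    if ip not in reachable_from_server:
        return Verdict(False, (f"server cannot reach {ip}:{port} named in PORT",))
    return Verdict(True)


def scenarios() -> dict:
    """Constructed walk-through of the cases discussed in the thread."""
    random_pasv = format_pasv(DMZ_SERVER_PRIVATE, 49152)  # server picked an ephemeral port
    pinned_pasv = format_pasv(DMZ_SERVER_PRIVATE, 5001)   # passive port pinned per the KB article (5001 is a constructed choice)
    acl_ports = {21, 20}                                  # what the posted outside-in ACL permits for ftp/ftp-data
    outside_reach = {DMZ_SERVER_PUBLIC}                   # an Internet client only knows the static's public address
    return {
        # posted config: 'no fixup protocol ftp 21' plus a random passive port
        "outside_no_fixup": passive_verdict(random_pasv, outside_reach, acl_ports, False),
        # fixup enabled: address rewritten and a pinhole opened for the announced port
        "outside_fixup": passive_verdict(fixup_rewrite(random_pasv, STATIC_NAT), outside_reach, acl_ports, True),
        # accepted answer: pin the passive port and add it to the ACL (the reply still
        # needs the public address, so the rewritten form is used here)
        "outside_pinned_port": passive_verdict(fixup_rewrite(pinned_pasv, STATIC_NAT), outside_reach, acl_ports | {5001}, False),
        # active mode from a client behind its own NAT: PORT names a private address
        "active_natted_client": active_verdict(f"PORT {NATTED_CLIENT_PRIVATE.replace('.', ',')},4,1", {NATTED_CLIENT_PUBLIC}),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22s} allowed={verdict.allowed} {'; '.join(verdict.problems)}")
```

Running the block prints the four verdicts. In this model the pinned-port approach from the answer fixes the unknown-port problem but still relies on the client being told the public address, which for an outside client is what the fixup's rewrite of the 227 reply provides.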
 
LVL 1

Expert Comment

by:Blackduke77
ID: 12701762
The only thing I can see (and I may be wrong) is the NATting. Can you access the server any other way?

You are NATting with this statement:

nat (dmz) 1 172.16.0.0 255.255.0.0 0 0

Surely it should be
nat (dmz) 1 172.16.1.0 255.255.0.0 0 0


Also:

access-list dmz permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list dmz permit ip 172.16.1.0 255.255.0.0 192.168.1.0 255.255.255.0

What is the DMZ IP range?

And the access list you have on the outside interface will only allow port FTP, not passive.



Looks like the subnets are wrong. Does anything else work?

You have all the bits (statics, access lists, NATting, and no-NATs), so I think it is those IPs.


Take a look at my config; hope it helps.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet2 vlan1 physical
interface ethernet2 vlan2 logical
interface ethernet2 vlan3 logical
interface ethernet2 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan2 edi security40
nameif vlan3 cvpn security60
nameif vlan4 dmz_vlan security55

hostname xxxPIX
domain-name wrt
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.xx.xx wffexch

access-list outside_access_in permit esp any host xxx.xxx.30.1
access-list outside_access_in permit tcp any host xxx.xxx.30.1 eq 10000
access-list outside_access_in permit udp any host xxx.xxx.30.1 eq isakmp        
access-list outside_access_in permit udp any host xxx.xxx.30.1 eq 4500
access-list outside_access_in permit tcp any host xxx.xxx.30.1 eq pptp
access-list outside_access_in permit gre any host xxx.xxx.30.1
access-list outside_access_in permit tcp any host xxx.xxx.30.15 eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq https
access-list dmz_vlan_access_out permit tcp host wffexch any eq domain
access-list dmz_vlan_access_out permit udp host wffexch any eq domain
pager lines 24
logging on
logging timestamp
logging standby
logging trap warnings
logging host inside 172.16.xx.xx
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.30.xxx 255.255.255.0
ip address inside 172.16.xx.xx 255.255.254.0
ip address dmz_vlan 172.16.xx.xx 255.255.254.0
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz_vlan) 10 0.0.0.0 0.0.0.0 0 0

static (inside,dmz_vlan) 172.16.44.0 172.16.44.0 netmask 255.255.254.0 0 0
static (dmz_vlan,outside) xxx.xxx.30.xx wffexch netmask 255.255.255.255 0 0


access-group outside_access_in in interface outside
access-group dmz_vlan_access_out in interface dmz_vlan



route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
0
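A mask-consistency check over the address/mask lines in the configs posted above, as an added Python example that is not from the thread: it uses the standard-library ipaddress module to flag any nat, static or access-list network whose address has host bits set under its mask, confirms that interface addresses are host addresses, and cross-checks that each nat range lies inside its interface's subnet. The sample text is the question's own config lines plus the two replacement lines proposed in this comment; the entries masked as x.x.x.x are left out, and nothing else is assumed.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the address/mask lines from the question's config
# (entries whose address is masked as x.x.x.x in the post are left out).
ORIGINAL = """\
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 172.16.1.1 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 172.16.0.0 255.255.0.0 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-list dmz permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""

# The two replacement lines proposed in this comment, for comparison.
PROPOSED = """\
nat (dmz) 1 172.16.1.0 255.255.0.0 0 0
access-list dmz permit ip 172.16.1.0 255.255.0.0 192.168.1.0 255.255.255.0
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_IFACE = re.compile(rf"^ip address (\S+) {IP} {IP}$")
RE_NAT = re.compile(rf"^nat \((\S+)\) \d+ {IP} {IP}")
RE_STATIC = re.compile(rf"^static \(\S+,\S+\) {IP} {IP} netmask {IP}")
RE_ACL_IP = re.compile(rf"^access-list \S+ permit ip {IP} {IP} {IP} {IP}")


def network_problem(addr: str, mask: str) -> Optional[str]:
    """Flag a network/mask pair whose address has host bits set under the mask."""
    try:
        ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        return None
    except ValueError:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return f"{addr} {mask} has host bits set (the network would be {net.network_address} {mask})"


def interface_problem(addr: str, mask: str) -> Optional[str]:
    """An interface needs a host address, not the network or broadcast address."""
    iface = ipaddress.ip_interface(f"{addr}/{mask}")
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        return f"{addr} {mask} is the network or broadcast address, not a host address"
    return None


def lint_line(line: str) -> List[str]:
    """Return the problems found in one PIX address/mask line (empty if none)."""
    line = line.strip()
    problems: List[Optional[str]] = []
    if (m := RE_IFACE.match(line)):
        problems.append(interface_problem(m.group(2), m.group(3)))
    elif (m := RE_NAT.match(line)):
        problems.append(network_problem(m.group(2), m.group(3)))
    elif (m := RE_STATIC.match(line)):
        # the one netmask applies to both the global and the local side
        for addr in (m.group(1), m.group(2)):
            problems.append(network_problem(addr, m.group(3)))
    elif (m := RE_ACL_IP.match(line)):
        problems.append(network_problem(m.group(1), m.group(2)))
        problems.append(network_problem(m.group(3), m.group(4)))
    return [f"{line}: {p}" for p in problems if p]


def lint_config(text: str) -> List[str]:
    """Lint every line of a config fragment."""
    out: List[str] = []
    for line in text.splitlines():
        out.extend(lint_line(line))
    return out


def nat_matches_interface(text: str) -> List[str]:
    """Cross-check: a nat range on an interface should lie within that interface's subnet."""
    ifaces: Dict[str, ipaddress.IPv4Network] = {}
    for line in text.splitlines():
        m = RE_IFACE.match(line.strip())
        if m:
            ifaces[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}").network
    out: List[str] = []
    for line in text.splitlines():
        m = RE_NAT.match(line.strip())
        if not m or m.group(1) not in ifaces:
            continue
        nat_net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        if nat_net.prefixlen == 0:      # nat 0.0.0.0 0.0.0.0 means "everything"
            continue
        if not nat_net.subnet_of(ifaces[m.group(1)]):
            out.append(f"nat ({m.group(1)}) {nat_net} is not within the {m.group(1)} subnet {ifaces[m.group(1)]}")
    return out


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, lint_config(text) or "no mask problems", nat_matches_interface(text))
```

The strict network check is the useful part: a 255.255.0.0 mask covers 172.16.0.0 through 172.16.255.255, so 172.16.1.0 with that mask has host bits set and the PIX would treat it as 172.16.0.0 anyway, which is what the posted config already uses.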