CISCO Pix 500 - FTP error

Hello,

We have recently installed a PIX firewall in our small organization and everything works fine except for one thing... We cannot seem to download or connect to anything through ftp. I have an access-list for the inside and the outside interface that opens the ftp and ftp-data ports. And I can connect to our ftp server inside the network from outside, but I cannot connect from inside the network to any ftp site externally. Any ideas on what else has to be opened for ftp? Also, we have two public IP addresses and ftp is opened on each IP using the access-list statement. Thanks.
Asked by rgtechsupport

2 Solutions
 
lrmooreCommented:
Try removing the access-list from the inside interface. In a small network, this is very seldom needed.
Do you have fixup protocol ftp 21 enabled?
 
rgtechsupportAuthor Commented:
Well, at first I did not have it enabled and I could not connect from internally nor from externally. I enabled it and now I can connect from the outside, but still not from the inside. Thanks.
 
lrmooreCommented:
>but still not from the inside
If you're trying to ftp to the public IP from the inside - you can't. You have to use the private IP from the inside.
 
rgtechsupportAuthor Commented:
Right, I understand that, but what I mean is I cannot connect to any ftp site from inside the network. I cannot download anything from any ftp site. Let's say a driver off of HP's website...it is from their ftp site, that doesn't work. Anything that entails ftp does not work from inside the network.
 
lrmooreCommented:
Try removing the access-list from the inside interface.
 
skpruettCommented:
Hi rgtechsupport,
Any way we can see a copy of the config? It might help diagnose your problem quicker. Change your public IPs on the config copy to something generic, say 99.99.99.X for example, to keep your network anonymous.

-skpruett
 
rgtechsupportAuthor Commented:
Hey guys,

It seems that everything is now working. All I did was enable the fixup protocol for ftp and now I can connect from externally and from internally. What exactly is the fixup protocol and what does it do? Here is my config anyway, so you can see....



User Access Verification

pixfirewall(config)# show config
: Saved
: Written by enable_15 at 15:57:54.156 UTC Fri Mar 4 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host xxx.xxx.xxx.xx9 eq telnet
access-list 101 permit tcp any host xxx.xxx.xxx.xx9 eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.xx9 eq www
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 2048
access-list 101 permit tcp any any eq 2443
access-list 101 permit tcp any any range 2048 3600
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq 32000
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq telnet
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq 3389
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq 3391
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq 3390
access-list 102 permit icmp any any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq https
access-list 102 permit tcp any any eq ssh
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 1433
access-list 102 permit tcp any any eq 2048
access-list 102 permit tcp any any range 2048 3600
access-list 102 permit tcp any any eq 24874
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xxx.xxx.xxx.xx9
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3390 xxx.xxx.xxx.xxx 3390 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 32000 xxx.xxx.xxx.xxx 32000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp xxx.xxx.xxx.xxx smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 xxx.xxx.xxx.xxx pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www xxx.xxx.xxx.xxx www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp xxx.xxx.xxx.xxx ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3391 xxx.xxx.xxx.xxx 3391 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 xxx.xxx.xxx.xxx 3389 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xx9 xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (outside) host 10.0.1.2 xxxxxx timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto map mymap client authentication TACACS+
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:56e813232de1f977725bd7e9f2f9eaf4
pixfirewall(config)#
 
skpruettCommented:
Straight from the Cisco website, here's way too much detail on fixup. :)

Q: What are the fixup protocols and how do they work?
A:
To define the fixup protocols, perform these steps:

The PIX Firewall's fixup commands tell the PIX Firewall to perform additional application inspection on the specified protocols. This additional inspection is needed on some protocols, because some protocols include the source IP address within the data payload of the packet.

If the PIX Firewall is using Network Address Translation (NAT) on the packet, it must locate the embedded IP within the packet and apply NAT to it.

Other protocols may initiate connections on a given port and then open up additional connections on mutually agreed upon ports. FTP and H323 are most notable for doing this.


The port value for most protocols can be changed. For example, this is necessary if an FTP server is set up to listen on port 2100.
In such cases, add the additional fixup protocol ftp 2100 command.

Most fixup protocols are enabled by default. For a complete list of fixup protocols, issue the help fixup command.

The fixup protocol command is global. The changes made affect both inbound and outbound connections. These changes cannot be restricted to a specific connection or translation.

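The two things the Cisco text above describes for FTP (an IP address carried inside the payload that NAT has to rewrite, and a second connection negotiated on the control channel that the firewall has to let through) are easy to see in a small model of the inspection itself. The following is an added example written for this thread, not Cisco code and not from the poster's config: it parses the h1,h2,h3,h4,p1,p2 form that RFC 959 uses in the PORT command and the 227 Passive reply, rewrites an inside address to its translated global address the way the PIX nat/global and static statements would, and records the data-channel "pinhole" the firewall must permit. The NAT table, the 203.0.113.x and 198.51.100.x addresses and the port numbers are all constructed for the example. It also shows why active-mode FTP from inside fails with no fixup: the PORT command then reaches the server with the client's private address, which the server cannot route to.

```python
"""Toy model of the application inspection that `fixup protocol ftp 21`
performs on a PIX. Added example for this thread, not Cisco code. It parses
the address and port that FTP embeds in the control channel (the PORT
command and the 227 Passive reply, RFC 959 h1,h2,h3,h4,p1,p2 form), rewrites
an inside address to its translated (global) address, and records the data
connection the firewall must let through. All addresses are constructed."""

import re

# PORT h1,h2,h3,h4,p1,p2   (client tells the server where to connect for data)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   (server tells the client)
PASV_RE = re.compile(r"^227\s.*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2); reject bad octets."""
    vals = [int(g) for g in groups]
    if any(not 0 <= v <= 255 for v in vals):
        raise ValueError("FTP host/port field out of range: %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = vals
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def encode_hostport(ip, port):
    """("a.b.c.d", port) -> "a,b,c,d,p1,p2"."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


class FtpFixup:
    """Inspects control-channel lines (without CRLF) between an inside host
    and an outside host. `nat` maps inside private IP -> global IP, the role
    the PIX `nat`/`global` and `static` statements play (constructed here)."""

    def __init__(self, nat):
        self.nat = dict(nat)
        # (connecting host, data IP, data port) the firewall must permit
        self.pinholes = []

    def inspect(self, line, sender_ip, receiver_ip):
        """Return the line as the receiver should see it, opening a pinhole
        for the data connection the line announces."""
        m = PORT_RE.match(line)
        if m:
            # Active mode: the server (receiver) connects back to the client.
            ip, port = decode_hostport(m.groups())
            global_ip = self.nat.get(ip, ip)
            self.pinholes.append((receiver_ip, global_ip, port))
            return "PORT " + encode_hostport(global_ip, port)
        m = PASV_RE.match(line)
        if m:
            # Passive mode: the client (receiver) connects to the server.
            ip, port = decode_hostport(m.groups())
            global_ip = self.nat.get(ip, ip)
            self.pinholes.append((receiver_ip, global_ip, port))
            return line[: m.start(1)] + encode_hostport(global_ip, port) + line[m.end(6):]
        return line  # USER, PASS, LIST, RETR ... carry no address, pass through

    def data_allowed(self, src_ip, dst_ip, dst_port):
        """Would the firewall admit this data connection?"""
        return (src_ip, dst_ip, dst_port) in self.pinholes


def embedded_address_routable(line, nat):
    """With no fixup the receiver sees the embedded address unchanged. Returns
    False when that address is an inside private one the far side cannot
    reach, which is the active-mode failure from inside without inspection."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if not m:
        return True
    ip, _ = decode_hostport(m.groups())
    return ip not in nat


if __name__ == "__main__":
    nat = {"192.168.1.10": "203.0.113.8", "192.168.1.20": "203.0.113.9"}
    fx = FtpFixup(nat)
    # inside client, active mode, talking to an outside server
    print(fx.inspect("PORT 192,168,1,10,4,1", "192.168.1.10", "198.51.100.7"))
    # inside server behind a static, passive reply to an outside client
    print(fx.inspect("227 Entering Passive Mode (192,168,1,20,195,80)",
                     "192.168.1.20", "198.51.100.7"))
    print(fx.pinholes)
```

The pinhole list is the part an access-list cannot express: the data port is chosen per transfer by whichever side announces it, so a static `permit tcp any any eq ftp-data` only covers the server-to-client source port of active mode and never the high ports of passive mode. The inspection opens exactly the one connection that was negotiated and nothing else.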