Solved

CISCO Pix 500 - FTP error

Posted on 2005-03-05
Last Modified: 2013-11-16
Hello,

We have recently installed a PIX firewall in our small organization and everything works fine except for one thing....We cannot seem to download or connect to anything through ftp. I have an access-list for the inside and the outside interface that opens the ftp and ftp-data ports. And I can connect to our ftp server inside the network from outside, but I cannot connect from inside the network to any ftp site externally. Any ideas on what else has to be opened for ftp? Also, we have two public IP addresses and ftp is opened on each ip using the access-list statement. Thanks.
Question by:rgtechsupport
8 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
ID: 13470406
Try removing the access-list from the inside interface. In a small network, this is very seldom needed.
Do you have fixup protocol ftp 21 enabled?
 

Author Comment

by:rgtechsupport
ID: 13471177
Well, at first I did not have it enabled and I could not connect from internally nor from externally. I enabled it and now I can connect from the outside, but still not from the inside. Thanks.
 
LVL 79

Expert Comment

by:lrmoore
ID: 13471307
>but still not from the inside
If you're trying to ftp to the public IP from the inside - you can't. You have to use the private IP from the inside.
 

Author Comment

by:rgtechsupport
ID: 13472071
Right, I understand that, but what I mean is I cannot connect to any ftp site from inside the network. I cannot download anything from any ftp site. Let's say a driver off of HP's website...it is from their ftp site, that doesn't work. Anything that entails ftp does not work from inside the network.
 
LVL 79

Expert Comment

by:lrmoore
ID: 13472657
Try removing the access-list from the inside interface.
 
LVL 3

Expert Comment

by:skpruett
ID: 13476376
Hi rgtechsupport,
Any way we can see a copy of the config? It might help diagnose your problem quicker. Change your public IPs on the config copy to something generic, say 99.99.99.X for example, to keep your network anonymous.

-skpruett
 

Author Comment

by:rgtechsupport
ID: 13477281
Hey guys,

It seems that everything is now working. All I did was enable the fixup protocol for ftp and now I can connect from outside and from inside. What exactly is the fixup protocol and what does it do? Here is my config anyway, so you can see....

User Access Verification

pixfirewall(config)# show config
: Saved
: Written by enable_15 at 15:57:54.156 UTC Fri Mar 4 2005
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit tcp any host xxx.xxx.xxx.xx9 eq telnet
access-list 101 permit tcp any host xxx.xxx.xxx.xx9 eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.xx9 eq www
access-list 101 permit icmp any any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq 2048
access-list 101 permit tcp any any eq 2443
access-list 101 permit tcp any any range 2048 3600
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq 32000
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq www
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq ftp
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq telnet
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq 3389
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq 3391
access-list 101 permit tcp any host xxx.xxx.xxx.xx8 eq 3390
access-list 102 permit icmp any any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit tcp any any eq https
access-list 102 permit tcp any any eq ssh
access-list 102 permit tcp any any eq telnet
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 1433
access-list 102 permit tcp any any eq 2048
access-list 102 permit tcp any any range 2048 3600
access-list 102 permit tcp any any eq 24874
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.xxx.xxx 255.255.255.248
ip address inside xxx.xxx.xxx.xxx 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 xxx.xxx.xxx.xx9
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 3390 xxx.xxx.xxx.xxx 3390 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 32000 xxx.xxx.xxx.xxx 32000 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp xxx.xxx.xxx.xxx smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 xxx.xxx.xxx.xxx pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www xxx.xxx.xxx.xxx www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp xxx.xxx.xxx.xxx ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3391 xxx.xxx.xxx.xxx 3391 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 xxx.xxx.xxx.xxx 3389 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xx9 xxx.xxx.xxx.xxx netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 102 in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (outside) host 10.0.1.2 xxxxxx timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto map mymap client authentication TACACS+
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:56e813232de1f977725bd7e9f2f9eaf4
pixfirewall(config)#
 
LVL 3

Assisted Solution

by:skpruett
skpruett earned 200 total points
ID: 13477381
Straight from the Cisco website, here's way too much detail on fixup. :)

Q: What are the fixup protocols and how do they work?
A:
To define the fixup protocols, perform these steps:

The PIX Firewall's fixup commands tell the PIX Firewall to perform additional application inspection on the specified protocols. This additional inspection is needed on some protocols, because some protocols include the source IP address within the data payload of the packet.

If the PIX Firewall is using Network Address Translation (NAT) on the packet, it must locate the embedded IP within the packet and apply NAT to it.

Other protocols may initiate connections on a given port and then open up additional connections on mutually agreed upon ports. FTP and H323 are most notable for doing this.
The port value for most protocols can be changed. For example, this is necessary if an FTP server is set up to listen on port 2100.
In such cases, add the additional fixup protocol ftp 2100 command.

Most fixup protocols are enabled by default. For a complete list of fixup protocols, issue the help fixup command.

The fixup protocol command is global. The changes made affect both inbound and outbound connections. These changes cannot be restricted to a specific connection or translation.

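To make the two points in skpruett's excerpt concrete (an embedded source IP that NAT must rewrite, and data connections on negotiated ports that no static access-list entry can anticipate), here is an added example, not code from the thread or from Cisco, that mimics what the ftp fixup has to do when it inspects the FTP control channel. The inside and global addresses are constructed RFC 5737 documentation values, not the poster's; the function names are my own.

```python
import re
from typing import Optional, Tuple

# Constructed example addresses (RFC 5737 ranges), not taken from the thread's config.
INSIDE_CLIENT = "192.0.2.10"    # private host behind the PIX
GLOBAL_NAT_IP = "203.0.113.9"   # global address it is translated to

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(fields) -> Tuple[str, int]:
    """Turn the six comma-separated FTP fields (h1..h4,p1,p2) into (ip, port)."""
    ip = ".".join(fields[:4])
    return ip, int(fields[4]) * 256 + int(fields[5])


def _encode(ip: str, port: int) -> str:
    """Inverse of _decode: (ip, port) back into the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_client_command(line: str, inside_ip: str, global_ip: str):
    """Active mode: the inside client sends PORT with its private IP embedded
    in the payload. Returns (rewritten_line, pinhole); pinhole is the
    (ip, port) the server will connect back to, which the firewall must
    open inbound on the fly. Without the fixup the server sees a private,
    unroutable address and the data connection never arrives."""
    m = PORT_RE.match(line)
    if not m:
        return line, None
    ip, port = _decode(m.groups())
    if ip != inside_ip:
        return line, None            # not our translated host; leave untouched
    return "PORT " + _encode(global_ip, port), (global_ip, port)


def inspect_server_reply(line: str) -> Optional[Tuple[str, int]]:
    """Passive mode: the server's 227 reply names the ephemeral port the
    inside client will connect to next. The fixup permits that outbound
    connection even though no 'eq ftp-data' ACL entry matches it."""
    m = PASV_RE.match(line)
    return _decode(m.groups()) if m else None
```

Because rewriting the PORT line can change its length, the real fixup also has to adjust TCP sequence and acknowledgement numbers on the control connection, which this example deliberately leaves out.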
