Solved

Pix Firewall issues

Posted on 2006-05-31
Last Modified: 2013-11-16
I'm having issues with a PIX 501 firewall.  First trouble was trying to figure out why an FTP service is not accessible on a Windows Server 2003 machine with no firewall (because RRAS is enabled).  The same FTP service runs fine on a separate Win XP machine with the Windows Firewall enabled and TCP port 21 allowed.

I have fixup enabled for ftp.

3 public IPs - one pix and two machines behind pix.
PIX LAN IP: 192.168.2.1
WIN SERVER 2003 LAN IP: 192.168.2.5 --> FTP, SMTP, RRAS
WIN XP LAN IP: 192.168.2.10 --> FTP

Another strange thing that I noticed is the following:

Locally, when I telnet to 192.168.2.5 25 - I get the following response:
220 domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Wed, 31 May 2006 11:06:15 -0400

Remotely, when I telnet to the public IP that is forwarded to 192.168.2.5 for TCP port 25, I get:
220 ****************************
**********200*****0******0*00

I do receive mail, but that isn't normal is it?


Question by:wynbryant

Author Comment

by:wynbryant
ID: 16799539
current running config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host wan.ip.xxx.211 eq www
access-list acl_out permit tcp any host wan.ip.xxx.211 eq https
access-list acl_out permit tcp any host wan.ip.xxx.211 eq pptp
access-list acl_out permit udp any host wan.ip.xxx.211 eq isakmp
access-list acl_out permit gre any host wan.ip.xxx.211
access-list acl_out permit tcp any host wan.ip.xxx.211 eq smtp
access-list acl_out permit tcp any host wan.ip.xxx.212 eq ftp
access-list acl_out permit tcp any host wan.ip.xxx.212 eq 3389
access-list acl_out permit tcp any host wan.ip.xxx.211 eq 3389
access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp
access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp-data
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside wan.ip.xxx.210 255.255.255.240
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.5 255.255.255.255 inside
pdm location 192.168.100.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) wan.ip.xxx.212 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) wan.ip.xxx.211 192.168.2.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 wan.ip.xxx.209 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end


Accepted Solution

by: lrmoore earned 1000 total points
ID: 16800247
Easy ones first:

>fixup protocol smtp 25
This is what is causing the anomaly when you try to telnet to port 25 from outside. It is a security "feature".
You have to disable this fixup if you enable anti-relay features of Exchange.

 no fixup protocol smtp 25


>access-list acl_out permit tcp any host wan.ip.xxx.212 eq ftp
         <== missing ftp-data
>access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp
>access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp-data

For one of the servers you have both ftp and ftp-data allowed, for the other one you only have ftp allowed. Suggest adding another line:
    access-list acl_out permit tcp any host wan.ip.xxx.212 eq ftp-data
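To make the two findings in the accepted answer repeatable across a larger PIX 6.x config, here is an added lint script (not from the thread or from Cisco) that parses access-list, static and fixup lines and reports outside hosts permitting ftp without ftp-data, plus an active SMTP fixup. The config excerpt is constructed from the poster's lines; the wan.ip.xxx addresses are the poster's placeholders.

```python
import re
from collections import defaultdict

# Constructed excerpt of the PIX 6.3 running config posted above.
SAMPLE_CONFIG = """
fixup protocol ftp 21
fixup protocol smtp 25
access-list acl_out permit tcp any host wan.ip.xxx.212 eq ftp
access-list acl_out permit tcp any host wan.ip.xxx.212 eq 3389
access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp
access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp-data
static (inside,outside) wan.ip.xxx.212 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) wan.ip.xxx.211 192.168.2.5 netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
FIXUP_RE = re.compile(r"^fixup protocol (\S+) (\d+)$")


def parse_config(text):
    """Return (ports per (acl, outside host), outside->inside statics, fixups)."""
    ports, statics, fixups = defaultdict(set), {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            ports[(m.group(1), m.group(2))].add(m.group(3))
        elif m := STATIC_RE.match(line):
            statics[m.group(1)] = m.group(2)
        elif m := FIXUP_RE.match(line):
            fixups[m.group(1)] = int(m.group(2))
    return ports, statics, fixups


def find_issues(text):
    """Flag ftp-without-ftp-data per host, then the banner-masking SMTP fixup."""
    ports, statics, fixups = parse_config(text)
    issues = []
    for (acl, host), allowed in sorted(ports.items()):
        if "ftp" in allowed and "ftp-data" not in allowed:
            inside = statics.get(host, "?")  # which inside server the static maps to
            issues.append(f"{host} ({inside}): ftp permitted but ftp-data missing; "
                          f"add 'access-list {acl} permit tcp any host {host} eq ftp-data'")
    if "smtp" in fixups:  # Mail Guard rewrites the 220 banner to asterisks
        issues.append(f"fixup protocol smtp {fixups['smtp']} is on and masks the SMTP "
                      f"banner; remove with 'no fixup protocol smtp {fixups['smtp']}'")
    return issues


if __name__ == "__main__":
    for issue in find_issues(SAMPLE_CONFIG):
        print(issue)
```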

Author Comment

by:wynbryant
ID: 16811918
no fixup smtp was right on.

The issue with FTP was actually resolved by using a different application.  I found some documentation about Cerberus FTP not handling PASV port ranges appropriately.