wynbryant

asked on

PIX Firewall issues

I'm having issues with a PIX 501 firewall.  First trouble was trying to figure out why an FTP service is not accessible on a Windows Server 2003 machine with no firewall (because RRAS is enabled).  The same FTP service runs fine on a separate Win XP machine with the Windows Firewall enabled and TCP port 21 allowed.

I have fixup enabled for ftp.

3 public IPs - one pix and two machines behind pix.
PIX LAN IP: 192.168.2.1
WIN SERVER 2003 LAN IP: 192.168.2.5 --> FTP, SMTP, RRAS
WIN XP LAN IP: 192.168.2.10 --> FTP

Another strange thing that I noticed is the following:

Locally, when I telnet to 192.168.2.5 25 - I get the following response:
220 domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Wed, 31 May 2006 11:06:15 -0400

Remotely, when I telnet to the public IP that is forwarded to 192.168.2.5 for TCP port 25, I get:
220 ****************************
**********200*****0******0*00

I do receive mail, but that isn't normal, is it?


wynbryant (ASKER)

current running config:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit tcp any host wan.ip.xxx.211 eq www
access-list acl_out permit tcp any host wan.ip.xxx.211 eq https
access-list acl_out permit tcp any host wan.ip.xxx.211 eq pptp
access-list acl_out permit udp any host wan.ip.xxx.211 eq isakmp
access-list acl_out permit gre any host wan.ip.xxx.211
access-list acl_out permit tcp any host wan.ip.xxx.211 eq smtp
access-list acl_out permit tcp any host wan.ip.xxx.212 eq ftp
access-list acl_out permit tcp any host wan.ip.xxx.212 eq 3389
access-list acl_out permit tcp any host wan.ip.xxx.211 eq 3389
access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp
access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp-data
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside wan.ip.xxx.210 255.255.255.240
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.2.5 255.255.255.255 inside
pdm location 192.168.100.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) wan.ip.xxx.212 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) wan.ip.xxx.211 192.168.2.5 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 wan.ip.xxx.209 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
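Added example, not code from this thread or from Cisco: a small Python audit that takes a constructed excerpt of the config posted above, works out which inside host each outside permit actually reaches through its static translation and whether a fixup inspection engine sits on that port, and then classifies the two telnet banners from the question. The config and banner lines are copied from the posts; the service-keyword table, the regexes for the PIX 6.3 syntax, and the function names are my own assumptions for this demo.

```python
"""Added example, not code from the thread: audit a PIX 6.3 config excerpt
and classify an observed SMTP banner.  Service keywords, regexes and the
sample data below are assumptions made for this demo."""
import re

# PIX service keywords seen in the posted ACL, resolved to port numbers.
SERVICE_PORTS = {"www": 80, "https": 443, "smtp": 25, "ftp": 21,
                 "ftp-data": 20, "pptp": 1723, "isakmp": 500}

FIXUP_RE = re.compile(r"^fixup protocol (\S+)(?: \S+)? (\d+)(?:-(\d+))?$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) any host (\S+)(?: eq (\S+))?$")
MAILGUARD_RE = re.compile(r"^220 [*20]+$")


def service_port(svc):
    """Resolve a PIX service keyword or a numeric port to an int."""
    if svc.isdigit():
        return int(svc)
    if svc in SERVICE_PORTS:
        return SERVICE_PORTS[svc]
    raise ValueError(f"unknown service keyword {svc!r}")


def parse_config(text):
    """Collect fixup ports, static translations and ACL permit lines."""
    fixups, statics, permits = {}, {}, []
    for line in (l.strip() for l in text.splitlines()):
        m = FIXUP_RE.match(line)
        if m and m.group(1) != "dns":        # dns fixup is a length cap, not a port
            lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
            for port in range(lo, hi + 1):
                fixups[port] = m.group(1)
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = m.group(2)  # outside address -> inside host
            continue
        m = ACL_RE.match(line)
        if m:
            permits.append(m.groups())        # (acl, transport, outside, service)
    return fixups, statics, permits


def exposure_map(text):
    """Map each inside host to (transport, service, port, fixup-or-None) for
    everything the outside ACL lets through its static translation."""
    fixups, statics, permits = parse_config(text)
    exposed = {}
    for _acl, transport, outside, svc in permits:
        inside = statics.get(outside)
        if inside is None:
            continue                          # permit with nothing translated behind it
        port = service_port(svc) if svc else None
        fixup = fixups.get(port) if transport in ("tcp", "udp") else None
        exposed.setdefault(inside, []).append((transport, svc, port, fixup))
    return exposed


def join_wrapped(lines):
    """Re-join a banner that an 80-column terminal wrapped onto two lines."""
    return "".join(l.rstrip("\r\n") for l in lines)


def banner_looks_mailguard_masked(banner):
    """Mail Guard (fixup protocol smtp) rewrites every banner character except
    '2' and '0' to '*', so a masked banner is '220 ' followed only by those."""
    b = banner.strip()
    return "*" in b and MAILGUARD_RE.match(b) is not None


# Constructed excerpt of the running-config posted in the thread.
PIX_CONFIG = """\
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol smtp 25
access-list acl_out permit tcp any host wan.ip.xxx.211 eq www
access-list acl_out permit tcp any host wan.ip.xxx.211 eq https
access-list acl_out permit udp any host wan.ip.xxx.211 eq isakmp
access-list acl_out permit gre any host wan.ip.xxx.211
access-list acl_out permit tcp any host wan.ip.xxx.211 eq smtp
access-list acl_out permit tcp any host wan.ip.xxx.212 eq ftp
access-list acl_out permit tcp any host wan.ip.xxx.212 eq 3389
access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp
access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp-data
static (inside,outside) wan.ip.xxx.212 192.168.2.10 netmask 255.255.255.255 0 0
static (inside,outside) wan.ip.xxx.211 192.168.2.5 netmask 255.255.255.255 0 0
"""

# The two telnet captures from the question, as the 80-column terminal wrapped them.
LOCAL_BANNER = ["220 domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  We",
                "d, 31 May 2006 11:06:15 -0400"]
REMOTE_BANNER = ["220 ****************************", "**********200*****0******0*00"]

if __name__ == "__main__":
    for host, services in exposure_map(PIX_CONFIG).items():
        print(host)
        for transport, svc, port, fixup in services:
            print(f"  {transport:4} {svc or '-':9} {str(port or '-'):>5}  "
                  f"{'fixup ' + fixup if fixup else 'no inspection'}")
    for name, lines in (("local", LOCAL_BANNER), ("remote", REMOTE_BANNER)):
        b = join_wrapped(lines)
        print(name, "Mail Guard masked" if banner_looks_mailguard_masked(b) else "plain", b[:32])
```

Run as-is it prints the per-host exposure list (192.168.2.5 gets www, https, isakmp, gre, smtp, ftp and ftp-data; 192.168.2.10 gets ftp and 3389) and flags the remote banner as Mail Guard output. The asterisk banner is therefore the PIX doing its job rather than the mail server misbehaving: the 2s and 0s that survive are exactly the characters Mail Guard leaves alone. Turning the fixup off (no fixup protocol smtp 25) gives outside clients the real banner and the full ESMTP command set, but it also removes the only SMTP-layer inspection in this config, so the server's own hardening then has to carry that load.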

ASKER CERTIFIED SOLUTION by Les Moore
no fixup smtp was right on.

The issue with FTP was actually resolved by using a different application.  I found some documentation about Cerberus FTP not handling PASV port ranges appropriately.