Pix Firewall issues

I'm having issues with a PIX 501 firewall.  First trouble was trying to figure out why an FTP service is not accessible on a Windows Server 2003 machine with no firewall (because RRAS is enabled).  The same FTP service runs fine on a separate Win XP machine with the Windows Firewall enabled and TCP port 21 allowed.

I have fixup enabled for ftp.

3 public IPs - one pix and two machines behind pix.
PIX LAN IP: 192.168.2.1
WIN SERVER 2003 LAN IP: 192.168.2.5 --> FTP, SMTP, RRAS
WIN XP LAN IP: 192.168.2.10 --> FTP

Another strange thing that I noticed is the following:

Locally, when I telnet to 192.168.2.5 25 - I get the following response:
220 domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  We
d, 31 May 2006 11:06:15 -0400

Remotely, when I telnet to the public IP that is forwarded to 192.168.2.5 for TCP port 25, I get:
220 ****************************
**********200*****0******0*00

I do receive mail, but that isn't normal is it?


wynbryantAsked:
Who is Participating?
 
lrmooreCommented:
Easy ones first:

>fixup protocol smtp 25
This is what is causing the anomoly when you try to telnet to port 25 from outside. It is a security "feature"
You have to disable this fixup if you enable anti-relay features of Exchange

 no fixup protocol smtp 25


>access-list acl_out permit tcp any host wan.ip.xxx.212 eq ftp
         <== missing ftp-data
>access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp
>access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp-data

For one of the servers you have both ftp and ftp-data allowed, for the other one you only have ftp allowed. Suggest adding another line:
    access-list acl_out permit tcp any host wan.ip.xxx.212 eq ftp-data
0
 
wynbryantAuthor Commented:
current running config:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list acl_out permit tcp any host wan.ip.xxx.211 eq www

access-list acl_out permit tcp any host wan.ip.xxx.211 eq https

access-list acl_out permit tcp any host wan.ip.xxx.211 eq pptp

access-list acl_out permit udp any host wan.ip.xxx.211 eq isakmp

access-list acl_out permit gre any host wan.ip.xxx.211

access-list acl_out permit tcp any host wan.ip.xxx.211 eq smtp

access-list acl_out permit tcp any host wan.ip.xxx.212 eq ftp

access-list acl_out permit tcp any host wan.ip.xxx.212 eq 3389

access-list acl_out permit tcp any host wan.ip.xxx.211 eq 3389

access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp

access-list acl_out permit tcp any host wan.ip.xxx.211 eq ftp-data

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside wan.ip.xxx.210 255.255.255.240

ip address inside 192.168.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location 192.168.2.5 255.255.255.255 inside

pdm location 192.168.100.0 255.255.255.0 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) wan.ip.xxx.212 192.168.2.10 netmask 255.255.255.255 0 0

static (inside,outside) wan.ip.xxx.211 192.168.2.5 netmask 255.255.255.255 0 0

access-group acl_out in interface outside

route outside 0.0.0.0 0.0.0.0 wan.ip.xxx.209 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable
         
sysopt connection permit-pptp

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80


: end

0
 
wynbryantAuthor Commented:
no fixup smtp was right on.

The issue with FTP was actually resolved by using a different application.  I found some documentation about Cerberus FTP not handling PASV port ranges appropriately.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.