• Status: Solved
  • Priority: Medium
  • Security: Public

PIX 506e and iis 6

Hi all,

I have installed and configured IIS 6 on my Windows 2003 SP1 server. Now I want to access FTP and view my websites from the outside world. We have a Cisco PIX 506e (with Device Manager 3.0). What do I have to do on my PIX in order to access FTP and view my websites?

Thanks
Asked by aucklandnz
 
Rick HobbsRETIREDCommented:
Add a rule allowing FTP and do a NAT translation from the outside interface on port 25 to the FTP server internally.
Add a rule allowing HTTP and do a NAT translation from the outside on port 80 to the HTTP server internally.
 
aucklandnzAuthor Commented:
Thanks for the reply.

I'm new to Cisco; would you know the command lines by any chance?

Thanks
 
Rick HobbsRETIREDCommented:
fixup protocol ftp 21
fixup protocol http 80
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-group acl_inbound in interface outside

where xxx.xxx.xxx.xxx is the address or addresses of the inside host.

These are the command line interface commands.
Rick HobbsRETIREDCommented:
Sorry, I forgot the static NAT maps:

static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0

where xxx.xxx.xxx.xxx is the address or addresses of the inside host(s)
and yyy.yyy.yyy.yyy is the address of the outside interface.
 
rsivanandanCommented:
I presume you don't have a spare public IP address? If so, you need to use port forwarding instead of static NATs:

static (inside,outside) tcp interface 21 <InternalIPOfWebServer> 21
static (inside,outside) tcp interface 80 <InternalIPOfWebServer> 80

access-list <Name> permit tcp any interface outside eq 21
access-list <Name> permit tcp any interface outside eq 80

Cheers,
Rajesh
 
Rick HobbsRETIREDCommented:
Rajesh is correct. If you only have a single external IP address, the static and access-list commands should be in the format he has used.
 
aucklandnzAuthor Commented:
Thanks.

I did the following:
fixup protocol ftp 21
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-group acl_inbound in interface outside

but I cannot connect to my FTP.

I did sh run and I can see the changes I made (didn't save anything just yet).

Thanks
 
JoesmailCommented:
Make sure the host xxx.xxx.xxx.xxx is the outside address you're using.

If you have a spare IP address you should use a static 1-to-1 map and apply the acl_permit access-list:

static (inside,outside) 203.33.44.55 192.168.1.2 netmask 255.255.255.255

access-list acl_inbound permit tcp any host 203.33.44.55 eq ftp
access-group acl_inbound in interface outside
 
Rick HobbsRETIREDCommented:
Can you access the FTP server on your LAN? (Have you made sure it is working internally?)
 
aucklandnzAuthor Commented:
Hi,

Yes, I can access FTP on the LAN.

OK, so if I put the following lines it should work, right?
fixup protocol ftp 21
access-list acl_inbound permit tcp any host <myFTPServer> eq ftp
static (inside,outside) tcp interface 21 <InternalIPOfWebServer> 21
access-group acl_inbound in interface outside

Thanks a lot
 
Rick HobbsRETIREDCommented:
That is correct, sir!
 
aucklandnzAuthor Commented:
Does my FTP server have to be part of my domain?
 
JoesmailCommented:
Hi aucklander.

http://support.microsoft.com/?kbid=323384

Where the following article says to "allow only anonymous connections", remove this and choose "Integrated Windows Authentication" only. This should be the only checkbox shown.

Then create a local Windows account "ftpuser" with a password that does not expire. Then give this user read/write access to the directory you configured as the "home directory" in the article above.
 
aucklandnzAuthor Commented:
FTP is working :)

What lines do I have to put in to access my website?

Thanks
 
JoesmailCommented:
If you want each of your users to supply their own domain account username, then create a domain group and give it the access you need to the FTP directory.

There is a new feature in the Windows 2003 FTP service that allows each user to have their own FTP user directory. This feature is called "user isolation"; this article explains it.

http://www.windowsnetworking.com/articles_tutorials/Creating-Configuring-FTP.html
 
JoesmailCommented:
Hi Aucklander.

Supply me your config here (remember to remove the actual IP addresses).

I will post the changes you will need to make to access it externally.
 
Rick HobbsRETIREDCommented:
fixup protocol http 80
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq www
 
Rick HobbsRETIREDCommented:
Of course xxx.xxx.xxx.xxx is the inside FTP server address.
 
aucklandnzAuthor Commented:
Hi,

OK, all I did to access my FTP was:
fixup protocol ftp 21
access-list acl_inbound permit tcp any host 192.168.0.131 eq ftp
static (inside,outside) tcp interface 21 192.168.0.131 21
access-list acl_inbound permit tcp any host <external ip> eq ftp
access-group acl_inbound in interface outside

FTP is working!!!

Now I want to be able to view my website, so I put in the following lines:

access-list acl_inbound permit tcp any host 192.168.0.131 eq www
static (inside,outside) tcp interface 80 192.168.0.131 80
(here I'm getting an error: invalid global port 192.168.0.131)
access-list acl_inbound permit tcp any host <external ip> eq 80
access-group acl_inbound in interface outside

I cannot view my website.

Thanks
 
Rick HobbsRETIREDCommented:
fixup protocol http 80
access-list acl_inbound permit tcp any host <external IP> eq www
static (inside,outside) tcp interface 80 192.168.0.131 80

The fourth line is already there.

This should work! Check for typing errors.
 
Rick HobbsRETIREDCommented:
If it doesn't, try
fixup protocol http 80
access-list acl_inbound permit tcp any any eq www
static (inside,outside) tcp interface www 192.168.0.131 www
 
aucklandnzAuthor Commented:
I'm getting the error
"duplicate of existing static" after this line:
static (inside,outside) tcp interface 80 192.168.0.131 80

Thanks
 
Rick HobbsRETIREDCommented:
Can you do a show run | include static, change the external IP addresses and paste it here?
 
rsivanandanCommented:
For HTTP, you'll have to disable the HTTP server on the PIX firewall or run your web server on a different port.

static (inside,outside) tcp interface 8080 192.168.0.131 80

Cheers,
Rajesh
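Three of the problems in this thread can be spotted from the config text alone: the access-list lines written against the inside address 192.168.0.131 (an ACL applied to the outside interface on PIX 6.x is matched against the mapped, i.e. global, destination address, so a private inside address there never matches; the `host <external ip>` line is what actually let FTP through), the "duplicate of existing static" error, and a port-80 forward on the interface address colliding with the PIX's own management listener as Rajesh describes. The following Python script is an added example, not code from the thread or from Cisco: it lints a constructed config fragment modelled on the lines posted above and a corrected version beside it. The management station 203.0.113.10 is a documentation address, the per-service management port set (MGMT_PORTS) is an assumption, and only the tcp/udp port-redirect form of `static` is parsed, not the one-to-one form.

```python
"""Lint a PIX 6.x-style port-forwarding config for the mistakes this thread ran into."""
import ipaddress
import re

# Constructed sample modelled on the lines posted in the thread; the management
# station 203.0.113.10 is a documentation address, not anyone's real config.
SAMPLE_CONFIG = """
http server enable
http 203.0.113.10 255.255.255.255 outside
fixup protocol ftp 21
fixup protocol http 80
static (inside,outside) tcp interface 21 192.168.0.131 21
static (inside,outside) tcp interface 80 192.168.0.131 80
static (inside,outside) tcp interface 80 192.168.0.131 80
access-list acl_inbound permit tcp any host 192.168.0.131 eq ftp
access-list acl_inbound permit tcp any interface outside eq ftp
access-list acl_inbound permit tcp any host 192.168.0.131 eq www
access-group acl_inbound in interface outside
"""

# The same intent written the way the thread ends up: web server forwarded on a
# spare port, ACL written against the interface (mapped) address, no duplicates.
FIXED_CONFIG = """
http server enable
http 203.0.113.10 255.255.255.255 outside
fixup protocol ftp 21
static (inside,outside) tcp interface 21 192.168.0.131 21
static (inside,outside) tcp interface 8081 192.168.0.131 80
access-list acl_inbound permit tcp any interface outside eq ftp
access-list acl_inbound permit tcp any interface outside eq 8081
access-group acl_inbound in interface outside
"""

# Service keywords the PIX accepts in place of port numbers (subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}

# Assumption: ports the PIX's own management services may bind on an interface
# where they are enabled (http covers both the PDM/HTTPS and plain HTTP cases).
MGMT_PORTS = {"http": {80, 443}, "ssh": {22}, "telnet": {23}}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<map_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<gaddr>\S+) (?P<gport>\S+) (?P<laddr>\S+) (?P<lport>\S+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>\w+) (?P<src>any|host \S+) "
    r"(?P<dst>any|host \S+|interface \w+) eq (?P<port>\S+)$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\w+)$")
MGMT_RE = re.compile(r"^(?P<svc>http|ssh|telnet) \S+ \S+ (?P<iface>\w+)$")


def to_port(token):
    """Translate a PIX port keyword or number to an int."""
    return PORT_NAMES.get(token) or int(token)


def lint(config):
    """Return (line_number, message) findings for a config fragment."""
    lines = [ln.strip() for ln in config.strip().splitlines()]
    bound, mgmt = {}, {}  # acl name -> interface; interface -> management ports
    for line in lines:
        if m := GROUP_RE.match(line):
            bound[m["name"]] = m["iface"]
        elif m := MGMT_RE.match(line):
            mgmt.setdefault(m["iface"], set()).update(MGMT_PORTS[m["svc"]])

    findings, seen = [], {}
    for n, line in enumerate(lines, 1):
        if m := STATIC_RE.match(line):
            gport = to_port(m["gport"])
            key = (m["map_if"], m["proto"], m["gaddr"], gport)
            if key in seen:  # what the PIX reports as "duplicate of existing static"
                findings.append((n, f"duplicate of static on line {seen[key]}"))
            seen.setdefault(key, n)
            if m["gaddr"] == "interface" and gport in mgmt.get(m["map_if"], set()):
                findings.append((n, f"{m['proto']}/{gport} on {m['map_if']} collides with "
                                    "PIX management; forward another port or disable it"))
        elif m := ACL_RE.match(line):
            # On PIX 6.x an ACL applied to the outside interface is matched against
            # the mapped (global) address, so a private inside address never matches.
            if bound.get(m["name"]) == "outside" and m["dst"].startswith("host "):
                dst = ipaddress.ip_address(m["dst"].split()[1])
                if dst.is_private:
                    findings.append((n, f"destination {dst} is an inside address; use the "
                                        "mapped address or 'interface outside'"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {len(lint(cfg))} finding(s)")
        for n, msg in lint(cfg):
            print(f"  line {n}: {msg}")
```

Run against the sample it flags the two `host 192.168.0.131` ACL lines, the repeated port-80 static, and the collision of both port-80 statics with management on the outside interface; the fixed fragment comes back clean. The check is deliberately text-only, so it can be run on a `show run` paste with the public addresses scrubbed, which is exactly what the thread asks for.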
 
Rick HobbsRETIREDCommented:
I forgot all about the management web server. The devil is in the details. Thanks Rajesh!
 
aucklandnzAuthor Commented:
Hi,

I don't really want to paste my config on here. Would you be able to help me without seeing the whole config?

Thanks
 
Rick HobbsRETIREDCommented:
The answer from Rajesh is the solution. Either change the port your web server runs on or do a no http server to turn off the web management on the PIX. It is no problem to paste your config here; just change the external addresses and remove the password lines before posting.
 
aucklandnzAuthor Commented:
I'm running WebMarshal on port 8080. Would that be a problem?
 
rsivanandanCommented:
OK, if that port is occupied then use another one. You could pick something like 8081, not a problem.

Cheers,
Rajesh
 
aucklandnzAuthor Commented:
Thanks guys, you rock. If I have any problems with accessing websites I will post a new question.

Thanks once again
Chris
 
aucklandnzAuthor Commented:
How can I assign some points to Rajesh, as he contributed a lot as well? Thanks Rajesh!!!!!
 
rsivanandanCommented:
I thought I helped you get it configured???

Cheers,
Rajesh
 
Rick HobbsRETIREDCommented:
Glad I could help. In the future, right above the comment area there should be a link to split points. Just select that link and you can assign the points to as many experts as you want. I don't know if there is any way to do it now.
