Solved

PIX 506e and iis 6

Posted on 2006-07-19
Last Modified: 2013-11-29
Hi all,

I have installed and configured IIS 6 on my Windows 2003 SP1 server. Now I want to access FTP and view my websites from the outside world. We have a Cisco PIX 506e (with Device Manager 3.0); what do I have to do on my PIX in order to access FTP and view my websites?

Thanks
Question by:aucklandnz
 
LVL 22

Expert Comment

by:rickhobbs
ID: 17143551
Add a rule allowing FTP and do a NAT translation from the outside interface on port 25 to the ftp server internally.
Add a rule allowing HTTP and do a NAT translation from the outside on port 80 to the HTTP server internally.
LVL 3

Author Comment

by:aucklandnz
ID: 17143558
Thanks for the reply,

I'm new to Cisco; would you know the command lines by any chance?

Thanks
LVL 22

Accepted Solution

by:rickhobbs (earned 250 total points)
ID: 17143569
fixup protocol ftp 21
fixup protocol http 80
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-group acl_inbound in interface outside


where xxx.xxx.xxx.xxx is the address (or addresses) of the inside host


These are the command line interface commands.
LVL 22

Expert Comment

by:rickhobbs
ID: 17143586
Sorry, I forgot the static nat maps:

static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0

where xxx.xxx.xxx.xxx is the address (or addresses) of the inside host(s)
and yyy.yyy.yyy.yyy is the address of the outside interface
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 250 total points
ID: 17143637
I presume you don't have a spare public IP address? If so, you need port forwarding instead of static NATs:

static (inside,outside) tcp interface 21 <InternalIPOfWebServer> 21
static (inside,outside) tcp interface 80 <InternalIPOfWebServer> 80

access-list <Name> permit tcp any interface outside eq 21
access-list <Name> permit tcp any interface outside eq 80

Cheers,
Rajesh
LVL 22

Expert Comment

by:rickhobbs
ID: 17143652
Rajesh is correct. If you only have a single external IP address, the static and access-list commands should be in the format he has used.
LVL 3

Author Comment

by:aucklandnz
ID: 17143655
Thanks.

I did the following:
fixup protocol ftp 21
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-group acl_inbound in interface outside

but I cannot connect to my FTP.

I ran sh run and I can see the changes I made (I haven't saved anything just yet).

Thanks
LVL 10

Expert Comment

by:Joesmail
ID: 17145338
Make sure the host xxx.xxx.xxx.xxx is the outside address you're using.

If you have a spare IP address you should use a static 1-to-1 map and apply the acl_permit access-list:

static (inside,outside) 203.33.44.55 192.168.1.2 netmask 255.255.255.255

access-list acl_inbound permit tcp any host 203.33.44.55 eq ftp
access-group acl_inbound in interface outside
 
LVL 22

Expert Comment

by:rickhobbs
ID: 17145401
Can you access the FTP server on your LAN? ( have you made sure it is working internally?)
LVL 3

Author Comment

by:aucklandnz
ID: 17149996
Hi,

Yes, I can access FTP on the LAN.

OK, so if I put in the following lines it should work, right?
fixup protocol ftp 21
access-list acl_inbound permit tcp any host (myFTPServer) eq ftp
static (inside,outside) tcp interface 21 <InternalIPOfWebServer> 21
access-group acl_inbound in interface outside


thanks a lot
LVL 22

Expert Comment

by:rickhobbs
ID: 17150397
That is correct, sir!
LVL 3

Author Comment

by:aucklandnz
ID: 17150513
Does my FTP server have to be part of my domain?
LVL 10

Expert Comment

by:Joesmail
ID: 17150674
Hi aucklander.

http://support.microsoft.com/?kbid=323384

Where the article above says to "allow only anonymous connections", remove that and choose "integrated windows authentication" only. This should be the only checkbox shown.

Then create a local Windows account "ftpuser" with a password that does not expire. Then give this user read/write access to the directory you configured as the "home directory" in the article above.
LVL 3

Author Comment

by:aucklandnz
ID: 17150680
FTP is working :)

What lines do I have to put in to access my website?

Thanks
LVL 10

Expert Comment

by:Joesmail
ID: 17150696
If you want each of your users to supply their own domain account username then create a domain group and give it the access you need to the ftp directory.

There is a new feature in the Windows 2003 FTP service that allows each user to have their own FTP user directory. This feature is called "user isolation"; this article explains it.

http://www.windowsnetworking.com/articles_tutorials/Creating-Configuring-FTP.html
LVL 10

Expert Comment

by:Joesmail
ID: 17150712
Hi Aucklander.

Supply me your config here (remember to remove the actual IP addresses).

I will post the changes you will need to make to access it externally.
LVL 22

Expert Comment

by:rickhobbs
ID: 17150868
fixup protocol http 80
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq www
LVL 22

Expert Comment

by:rickhobbs
ID: 17150874
Of course, xxx.xxx.xxx.xxx is the inside FTP server address.
LVL 3

Author Comment

by:aucklandnz
ID: 17150903
Hi,

OK, all I did to access my FTP was:
fixup protocol ftp 21
access-list acl_inbound permit tcp any host 192.168.0.131 eq ftp
static (inside,outside) tcp interface 21 192.168.0.131 21
access-list acl_inbound permit tcp any host <external ip> eq ftp
access-group acl_inbound in interface outside

FTP is working!!!

Now I want to be able to view my website, so I put in the following lines:

access-list acl_inbound permit tcp any host 192.168.0.131 eq www
static (inside,outside) tcp interface 80 192.168.0.131 80 (here I'm getting an error: invalid global port 192.168.0.131)
access-list acl_inbound permit tcp any host <external ip> eq 80
access-group acl_inbound in interface outside

I cannot view my website.

Thanks
LVL 22

Expert Comment

by:rickhobbs
ID: 17150927
fixup protocol http 80
access-list acl_inbound permit tcp any host <external IP> eq www
static (inside,outside) tcp interface 80 192.168.0.131 80


The fourth line is already there.


This should work! Check for typing errors.
LVL 22

Expert Comment

by:rickhobbs
ID: 17150972
If it doesn't, try
fixup protocol http 80
access-list acl_inbound permit tcp any any eq www
static (inside,outside) tcp interface www 192.168.0.131 www
LVL 3

Author Comment

by:aucklandnz
ID: 17150974
I'm getting an error:
duplicate of existing static after this line:
static (inside,outside) tcp interface 80 192.168.0.131 80


Thanks
LVL 22

Expert Comment

by:rickhobbs
ID: 17151084
Can you do a show run | include static, change the external IP addresses and paste it here?
LVL 32

Expert Comment

by:rsivanandan
ID: 17151344
For http, you'll have to disable the http server on pix firewall or run your webserver on a different port.

static (inside,outside) tcp interface 8080 192.168.0.131 80

Cheers,
Rajesh
LVL 22

Expert Comment

by:rickhobbs
ID: 17151442
I forgot all about the management web server. The devil is in the details. Thanks Rajesh!
LVL 3

Author Comment

by:aucklandnz
ID: 17151444
Hi,

I don't really want to paste my config on here; would you be able to help me without seeing the whole config?

Thanks
LVL 22

Expert Comment

by:rickhobbs
ID: 17151454
The answer from Rajesh is the solution. Either change the port your web server runs on or do a no http server to turn off the web management on the PIX. It is no problem to paste your config here; just change the external addresses and remove the password lines before posting.
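A small check a practitioner could run over a sanitised PIX 6.x snippet before pasting it into the firewall, added here as an example and not part of this thread or of any Cisco tooling: it flags the two problems worked through above (an inbound access-list aimed at the inside, private address instead of the outside interface, and a "static ... interface 80" forward while the PIX's own http server is enabled) plus duplicate forwards. The sample config, the regexes and the port keyword map are constructed for the example.

```python
import ipaddress
import re

# Constructed PIX 6.x snippet modelled on the lines posted in this thread
# (an ACL aimed at the inside host, and a port-80 forward while the PIX's
# own http server is enabled); it is not a real device config.
SAMPLE_CONFIG = """\
http server enable
fixup protocol ftp 21
static (inside,outside) tcp interface 21 192.168.0.131 21
static (inside,outside) tcp interface 80 192.168.0.131 80
access-list acl_inbound permit tcp any host 192.168.0.131 eq ftp
access-list acl_inbound permit tcp any interface outside eq 21
access-list acl_inbound permit tcp any interface outside eq 80
access-group acl_inbound in interface outside
"""
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (?:host (\S+)|interface outside) eq (\S+)$")
PORT_NAMES = {"ftp": 21, "www": 80, "http": 80}  # keywords used in the thread


def port_num(tok):
    """Turn a PIX port token (number or keyword) into an int, or None."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)


def lint_port_forwards(config):
    """Check 'static ... interface' port forwards against the inbound ACL."""
    findings, forwards = [], {}  # forwards: outside port -> inside host
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    mgmt_http = "http server enable" in lines
    for m in filter(None, map(STATIC_RE.match, lines)):  # pass 1: forwards
        gport = port_num(m.group(1))
        if gport is None:
            findings.append(f"static: unparseable outside port {m.group(1)!r}")
        elif gport in forwards:
            findings.append(f"static: duplicate forward for outside port {gport}")
        else:
            forwards[gport] = m.group(2)
            if gport == 80 and mgmt_http:
                findings.append("static: outside port 80 is taken by the PIX http "
                                "server; disable it or forward another port")
    for m in filter(None, map(ACL_RE.match, lines)):  # pass 2: inbound permits
        name, host, port = m.groups()
        if host and ipaddress.ip_address(host).is_private:
            findings.append(f"access-list {name}: 'host {host}' is an inside "
                            "address; inbound ACLs match the outside address")
        elif port_num(port) not in forwards:
            findings.append(f"access-list {name}: port {port} has no matching static")
    return findings
```

Running lint_port_forwards(SAMPLE_CONFIG) reports the port-80 collision and the private-address ACL; a config that forwards an unused port such as 8081 and permits that same port on the outside interface comes back clean.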
LVL 3

Author Comment

by:aucklandnz
ID: 17151538
I'm running WebMarshal on port 8080; would it be a problem?
LVL 32

Expert Comment

by:rsivanandan
ID: 17151756
Ok, if that port is occupied then use another one. You could pick something like 8081, not a problem.

Cheers,
Rajesh
LVL 3

Author Comment

by:aucklandnz
ID: 17151801
Thanks guys,
you rock; if I have any problems with accessing websites I will post a new post.

Thanks once again
Chris
LVL 3

Author Comment

by:aucklandnz
ID: 17151813
How can I assign some points to Rajesh, as he contributed a lot as well? Thanks Rajesh!!!!!
LVL 32

Expert Comment

by:rsivanandan
ID: 17151837
I thought I helped you get it configured ???

Cheers,
Rajesh
LVL 22

Expert Comment

by:rickhobbs
ID: 17154224
Glad I could help. In the future, right above the comment area there should be a link to split points. Just select that link and you can assign the points to as many experts as you want. I don't know if there is any way to do it now.