Solved

PIX 506e and iis 6

Posted on 2006-07-19
Last Modified: 2013-11-29
Hi all,

I have installed and configured IIS 6 on my Windows 2003 SP1 server. Now I want to access FTP and view my websites from the outside world. We have a Cisco PIX 506E (with Device Manager 3.0). What do I have to do on my PIX in order to access FTP and view my websites?

Thanks
Question by:aucklandnz
34 Comments
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17143551
Add a rule allowing FTP and do a NAT translation from the outside interface on port 25 to the ftp server internally.
Add a rule allowing HTTP and do a NAT translation from the outside on port 80 to the HTTP server internally.
 
LVL 3

Author Comment

by:aucklandnz
ID: 17143558
thanks for the reply,

I'm new to Cisco; would you know the command lines by any chance?

Thanks
 
LVL 22

Accepted Solution

by:Rick Hobbs (earned 250 total points)
ID: 17143569
fixup protocol ftp 21
fixup protocol http 80
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq www
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-group acl_inbound in interface outside


where xxx.xxx.xxx.xxx are the address or addresses of the inside host


These are the command line interface commands.
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17143586
Sorry, I forgot the static nat maps:

static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0
static (inside,outside) xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy netmask 255.255.255.255 0 0

where xxx.xxx.xxx.xxx are the address or addresses of the inside host(s)
where yyy.yyy.yyy.yyy is the address of the outside interface
 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 250 total points
ID: 17143637
I presume you don't have a spare public IP address? If so, you need to have port forwarding instead of static NATs:

static (inside,outside) tcp interface 21 <InternalIPOfWebServer> 21
static (inside,outside) tcp interface 80 <InternalIPOfWebServer> 80

access-list <Name> permit tcp any interface outside eq 21
access-list <Name> permit tcp any interface outside eq 80

Cheers,
Rajesh
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17143652
Rajesh is correct. If you only have a single external IP address, the static and access-list commands should be in the format he has used.
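A complete version of the single-public-IP setup that the last two comments sketch, added here as a worked example; it is not code posted in the thread. It assumes PIX 6.3 syntax (the release PDM 3.0 runs on), the inside server address 192.168.0.131 that the asker gives later in the thread, and the ACL name acl_inbound from the accepted answer; the netmask and the two trailing 0 arguments are the defaults written out explicitly. Lines starting with ! are commentary for the reader, and the show commands at the end are exec-mode checks, not configuration.

```cisco
! Added example (not from the thread): forward FTP and HTTP from the
! single public address held by the outside interface to one inside host.
! Assumptions: PIX 6.3, inside server 192.168.0.131, ACL name acl_inbound.

! Application inspection. The FTP fixup is what opens the data-channel
! pinholes and rewrites the private address embedded in PASV/PORT replies;
! without it the control connection on tcp/21 works but transfers hang.
fixup protocol ftp 21
fixup protocol http 80

! Port-forwarding statics: public port on the outside interface address,
! mapped to the same port on the inside server. "netmask 255.255.255.255 0 0"
! is the default (host mask, no connection or embryonic-connection limit).
static (inside,outside) tcp interface ftp 192.168.0.131 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.0.131 www netmask 255.255.255.255 0 0

! The inbound ACL on the outside interface is matched against the public
! (pre-translation) destination, so it names the outside interface, not the
! private address of the server.
access-list acl_inbound permit tcp any interface outside eq ftp
access-list acl_inbound permit tcp any interface outside eq www
access-group acl_inbound in interface outside

! Exec-mode checks, run after a connection attempt from the Internet:
!   show static                   both port statics are present
!   show access-list acl_inbound  hitcnt on the ftp/www lines increments
!   show xlate                    the PAT entries for 192.168.0.131 are listed
! Only once it works:
!   write memory
```

One point the asker's own attempt runs into: a line such as permit tcp any host 192.168.0.131 eq ftp on the outside ACL never matches, because that ACL is evaluated against the public address; it is harmless but does nothing, and the line naming interface outside is the one whose hit count should move. Keep the static, the ACL entry and the fixup together as a unit: a missing one of the three gives a silent failure with no log message beyond the denied connection.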
 
LVL 3

Author Comment

by:aucklandnz
ID: 17143655
Thanks.

I did the following:
fixup protocol ftp 21
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-group acl_inbound in interface outside

but I cannot connect to my FTP.

I put in 'sh run' and I can see the changes I made (didn't save anything just yet).

Thanks
 
LVL 10

Expert Comment

by:Joesmail
ID: 17145338
Make sure the host xxx.xxx.xxx.xxx is the outside address you're using.

If you have a spare IP address you should use a static 1-to-1 map and apply the acl_permit access-list:

static (inside,outside) 203.33.44.55 192.168.1.2 netmask 255.255.255.255

access-list acl_inbound permit tcp any host 203.33.44.55 eq ftp
access-group acl_inbound in interface outside
 
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17145401
Can you access the FTP server on your LAN? (Have you made sure it is working internally?)
 
LVL 3

Author Comment

by:aucklandnz
ID: 17149996
Hi,

Yes, I can access FTP on the LAN.

OK, so if I put in the following lines it should work, right?
fixup protocol ftp 21
access-list acl_inbound permit tcp any host (myFTPServer) eq ftp
static (inside,outside) tcp interface 21 <InternalIPOfWebServer> 21
access-group acl_inbound in interface outside


Thanks a lot
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17150397
That is correct, sir!
 
LVL 3

Author Comment

by:aucklandnz
ID: 17150513
Does my FTP server have to be part of my domain?
 
LVL 10

Expert Comment

by:Joesmail
ID: 17150674
Hi aucklander.

http://support.microsoft.com/?kbid=323384

Where the following article says to "allow only anonymous connections" remove this and choose "integrated windows authentication" only.  This should be the only checkbox shown.

Then create a local Windows account "ftpuser" with a password that does not expire. Then give this user read/write access to the directory where you configured "home directory" in the article above.
 
LVL 3

Author Comment

by:aucklandnz
ID: 17150680
FTP is working :)

What lines do I have to put in to access my website?

thanks
 
LVL 10

Expert Comment

by:Joesmail
ID: 17150696
If you want each of your users to supply their own domain account username then create a domain group and give it the access you need to the ftp directory.

There is a new feature in the Windows 2003 FTP service that allows each user to have their own FTP user directory. This feature is called "user isolation"; this article explains it.

http://www.windowsnetworking.com/articles_tutorials/Creating-Configuring-FTP.html
 
LVL 10

Expert Comment

by:Joesmail
ID: 17150712
Hi Aucklander.

Supply me your config here:  (remember to remove the actual ip addresses).

I will post the changes you will need to make to access it externally.
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17150868
fixup protocol http 80
access-list acl_inbound permit tcp any host xxx.xxx.xxx.xxx eq www
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17150874
of course xxx.xxx.xxx.xxx is the inside ftp server address
 
LVL 3

Author Comment

by:aucklandnz
ID: 17150903
Hi,

OK, all I did to access my FTP was:
fixup protocol ftp 21
access-list acl_inbound permit tcp any host 192.168.0.131 eq ftp
static (inside,outside) tcp interface 21 192.168.0.131 21
access-list acl_inbound permit tcp any host <external ip> eq ftp
access-group acl_inbound in interface outside

FTP is working!!!

Now I want to be able to view my website, so I put in the following lines:

access-list acl_inbound permit tcp any host 192.168.0.131 eq www
static (inside,outside) tcp interface 80 192.168.0.131 80 (here I'm getting an error: invalid global port 192.168.0.131)
access-list acl_inbound permit tcp any host <external ip> eq 80
access-group acl_inbound in interface outside

I cannot view my website.

Thanks
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17150927
fixup protocol http 80
access-list acl_inbound permit tcp any host <external IP> eq www
static (inside,outside) tcp interface 80 192.168.0.131 80


fourth line is already there.


This should work!  check for typing error.
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17150972
if it doesn't, try
fixup protocol http 80
access-list acl_inbound permit tcp any any eq www
static (inside,outside) tcp interface www 192.168.0.131 www
 
LVL 3

Author Comment

by:aucklandnz
ID: 17150974
I'm getting an error:
"duplicate of existing static" after this line:
static (inside,outside) tcp interface 80 192.168.0.131 80


thanks
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17151084
Can you do a 'show run | include static', change the external IP addresses, and paste it here?
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17151344
For http, you'll have to disable the http server on pix firewall or run your webserver on a different port.

static (inside,outside) tcp interface 8080 192.168.0.131 80

Cheers,
Rajesh
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17151442
I forgot all about the management web server.  The devil is in the details.   Thanks Rajesh!
 
LVL 3

Author Comment

by:aucklandnz
ID: 17151444
hi,

I don't really want to paste my config on here; would you be able to help me without seeing the whole config?

thx
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17151454
The answer from Rajesh is the solution.  Either change the port your web server runs on or do a no http server to turn off the web management on the PIX.  It is no problem to paste your config here, just change the external addresses and remove the password lines before posting.
 
LVL 3

Author Comment

by:aucklandnz
ID: 17151538
I'm running WebMarshal on port 8080; would it be a problem?
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17151756
Ok, if that port is occupied then use another one. You could pick something like 8081, not a problem.

Cheers,
Rajesh
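The two remedies the thread offers for the web server, written out as a worked example that is not code from the thread. Same assumptions as before: PIX 6.3, inside web server 192.168.0.131, ACL name acl_inbound; 8081 is this example's own choice of public port because the asker reports 8080 as taken by WebMarshal. Options A and B are alternatives, not one configuration to paste in full; the management-access line at the end applies to either. Lines starting with ! are commentary, and the exec-mode commands are shown as comments.

```cisco
! Added example (not from the thread): publish the inside web server
! 192.168.0.131 when the PIX's own management web server is in the way.
! Assumptions: PIX 6.3, ACL acl_inbound, 8081 chosen here as the public port.

! Option A (the thread's first suggestion): keep the public port at 80 and
! switch off the PIX management web server. PDM is then unreachable until
! "http server enable" is issued again, so keep console or SSH access.
no http server enable
static (inside,outside) tcp interface www 192.168.0.131 www netmask 255.255.255.255 0 0
access-list acl_inbound permit tcp any interface outside eq www

! Option B (the thread's second suggestion): leave PDM running and publish
! the site on a different public port, mapped to port 80 on the server.
! Visitors then browse http://<public-ip>:8081/ (port in the URL).
static (inside,outside) tcp interface 8081 192.168.0.131 www netmask 255.255.255.255 0 0
access-list acl_inbound permit tcp any interface outside eq 8081

! In either case, restrict PDM to an inside management network; the public
! address now advertises a service, so management must not be reachable there.
http 192.168.0.0 255.255.255.0 inside

! Exec-mode checks:
!   show run | include static   confirms which statics already exist
!   show run | include http     confirms the management server state
!   clear xlate                 drop stale translations after changing statics
!   show access-list acl_inbound   hitcnt on the published port increments
```

The error "duplicate of existing static" that the asker hit means the static is already in the running configuration, which show run | include static confirms; re-entering it changes nothing, so the remaining fault has to be found in the other two parts of the chain (the ACL entry for the public port, or the server itself). Whichever option is used, the ACL grants access to exactly the published port and nothing else on the outside interface.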
 
LVL 3

Author Comment

by:aucklandnz
ID: 17151801
Thanks guys
You rock; if I have any problems with accessing websites I will post a new post.

Thanks once again
Chris
 
LVL 3

Author Comment

by:aucklandnz
ID: 17151813
How can I assign some points to Rajesh, as he contributed a lot as well? Thanks Rajesh!!!!!
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17151837
I thought I helped you get it configured ???

Cheers,
Rajesh
 
LVL 22

Expert Comment

by:Rick Hobbs
ID: 17154224
Glad I could help. In the future, right above the comment area there should be a link to split points. Just select that link and you can assign the points to as many experts as you want. I don't know if there is any way to do it now.
