daniml
asked on
Cisco PIX - Cannot access FTP sites from the inside of my network.
Dear all,
I am having a problem with users being unable to access ftp sites on the internet. The users are on the inside interface. I can access FTP site using devices in my DMZ. Here is a copy of my config. Do you see what is wrong?
Thanks,
D
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password *******
passwd ********
hostname Pix
domain-name ******
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any host x.x.x.58 eq smtp
access-list acl_out permit tcp any host x.x.x.58 eq www
access-list acl_out permit tcp any host x.x.x.58 eq 3389
access-list acl_out permit tcp any host x.x.x.59 eq www
access-list acl_out permit tcp any host x.x.x.59 eq https
access-list acl_out permit tcp any host x.x.x.58 eq pop3
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host x.x.x.60 eq ftp
access-list acl_out permit ip 192.168.1.0 255.255.255.0 172.35.3.0 255.255.255.0
access-list acl_out permit ip 172.168.115.0 255.255.255.0 172.35.3.0 255.255.255.0
access-list acl_dmz permit ip host 172.168.115.2 host 192.168.1.2
access-list acl_dmz permit ip host 172.168.115.3 any
access-list acl_dmz permit icmp any any
access-list acl_dmz permit ip host 172.168.115.5 host 192.168.1.4
access-list vpn permit ip 192.168.1.0 255.255.255.0 172.35.3.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.1.253
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.62 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip address dmz 172.168.115.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 172.35.3.20-172.35.3.200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 192.168.1.5 255.255.255.255 0 0
nat (inside) 1 192.168.1.52 255.255.255.255 0 0
nat (inside) 1 192.168.1.190 255.255.255.255 0 0
nat (inside) 1 192.168.1.250 255.255.255.255 0 0
nat (inside) 1 192.168.1.251 255.255.255.255 0 0
nat (inside) 1 192.168.1.253 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.60 ftp 192.168.1.253 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 www 172.168.115.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 3389 172.168.115.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 pop3 172.168.115.3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 smtp 172.168.115.3 smtp netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) x.x.x.59 172.168.115.2 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.58 172.168.115.3 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set vpntunnel esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set vpntunnel
crypto map remotevpn 20 ipsec-isakmp dynamic cisco
crypto map remotevpn interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup midamericavpn address-pool dealer
vpngroup midamericavpn dns-server 192.168.1.1
vpngroup midamericavpn default-domain midamerica.local
vpngroup midamericavpn split-tunnel vpn
vpngroup midamericavpn idle-time 1800
vpngroup midamericavpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group clientaccess accept dialin pptp
vpdn group clientaccess ppp authentication mschap
vpdn group clientaccess ppp encryption mppe auto
vpdn group clientaccess client configuration address local dealer
vpdn group clientaccess pptp echo 60
vpdn group clientaccess client authentication local
vpdn username admin password *********
vpdn username midjack password *********
vpdn username midwes password *********
vpdn username midtrent password *********
vpdn enable outside
terminal width 80
I am having a problem with users being unable to access ftp sites on the internet. The users are on the inside interface. I can access FTP site using devices in my DMZ. Here is a copy of my config. Do you see what is wrong?
Thanks,
D
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password *******
passwd ********
hostname Pix
domain-name ******
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any host x.x.x.58 eq smtp
access-list acl_out permit tcp any host x.x.x.58 eq www
access-list acl_out permit tcp any host x.x.x.58 eq 3389
access-list acl_out permit tcp any host x.x.x.59 eq www
access-list acl_out permit tcp any host x.x.x.59 eq https
access-list acl_out permit tcp any host x.x.x.58 eq pop3
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host x.x.x.60 eq ftp
access-list acl_out permit ip 192.168.1.0 255.255.255.0 172.35.3.0 255.255.255.0
access-list acl_out permit ip 172.168.115.0 255.255.255.0 172.35.3.0 255.255.255.0
access-list acl_dmz permit ip host 172.168.115.2 host 192.168.1.2
access-list acl_dmz permit ip host 172.168.115.3 any
access-list acl_dmz permit icmp any any
access-list acl_dmz permit ip host 172.168.115.5 host 192.168.1.4
access-list vpn permit ip 192.168.1.0 255.255.255.0 172.35.3.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.1.253
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.62 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip address dmz 172.168.115.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 172.35.3.20-172.35.3.200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 192.168.1.5 255.255.255.255 0 0
nat (inside) 1 192.168.1.52 255.255.255.255 0 0
nat (inside) 1 192.168.1.190 255.255.255.255 0 0
nat (inside) 1 192.168.1.250 255.255.255.255 0 0
nat (inside) 1 192.168.1.251 255.255.255.255 0 0
nat (inside) 1 192.168.1.253 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.60 ftp 192.168.1.253 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 www 172.168.115.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 3389 172.168.115.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 pop3 172.168.115.3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 smtp 172.168.115.3 smtp netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) x.x.x.59 172.168.115.2 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.58 172.168.115.3 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set vpntunnel esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set vpntunnel
crypto map remotevpn 20 ipsec-isakmp dynamic cisco
crypto map remotevpn interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup midamericavpn address-pool dealer
vpngroup midamericavpn dns-server 192.168.1.1
vpngroup midamericavpn default-domain midamerica.local
vpngroup midamericavpn split-tunnel vpn
vpngroup midamericavpn idle-time 1800
vpngroup midamericavpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group clientaccess accept dialin pptp
vpdn group clientaccess ppp authentication mschap
vpdn group clientaccess ppp encryption mppe auto
vpdn group clientaccess client configuration address local dealer
vpdn group clientaccess pptp echo 60
vpdn group clientaccess client authentication local
vpdn username admin password *********
vpdn username midjack password *********
vpdn username midwes password *********
vpdn username midtrent password *********
vpdn enable outside
terminal width 80
devinnull
Any chance the "fixup protocol ftp 21" was added recently? If so, try "clear xlate" and see if they start working.
ASKER
I wish it was that easy. The fixup has been in there since day 1. I find it really puzzling that the DMZ devices can get through, but not the inside devices.
Well you have no outbound ACL so there should be no restriction on outbound traffic and I see fixup is enabled for FTP. At first glance I see no configuration issue here.
I have seen an issue with FTP with some PIX implementations where when using PAT clients could not connect using active ftp while passive ftp worked. This was a PIX software bug and the resolution to this was to update to 6.3(5).
You can test if this is the case by using IE or some other ftp client and switching between active and passive ftp modes.
I have seen an issue with FTP with some PIX implementations where when using PAT clients could not connect using active ftp while passive ftp worked. This was a PIX software bug and the resolution to this was to update to 6.3(5).
You can test if this is the case by using IE or some other ftp client and switching between active and passive ftp modes.
static (inside,outside) x.x.x.60 192.168.1.253 netmask 255.255.255.255 0 0
try this
do not spciify the ports
try this
do not spciify the ports
ASKER
I tried both solutions with no luck. I have not upgraded the software to 6.3(5) yet. Perhaps I will try that this evening.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.