troubleshooting Question

Cisco PIX - Cannot access FTP sites from the inside of my network.

Avatar of daniml
daniml asked on
Hardware FirewallsCisco
6 Comments1 Solution731 ViewsLast Modified:
Dear all,

I am having a problem with users being unable to access ftp sites on the internet.  The users are on the inside interface.  I can access FTP site using devices in my DMZ.  Here is a copy of my config.  Do you see what is wrong?

Thanks,

D

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password *******
passwd ********
hostname Pix
domain-name ******
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list acl_out permit tcp any host x.x.x.58 eq smtp
access-list acl_out permit tcp any host x.x.x.58 eq www
access-list acl_out permit tcp any host x.x.x.58 eq 3389
access-list acl_out permit tcp any host x.x.x.59 eq www
access-list acl_out permit tcp any host x.x.x.59 eq https
access-list acl_out permit tcp any host x.x.x.58 eq pop3
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host x.x.x.60 eq ftp
access-list acl_out permit ip 192.168.1.0 255.255.255.0 172.35.3.0 255.255.255.0
access-list acl_out permit ip 172.168.115.0 255.255.255.0 172.35.3.0 255.255.255.0
access-list acl_dmz permit ip host 172.168.115.2 host 192.168.1.2
access-list acl_dmz permit ip host 172.168.115.3 any
access-list acl_dmz permit icmp any any
access-list acl_dmz permit ip host 172.168.115.5 host 192.168.1.4
access-list vpn permit ip 192.168.1.0 255.255.255.0 172.35.3.0 255.255.255.0
access-list vpn permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging on
logging trap warnings
logging host inside 192.168.1.253
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside x.x.x.62 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip address dmz 172.168.115.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dealer 172.35.3.20-172.35.3.200
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 192.168.1.5 255.255.255.255 0 0
nat (inside) 1 192.168.1.52 255.255.255.255 0 0
nat (inside) 1 192.168.1.190 255.255.255.255 0 0
nat (inside) 1 192.168.1.250 255.255.255.255 0 0
nat (inside) 1 192.168.1.251 255.255.255.255 0 0
nat (inside) 1 192.168.1.253 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp x.x.x.60 ftp 192.168.1.253 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 www 172.168.115.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 3389 172.168.115.3 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 pop3 172.168.115.3 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.58 smtp 172.168.115.3 smtp netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) x.x.x.59 172.168.115.2 netmask 255.255.255.255 0 0
static (dmz,outside) x.x.x.58 172.168.115.3 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_dmz in interface dmz
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.57 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set vpntunnel esp-3des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set vpntunnel
crypto map remotevpn 20 ipsec-isakmp dynamic cisco
crypto map remotevpn interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup midamericavpn address-pool dealer
vpngroup midamericavpn dns-server 192.168.1.1
vpngroup midamericavpn default-domain midamerica.local
vpngroup midamericavpn split-tunnel vpn
vpngroup midamericavpn idle-time 1800
vpngroup midamericavpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group clientaccess accept dialin pptp
vpdn group clientaccess ppp authentication mschap
vpdn group clientaccess ppp encryption mppe auto
vpdn group clientaccess client configuration address local dealer
vpdn group clientaccess pptp echo 60
vpdn group clientaccess client authentication local
vpdn username admin password *********
vpdn username midjack password *********
vpdn username midwes password *********
vpdn username midtrent password *********
vpdn enable outside
terminal width 80
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 1 Answer and 6 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 6 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros