Solved

Allow FTP traffic through PIX to internal FTP server

Posted on 2009-04-05
Last Modified: 2013-11-29
I am having trouble getting FTP to work through my PIX firewall. I used to have it working, but during an effort to get a client VPN setup we made some changes to the firewall. We ended up setting up the VPN on a different PIX and now I am left with my FTP site not working. The FTP site works fine internally so I know it is working. Please Help!!!
Here is my current config on my PIX:
----------------------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security15
nameif ethernet4 dmz3 security20
nameif ethernet5 dmz4 security25
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
hostname PIXFW01
domain-name ad.XxX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 64.115.29.7 eq ftp
access-list outside permit tcp any any eq 1723
access-list nonat permit ip 10.50.0.0 255.255.0.0 10.51.1.0 255.255.255.0
access-list inbound permit tcp any any eq ftp
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside 64.115.29.8 255.255.255.248
ip address inside 10.50.254.250 255.255.0.0
ip address dmz1 127.0.0.1 255.255.255.255
ip address dmz2 127.0.0.1 255.255.255.255
ip address dmz3 127.0.0.1 255.255.255.255
ip address dmz4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
failover ip address dmz3 0.0.0.0
failover ip address dmz4 0.0.0.0
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 64.115.29.6 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 64.115.29.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.50.1.227 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
isakmp enable outside
isakmp key ******** address 208.42.8.93 netmask 255.255.255.255
isakmp key ******** address 66.95.109.147 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup ciscotac idle-time 1800
vpngroup XxXVPN idle-time 1800
telnet 10.51.1.0 255.255.255.0 outside
telnet 10.50.0.0 255.255.0.0 inside
telnet 10.50.1.203 255.255.255.255 inside
telnet 10.50.1.203 255.255.255.255 dmz1
telnet 10.50.1.203 255.255.255.255 dmz2
telnet 10.50.1.203 255.255.255.255 dmz3
telnet 10.50.1.203 255.255.255.255 dmz4
telnet timeout 5
ssh timeout 30
terminal width 80
-----------------------------------------
Question by:PCWimp

10 Comments

Expert Comment by:debuggerau
I see no 'ftp mode passive', but that may not have any effect.

This one is interesting.
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0

So you're mapping an outside ftp server internally, can you access it from this 10.50.1.227 address?

Is the FTP server the same address? (64.115.29.7)

And how are you accessing it internally? (ip address)..
Author Comment by:PCWimp
This one is interesting.
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
So you're mapping an outside ftp server internally, can you access it from this 10.50.1.227 address?
[Yes]

Is the FTP server the same address? (64.115.29.7)
[Yes]

And how are you accessing it internally? (ip address)..
[I am able to access it by server name and IP address]

Thanks...
Author Comment by:PCWimp
Upgraded account and increased the points on this question!
Expert Comment by:debuggerau
What else could have happened to the 61.115.29.7 public IP? Is it the one used for VPN access by chance?
Author Comment by:PCWimp
I tried to use that one for VPN but removed the commands I entered for it. I ended up setting up the VPN on a different PIX in a different site.
Expert Comment by:debuggerau
You may need to double-check the other PIX for issues with this IP.

Have you turned the other off to eliminate it for testing?
Author Comment by:PCWimp
The other PIX is in a different site. Different state... Totally different internet connection, provider and IP range. Even the internal IP addresses are different.
Accepted Solution by: andrewis (earned 500 total points)
Your access-group command seems to be missing. If you have no ACE allowing inbound traffic from the outside it will be dropped by default as this would be passing from a lower to higher security level.

access-group 100 in interface outside
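One way to catch this class of misconfiguration automatically, as an added example that is not from the original thread: a small Python linter over the relevant PIX 6.2 lines (constructed sample below, trimmed from the posted config) that reports access-lists never bound with access-group and static translations whose mapped interface has no inbound ACL applied. Adding the accepted answer's `access-group 100 in interface outside` clears the static finding.

```python
import re

# Constructed sample: the ACL and static lines from the posted config, with the
# access-group line missing (the defect the accepted answer identifies).
SAMPLE_CONFIG = """\
access-list 100 permit tcp any host 64.115.29.7 eq ftp
access-list outside permit tcp any any eq 1723
access-list inbound permit tcp any any eq ftp
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
"""

ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
# static (real_if,mapped_if) tcp|udp mapped_ip mapped_port real_ip real_port ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (?:tcp|udp) (\S+) (\S+) (\S+) (\S+)")


def lint_pix(config):
    """Return findings: ACLs defined but never applied, and statics whose
    mapped (lower-security) interface has no inbound access-group, meaning
    inbound connections to the translation are dropped by default."""
    defined, bound, statics = set(), {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            defined.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)   # interface -> ACL name
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())
    findings = []
    for name in sorted(defined - set(bound.values())):
        findings.append(f"access-list {name} is defined but never applied with access-group")
    for real_if, mapped_if, mip, mport, rip, rport in statics:
        if mapped_if not in bound:
            findings.append(
                f"static {mip}/{mport} -> {rip}/{rport}: interface {mapped_if} has no "
                f"inbound access-group, so traffic from {mapped_if} to {real_if} is dropped"
            )
    return findings


if __name__ == "__main__":
    for f in lint_pix(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("--- after adding access-group 100 in interface outside ---")
    for f in lint_pix(SAMPLE_CONFIG + "access-group 100 in interface outside\n"):
        print("FINDING:", f)
```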
Expert Comment by:andrewis
I meant from higher to lower security level.
Expert Comment by:andrewis
sorry pls delete that post of mine...