Solved

Allow FTP traffic through PIX to internal FTP server

Posted on 2009-04-05
10
439 Views
Last Modified: 2013-11-29
I am having trouble getting FTP to work through my PIX firewall. I used to have it working, but during an effort to get a client VPN set up we made some changes to the firewall. We ended up setting up the VPN on a different PIX and now I am left with my FTP site not working. The FTP site works fine internally so I know it is working. Please help!!!
Here is my current config on my PIX:
----------------------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security15
nameif ethernet4 dmz3 security20
nameif ethernet5 dmz4 security25
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
hostname PIXFW01
domain-name ad.XxX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 64.115.29.7 eq ftp
access-list outside permit tcp any any eq 1723
access-list nonat permit ip 10.50.0.0 255.255.0.0 10.51.1.0 255.255.255.0
access-list inbound permit tcp any any eq ftp
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside 64.115.29.8 255.255.255.248
ip address inside 10.50.254.250 255.255.0.0
ip address dmz1 127.0.0.1 255.255.255.255
ip address dmz2 127.0.0.1 255.255.255.255
ip address dmz3 127.0.0.1 255.255.255.255
ip address dmz4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
failover ip address dmz3 0.0.0.0
failover ip address dmz4 0.0.0.0
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 64.115.29.6 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 64.115.29.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.50.1.227 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
isakmp enable outside
isakmp key ******** address 208.42.8.93 netmask 255.255.255.255
isakmp key ******** address 66.95.109.147 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup ciscotac idle-time 1800
vpngroup XxXVPN idle-time 1800
telnet 10.51.1.0 255.255.255.0 outside
telnet 10.50.0.0 255.255.0.0 inside
telnet 10.50.1.203 255.255.255.255 inside
telnet 10.50.1.203 255.255.255.255 dmz1
telnet 10.50.1.203 255.255.255.255 dmz2
telnet 10.50.1.203 255.255.255.255 dmz3
telnet 10.50.1.203 255.255.255.255 dmz4
telnet timeout 5
ssh timeout 30
terminal width 80
-----------------------------------------
Question by:PCWimp
10 Comments
 
LVL 23

Expert Comment

by:debuggerau
ID: 24074352
I see no 'ftp mode passive', but that may not have any effect.

This one is interesting.
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0

So you're mapping an outside FTP server internally, can you access it from this 10.50.1.227 address?

Is the FTP server the same address? (64.115.29.7)

And how are you accessing it internally? (ip address)..
 

Author Comment

by:PCWimp
ID: 24074362
This one is interesting.
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
So you're mapping an outside FTP server internally, can you access it from this 10.50.1.227 address?
[Yes]

Is the FTP server the same address? (64.115.29.7)
[Yes]

And how are you accessing it internally? (ip address)..
[I am able to access it by server name and IP address]

Thanks...
 

Author Comment

by:PCWimp
ID: 24074363
Upgraded account and increased the points on this question!
LVL 23

Expert Comment

by:debuggerau
ID: 24074403
What else could have happened to the 61.115.29.7 public IP? Is it the one used for VPN access by chance?

 

Author Comment

by:PCWimp
ID: 24074548
I tried to use that one for VPN but removed the commands I entered for it. I ended up setting up the VPN on a different PIX in a different site.
 
LVL 23

Expert Comment

by:debuggerau
ID: 24074574
You may need to double-check the other PIX for issues with this IP.

Have you turned the other one off to eliminate it for testing?
 

Author Comment

by:PCWimp
ID: 24074950
The other PIX is in a different site. Different state... Totally different internet connection, provider and IP range. Even the internal IP addresses are different.
 
LVL 5

Accepted Solution

by: andrewis (earned 500 total points)
ID: 24077235
Your access-group command seems to be missing. If you have no ACE allowing inbound traffic from the outside it will be dropped by default as this would be passing from a lower to higher security level.

access-group 100 in interface outside
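An added audit script, not from this thread or from Cisco, that checks a PIX 6.x configuration for the condition andrewis points out: a static translation whose mapped (lower-security) interface has no access-group binding, so inbound connections are dropped by default, plus access-lists that are defined but never applied. The sample config is a constructed excerpt of the question's configuration with the access-group line absent.

```python
import re

# Constructed sample: the relevant lines of the PIX 6.2(2) config posted above,
# without any access-group command (the defect the accepted answer identifies).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit tcp any host 64.115.29.7 eq ftp
access-list outside permit tcp any any eq 1723
access-list inbound permit tcp any any eq ftp
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
"""

def parse_pix(config):
    """Collect interface security levels, ACL names, access-group bindings and statics."""
    levels, acls, bindings, statics = {}, set(), {}, []
    for line in config.splitlines():
        m = re.match(r"nameif \S+ (\S+) security(\d+)", line)
        if m:
            levels[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"access-list (\S+) ", line)
        if m:
            acls.add(m.group(1))
            continue
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            bindings[m.group(2)] = m.group(1)   # interface -> ACL applied inbound
            continue
        m = re.match(r"static \((\S+),(\S+)\)", line)
        if m:
            statics.append((m.group(1), m.group(2)))   # (real_ifc, mapped_ifc)
    return levels, acls, bindings, statics

def audit(config):
    """Return findings explaining why inbound translations cannot be reached."""
    levels, acls, bindings, statics = parse_pix(config)
    findings = []
    for real_ifc, mapped_ifc in statics:
        # Connections arrive on mapped_ifc and are destined for real_ifc; if that is a
        # lower-to-higher security hop, the PIX needs an ACL bound to mapped_ifc.
        mapped_lvl, real_lvl = levels.get(mapped_ifc, 0), levels.get(real_ifc, 0)
        if mapped_lvl < real_lvl and mapped_ifc not in bindings:
            findings.append(f"static {real_ifc}<-{mapped_ifc}: {mapped_ifc} (security{mapped_lvl}) "
                            f"has no access-group, so inbound traffic is dropped by default")
    for name in sorted(acls - set(bindings.values())):
        findings.append(f"access-list {name} is defined but never applied with access-group")
    return findings
```

Appending the line from the accepted answer (`access-group 100 in interface outside`) to the sample clears the static finding and leaves only the two unused access-lists.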
 
LVL 5

Expert Comment

by:andrewis
ID: 24082104
I meant from higher to lower security level.
 
LVL 5

Expert Comment

by:andrewis
ID: 24082107
Sorry, please delete that post of mine...
