PCWimp

asked on

Allow FTP traffic through PIX to internal FTP server

I am having trouble getting FTP to work through my PIX firewall. I used to have it working, but during an effort to get a client VPN setup we made some changes to the firewall. We ended up setting up the VPN on a different PIX and now I am left with my FTP site not working. The FTP site works fine internally so I know it is working. Please Help!!!
Here is my current config on my PIX:
----------------------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security15
nameif ethernet4 dmz3 security20
nameif ethernet5 dmz4 security25
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
hostname PIXFW01
domain-name ad.XxX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 64.115.29.7 eq ftp
access-list outside permit tcp any any eq 1723
access-list nonat permit ip 10.50.0.0 255.255.0.0 10.51.1.0 255.255.255.0
access-list inbound permit tcp any any eq ftp
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside 64.115.29.8 255.255.255.248
ip address inside 10.50.254.250 255.255.0.0
ip address dmz1 127.0.0.1 255.255.255.255
ip address dmz2 127.0.0.1 255.255.255.255
ip address dmz3 127.0.0.1 255.255.255.255
ip address dmz4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
failover ip address dmz3 0.0.0.0
failover ip address dmz4 0.0.0.0
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 64.115.29.6 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 64.115.29.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.50.1.227 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
isakmp enable outside
isakmp key ******** address 208.42.8.93 netmask 255.255.255.255
isakmp key ******** address 66.95.109.147 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup ciscotac idle-time 1800
vpngroup XxXVPN idle-time 1800
telnet 10.51.1.0 255.255.255.0 outside
telnet 10.50.0.0 255.255.0.0 inside
telnet 10.50.1.203 255.255.255.255 inside
telnet 10.50.1.203 255.255.255.255 dmz1
telnet 10.50.1.203 255.255.255.255 dmz2
telnet 10.50.1.203 255.255.255.255 dmz3
telnet 10.50.1.203 255.255.255.255 dmz4
telnet timeout 5
ssh timeout 30
terminal width 80
-----------------------------------------
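An added check, not part of the original question or of any answer in this thread: a small Python audit that pairs each inbound static port mapping with the access-list entries that permit its global address and port, then confirms that one of those ACLs is actually bound to the mapped interface with access-group (on PIX 6.x an access-list has no effect on traffic until it is applied to an interface, and lower-to-higher security traffic is dropped by default). The excerpt below is constructed from the posted config lines above; the function name and the wording of the findings are assumptions.

```python
import re

# Constructed excerpt: the lines from the posted PIX 6.2(2) config that matter
# for publishing the internal FTP server. Note the full config above contains
# no access-group line at all.
SAMPLE_CONFIG = """\
fixup protocol ftp 21
access-list 100 permit tcp any host 64.115.29.7 eq ftp
access-list inbound permit tcp any any eq ftp
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
"""

# static (real_if,mapped_if) tcp <global addr> <global port> <local addr> <local port>
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)")
# access-list <name> permit tcp <src> host <dst>|any eq <port>
ACL_RE = re.compile(r"^access-list (\S+) permit tcp \S+ (?:host (\S+)|any) eq (\S+)")
# access-group <name> in interface <if>
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def audit_published_services(config: str) -> list[str]:
    """Return one finding per static port mapping: reachable, permitted by an
    ACL that is never applied to the mapped interface, or not permitted at all."""
    statics, acls, bound = [], {}, {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2) or "any", m.group(3)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)          # interface -> applied ACL

    findings = []
    for _real_if, mapped_if, gaddr, gport, _laddr, _lport in statics:
        permits = [name for name, entries in acls.items()
                   if any(h in (gaddr, "any") and p == gport for h, p in entries)]
        if not permits:
            findings.append(f"{gaddr}/{gport}: no access-list permits it")
        elif bound.get(mapped_if) not in permits:
            findings.append(f"{gaddr}/{gport}: permitted by {sorted(permits)} but none "
                            f"is applied with 'access-group ... in interface {mapped_if}'")
        else:
            findings.append(f"{gaddr}/{gport}: reachable via {bound[mapped_if]}")
    return findings


if __name__ == "__main__":
    for finding in audit_published_services(SAMPLE_CONFIG):
        print(finding)
```

Running it over the excerpt reports the static as permitted by ACLs 100 and inbound but with neither applied to the outside interface; appending an access-group line for one of them makes the same audit report the mapping as reachable.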
debuggerau

I see no 'ftp mode passive', but that may not have any effect.

This one is interesting.
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0

So you're mapping an outside ftp server internally, can you access it from this 10.50.1.227 address?

Is the FTP server the same address? (64.115.29.7)

And how are you accessing it internally? (ip address)..
PCWimp

ASKER

This one is interesting.
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
So you're mapping an outside ftp server internally, can you access it from this 10.50.1.227 address?
[Yes]

Is the FTP server the same address? (64.115.29.7)
[Yes]

And how are you accessing it internally? (ip address)..
[I am able to access it by server name and IP address]

Thanks...

ASKER

Upgraded account and increased the points on this question!
What else could have happened to the 61.115.29.7 public IP? Is it the one used for VPN access by chance?


ASKER

I tried to use that one for VPN but removed the commands I entered for it. I ended up setting up the VPN on a different PIX in a different site.
You may need to double check the other PIX for issues with this IP.

Have you turned the other one off to eliminate it for testing?


ASKER

The other PIX is in a different site. Different state... Totally different internet connection, provider and IP range. Even the internal IP addresses are different.
ASKER CERTIFIED SOLUTION
andrewis

I meant from higher to lower security level.
Sorry, please delete that post of mine...