Solved

Allow FTP traffic through PIX to internal FTP server

Posted on 2009-04-05
Last Modified: 2013-11-29
I am having trouble getting FTP to work through my PIX firewall. I used to have it working, but during an effort to get a client VPN setup we made some changes to the firewall. We ended up setting up the VPN on a different PIX and now I am left with my FTP site not working. The FTP site works fine internally so I know it is working. Please Help!!!
Here is my current config on my PIX:
----------------------------
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security50
nameif ethernet3 dmz2 security15
nameif ethernet4 dmz3 security20
nameif ethernet5 dmz4 security25
enable password XXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
hostname PIXFW01
domain-name ad.XxX.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol h323 ras 1718-1719
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 64.115.29.7 eq ftp
access-list outside permit tcp any any eq 1723
access-list nonat permit ip 10.50.0.0 255.255.0.0 10.51.1.0 255.255.255.0
access-list inbound permit tcp any any eq ftp
pager lines 24
logging buffered debugging
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
ip address outside 64.115.29.8 255.255.255.248
ip address inside 10.50.254.250 255.255.0.0
ip address dmz1 127.0.0.1 255.255.255.255
ip address dmz2 127.0.0.1 255.255.255.255
ip address dmz3 127.0.0.1 255.255.255.255
ip address dmz4 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz1 0.0.0.0
failover ip address dmz2 0.0.0.0
failover ip address dmz3 0.0.0.0
failover ip address dmz4 0.0.0.0
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 64.115.29.6 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 64.115.29.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.50.1.227 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
isakmp enable outside
isakmp key ******** address 208.42.8.93 netmask 255.255.255.255
isakmp key ******** address 66.95.109.147 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup ciscotac idle-time 1800
vpngroup XxXVPN idle-time 1800
telnet 10.51.1.0 255.255.255.0 outside
telnet 10.50.0.0 255.255.0.0 inside
telnet 10.50.1.203 255.255.255.255 inside
telnet 10.50.1.203 255.255.255.255 dmz1
telnet 10.50.1.203 255.255.255.255 dmz2
telnet 10.50.1.203 255.255.255.255 dmz3
telnet 10.50.1.203 255.255.255.255 dmz4
telnet timeout 5
ssh timeout 30
terminal width 80
-----------------------------------------
Question by:PCWimp
10 Comments
 
LVL 23

Expert Comment

by:debuggerau
ID: 24074352
I see no 'ftp mode passive', but that may not have any effect.

This one is interesting.
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0

So you're mapping an outside ftp server internally, can you access it from this 10.50.1.227 address?

Is the FTP server the same address? (64.115.29.7)

And how are you accessing it internally? (ip address)..
 

Author Comment

by:PCWimp
ID: 24074362
This one is interesting.
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
So you're mapping an outside ftp server internally, can you access it from this 10.50.1.227 address?
[Yes]

Is the FTP server the same address? (64.115.29.7)
[Yes]

And how are you accessing it internally? (ip address)..
[I am able to access it by server name and IP address]

Thanks...
 

Author Comment

by:PCWimp
ID: 24074363
Upgraded account and increased the points on this question!
 
LVL 23

Expert Comment

by:debuggerau
ID: 24074403
What else could have happened to the 61.115.29.7 public IP? Is it the one used for VPN access by chance?

 

Author Comment

by:PCWimp
ID: 24074548
I tried to use that one for VPN but removed the commands I entered for it. I ended up setting up the VPN on a different PIX in a different site.
 
LVL 23

Expert Comment

by:debuggerau
ID: 24074574
You may need to double check the other PIX for issues with this IP.

Have you turned the other off to eliminate it for testing?

 

Author Comment

by:PCWimp
ID: 24074950
The other PIX is in a different site. Different state... Totally different internet connection, provider and IP range. Even the internal IP addresses are different.
 
LVL 5

Accepted Solution

by:andrewis (earned 2000 total points)
ID: 24077235
Your access-group command seems to be missing. If you have no ACE allowing inbound traffic from the outside, it will be dropped by default, as this would be passing from a lower to a higher security level.

access-group 100 in interface outside
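The check andrewis is describing (an access-list that exists but is applied to no interface, so the static for the FTP server is unreachable from outside) can be automated. The script below is an added example, not code from this thread or from Cisco: it parses the access-list, access-group and static lines of a PIX 6.x-style config, reports access-lists that nothing applies or references, and reports statics whose mapped interface has no inbound ACL permitting the published service. SAMPLE_CONFIG is an abbreviated excerpt of the config in the question, FIX_LINE is the command from the accepted answer, and NAMED_PORTS and the ACE matching are simplifications I chose (no first-match ordering with deny entries, inbound direction only).

```python
"""Audit a PIX 6.x-style config for unreferenced access-lists and for
static translations that no bound ACL permits.

Added example, not Cisco tooling; it understands only the access-list,
access-group, static and 'nat 0 access-list' shapes seen in this thread.
"""
import ipaddress
import socket
from collections import defaultdict

# Abbreviated excerpt of the config from the question (constructed sample for
# this example; lines the audit does not look at are left out).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list 100 permit icmp any any echo-reply
access-list 100 permit tcp any host 64.115.29.7 eq ftp
access-list outside permit tcp any any eq 1723
access-list nonat permit ip 10.50.0.0 255.255.0.0 10.51.1.0 255.255.255.0
access-list inbound permit tcp any any eq ftp
static (inside,outside) tcp 64.115.29.7 ftp 10.50.1.227 ftp netmask 255.255.255.255 0 0
"""

# The single line the accepted answer says is missing.
FIX_LINE = "access-group 100 in interface outside\n"

# Small service-name table (assumption); falls back to the OS services file.
NAMED_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "www": 80,
               "https": 443, "pptp": 1723}


def _port_num(p):
    """Normalise 'ftp' / '21' to an int so port comparisons are meaningful."""
    if p is None:
        return None
    if p.isdigit():
        return int(p)
    if p in NAMED_PORTS:
        return NAMED_PORTS[p]
    try:
        return socket.getservbyname(p)
    except OSError:
        return p


def _take_addr(tok, i):
    """Consume one PIX address spec (any | host A | A MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    acls = defaultdict(list)   # ACL name -> list of ACEs
    groups = {}                # ACL name -> interface it is applied to inbound
    referenced = set()         # ACL names used by access-group, nat 0, crypto maps
    statics = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and len(tok) >= 4:
            name, action, proto = tok[1], tok[2], tok[3]
            src, i = _take_addr(tok, 4)
            dst, i = _take_addr(tok, i)
            port = tok[i + 1] if i + 1 < len(tok) and tok[i] == "eq" else None
            acls[name].append({"action": action, "proto": proto, "src": src,
                               "dst": dst, "port": _port_num(port)})
        elif tok[0] == "access-group" and len(tok) >= 5:
            groups[tok[1]] = tok[4]          # access-group NAME in interface IF
            referenced.add(tok[1])
        elif tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            if tok[2] in ("tcp", "udp"):     # port-specific static
                st = {"proto": tok[2], "mapped_ip": tok[3], "mapped_port": _port_num(tok[4]),
                      "real_ip": tok[5], "real_port": _port_num(tok[6])}
            else:                            # one-to-one static
                st = {"proto": None, "mapped_ip": tok[2], "mapped_port": None,
                      "real_ip": tok[3], "real_port": None}
            st.update(real_if=real_if, mapped_if=mapped_if)
            statics.append(st)
        elif "access-list" in tok[1:-1]:     # e.g. nat (inside) 0 access-list nonat
            referenced.add(tok[tok.index("access-list") + 1])
    return {"acls": acls, "groups": groups, "referenced": referenced, "statics": statics}


def _ace_permits(ace, st):
    """Does this ACE allow the protocol, mapped address and port of the static?"""
    if ace["action"] != "permit":
        return False
    if ace["proto"] != "ip" and st["proto"] is not None and ace["proto"] != st["proto"]:
        return False
    if ipaddress.ip_address(st["mapped_ip"]) not in ace["dst"]:
        return False
    return ace["port"] is None or st["mapped_port"] is None or ace["port"] == st["mapped_port"]


def unreferenced_acls(cfg):
    """ACLs that are defined but never applied or referenced: they enforce nothing."""
    return sorted(n for n in cfg["acls"] if n not in cfg["referenced"])


def unprotected_statics(cfg):
    """Statics whose mapped interface has no inbound ACL permitting the published service."""
    acl_on_iface = {iface: name for name, iface in cfg["groups"].items()}
    out = []
    for st in cfg["statics"]:
        acl = acl_on_iface.get(st["mapped_if"])
        if acl is None or not any(_ace_permits(a, st) for a in cfg["acls"].get(acl, [])):
            out.append(f'{st["mapped_ip"]}:{st["mapped_port"]} -> {st["real_ip"]} via {st["mapped_if"]}')
    return out


def audit(text):
    cfg = parse_config(text)
    return {"unreferenced_acls": unreferenced_acls(cfg),
            "unprotected_statics": unprotected_statics(cfg)}


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG),
                        ("with access-group added", SAMPLE_CONFIG + FIX_LINE)):
        print(label, audit(text))
```

Run against the posted excerpt, every access-list comes back unreferenced and the FTP static is flagged; appending the accepted answer's access-group line clears the static finding, while `inbound`, `outside` and `nonat` remain unreferenced, which is worth a look in its own right since unapplied lists are a common sign of leftover edits like the VPN attempt the question mentions.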
 
LVL 5

Expert Comment

by:andrewis
ID: 24082104
I meant from higher to lower security level.
 
LVL 5

Expert Comment

by:andrewis
ID: 24082107
Sorry, please delete that post of mine...
