sedwho
How do I config a PIX515e to open a port to a specific IP

I have a user on my network that needs to access an encrypted FTP site and I think that my PIX is blocking the necessary ports as they are unable to connect.  I was given the following instruction:

Check with your IT dept. that a firewall isn’t blocking FTP data.  The following ports must be allowed to connect to IP address 66.150.206.23: port 990 (the Secure FTP control port TLS/SSL) and ports 2000 through 2010 (for passive data transfers).

So...what I need to know is how to configure an ACL to allow 66.150.206.23 to make connections on ports 990, and 2000-2010.  Sh run from pix follows:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YpdVHgRW7WKs2Ahu encrypted
passwd YpdVHgRW7WKs2Ahu encrypted
hostname firewall
domain-name denver-redcross.org
no fixup protocol dns
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group network convio
  network-object 66.45.103.0 255.255.255.128
  network-object 209.163.168.192 255.255.255.192
object-group network messagelabs
  network-object 216.82.240.0 255.255.240.0
  network-object 85.158.136.0 255.255.248.0
  network-object 117.120.16.0 255.255.248.0
  network-object 193.109.254.0 255.255.254.0
  network-object 194.106.220.0 255.255.254.0
  network-object 195.245.230.0 255.255.254.0
  network-object 62.231.131.0 255.255.255.0
  network-object 64.124.170.128 255.255.255.240
access-list 101 permit tcp any host 64.78.184.83 eq www
access-list 101 permit tcp any host 64.78.184.83 eq pop3
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 4500
access-list 101 permit udp any eq 4500 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 64.78.184.83 eq https
access-list 101 permit tcp any host 64.78.184.85 eq www
access-list 101 permit tcp any host 64.78.184.85 eq citrix-ica
access-list 101 permit udp host 64.78.184.81 host 64.78.184.86 eq tftp
access-list 101 permit tcp any host 64.78.184.84 eq www
access-list 101 permit tcp any host 64.78.184.84 eq citrix-ica
access-list 101 permit tcp object-group messagelabs host 64.78.184.83 eq smtp
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit ip 192.168.128.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside permit tcp host 192.168.1.23 any eq smtp
access-list inside permit tcp host 192.168.1.9 any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside deny tcp any any eq 445
access-list inside permit ip any any
pager lines 24
logging on
logging monitor debugging
logging buffered warnings
logging trap warnings
logging host inside 192.168.4.2
mtu outside 1500
mtu inside 1500
ip address outside 64.78.184.82 255.255.255.240
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool remoteip 192.168.1.235-192.168.1.250
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 64.78.184.83
nat (inside) 0 access-list 102
nat (inside) 2 192.168.1.9 255.255.255.255 0 0
nat (inside) 2 192.168.1.23 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 64.78.184.83 smtp 192.168.1.9 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.78.184.83 www 192.168.1.23 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.78.184.83 https 192.168.1.23 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.78.184.85 www 192.168.1.8 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 64.78.184.85 citrix-ica 192.168.1.8 citrix-ica netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 64.78.184.81 1
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.4.0 255.255.255.0 192.168.1.1 1
route inside 192.168.128.0 255.255.128.0 192.168.1.45 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.255 inside
snmp-server host inside 192.168.4.2
no snmp-server location
no snmp-server contact
snmp-server community msd2000rtr
snmp-server enable traps
tftp-server inside 192.168.4.2 firewall
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set remotset esp-des esp-md5-hmac
crypto dynamic-map remotdyn 20 set transform-set remotset
crypto map remotset 20 ipsec-isakmp dynamic remotdyn
crypto map remotset interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup arcvpn address-pool remoteip
vpngroup arcvpn dns-server 192.168.128.4
vpngroup arcvpn default-domain denver-redcross.org
vpngroup arcvpn split-tunnel 102
vpngroup arcvpn idle-time 1800
vpngroup arcvpn password ********
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh 216.142.118.0 255.255.255.224 outside
ssh timeout 5
console timeout 0
vpdn group VPN accept dialin pptp
vpdn group VPN ppp authentication chap
vpdn group VPN ppp authentication mschap
vpdn group VPN ppp encryption mppe 40
vpdn group VPN client configuration address local remoteip
vpdn group VPN client configuration dns 192.168.128.4
vpdn group VPN client configuration wins 192.168.128.4
vpdn group VPN pptp echo 60
vpdn group VPN client authentication local
vpdn username arcmsvpn password *********
vpdn enable outside
terminal width 80
Cryptochecksum:49ab99c3bc1ed3825ac83ba874e9368d
: end
firewall#
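An added check, not part of the thread and not the poster's code: the ACL applied on the inside interface ends with `access-list inside permit ip any any`, so outbound connections from the LAN to 66.150.206.23 on tcp/990 and tcp/2000-2010 are already permitted by this config, and the PIX builds the return state for them itself; the only port-specific lines on that interface are the smtp and 445 denies. The script below is a first-match evaluator for the PIX 6.3 `access-list` forms used in this config. It parses the `inside` ACL exactly as posted and shows those flows are permitted, then evaluates a tighter least-privilege variant that I constructed for illustration (the workstation address 192.168.1.50 and the two explicit permit lines are assumptions, nothing else in it comes from the page). A defender's reading of why the connection fails anyway: `fixup protocol ftp 21` inspects only clear-text FTP on port 21 and cannot read an implicit-TLS control channel on 990, so the firewall cannot learn data ports dynamically; passive transfers to the server's fixed, published range are what work without inspection, which matches the outcome the asker reports later in the thread.

```python
import ipaddress

# Service names that appear in the posted config; anything else is treated as a number.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "https": 443}

# The "inside" ACL exactly as it appears in the asker's running config.
INSIDE_ACL = """
access-list inside permit tcp host 192.168.1.23 any eq smtp
access-list inside permit tcp host 192.168.1.9 any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside deny tcp any any eq 445
access-list inside permit ip any any
"""

# Constructed least-privilege variant (assumption, not from the page): the final
# "permit ip any any" is replaced by explicit rules for the FTPS server.
# 192.168.1.50 is a placeholder for the user's workstation.
TIGHT_ACL = """
access-list inside permit tcp host 192.168.1.23 any eq smtp
access-list inside permit tcp host 192.168.1.9 any eq smtp
access-list inside deny tcp any any eq smtp
access-list inside deny tcp any any eq 445
access-list inside permit tcp host 192.168.1.50 host 66.150.206.23 eq 990
access-list inside permit tcp host 192.168.1.50 host 66.150.206.23 range 2000 2010
"""


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A MASK' from the token list and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # PIX writes dotted masks, which ipaddress accepts after '/'
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def _parse_ports(tokens):
    """Consume an optional destination 'eq P' or 'range A B'; return (lo, hi) or None."""
    if not tokens:
        return None
    op = tokens.pop(0)
    if op == "eq":
        p = tokens.pop(0)
        p = PORT_NAMES.get(p, p)
        return (int(p), int(p))
    if op == "range":
        return (int(tokens.pop(0)), int(tokens.pop(0)))
    raise ValueError(f"unsupported port operator: {op}")


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [ports]' lines into ACE dicts."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        _, _name, action, proto = tokens[:4]
        rest = tokens[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        ports = _parse_ports(rest)
        aces.append({"action": action, "proto": proto, "src": src, "dst": dst, "dports": ports})
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First-match evaluation; an ACL with no match ends in the PIX implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dports"] and not (ace["dports"][0] <= dport <= ace["dports"][1]):
            continue
        return ace["action"]
    return "deny"


def ftps_flows_permitted(aces, client_ip="192.168.1.50", server_ip="66.150.206.23"):
    """Decision for the FTPS control port and each passive data port the site asked for."""
    return {p: evaluate(aces, "tcp", client_ip, server_ip, p) for p in [990, *range(2000, 2011)]}


if __name__ == "__main__":
    for label, acl in (("current inside ACL", INSIDE_ACL), ("tightened variant", TIGHT_ACL)):
        print(label)
        for port, action in ftps_flows_permitted(parse_acl(acl)).items():
            print(f"  192.168.1.50 -> 66.150.206.23 tcp/{port}: {action}")
```

Run it as a script to print the per-port decision for both ACLs. The parser covers only the ACE forms this config uses on the inside interface (any/host/network-mask addresses, `eq` and `range` destination ports); the `object-group` references and ICMP type keywords in access-list 101 are out of scope.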
qbakies
So you are hosting the FTP or are trying to access their FTP?
sedwho (asker)
Trying to access their FTP
ASKER CERTIFIED SOLUTION
danworman

sedwho (asker)
Thx Dan,

That makes sense and a passive FTP is the solution we ended up going with.

Cheers!