Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Cannot FTP to FTP Server in DMZ
- Thread starter wstran
- Start date
- Thread starter
- #3
Thanks. Here is my PIX config:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 e2 security90
nameif ethernet3 dmz security50
nameif ethernet4 e4 security75
nameif ethernet5 e5unused security20
enable password juDTf/dYh8Rt6ihg encrypted
passwd juDTf/dYh8Rt6ihg encrypted
hostname PIX
domain-name test.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_in permit tcp any host 192.168.2.3 eq ftp
access-list dmz_in permit tcp host 192.168.2.3 any eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu e2 1500
mtu dmz 1500
mtu e4 1500
mtu e5unused 1500
ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address e2 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip address e4 192.168.4.1 255.255.255.0
ip address e5unused 127.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
static (dmz,outside) 10.10.10.4 192.168.2.3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
console timeout 0
terminal width 80
: end
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 e2 security90
nameif ethernet3 dmz security50
nameif ethernet4 e4 security75
nameif ethernet5 e5unused security20
enable password juDTf/dYh8Rt6ihg encrypted
passwd juDTf/dYh8Rt6ihg encrypted
hostname PIX
domain-name test.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_in permit tcp any host 192.168.2.3 eq ftp
access-list dmz_in permit tcp host 192.168.2.3 any eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu e2 1500
mtu dmz 1500
mtu e4 1500
mtu e5unused 1500
ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip address e2 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip address e4 192.168.4.1 255.255.255.0
ip address e5unused 127.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
static (dmz,outside) 10.10.10.4 192.168.2.3 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
console timeout 0
terminal width 80
: end
NetworkGhost
IS-IT--Management
What IP Addess are you using hwen trying to FTP to the DMZ? The DMZ IP of the server or the external static?
- Thread starter
- #5
NetworkGhost
IS-IT--Management
Try this:
static (inside ,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (inside ,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
- Thread starter
- #7
NetworkGhost
IS-IT--Management
This:
static (inside ,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Should have worked for access the DMZ from the inside. There are probably
You say it worked from the outside?
You have this
static (dmz,outside) 10.10.10.4 192.168.2.3 netmask 255.255.255.255 0 0
and
access-list outside_in permit tcp any host 192.168.2.3 eq ftp
That doesnt look like FTP would work from the outside. Have you changed your config?
and
static (inside ,DMZ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
Should have worked for access the DMZ from the inside. There are probably
You say it worked from the outside?
You have this
static (dmz,outside) 10.10.10.4 192.168.2.3 netmask 255.255.255.255 0 0
and
access-list outside_in permit tcp any host 192.168.2.3 eq ftp
That doesnt look like FTP would work from the outside. Have you changed your config?
and
- Thread starter
- #11
Hello,
My FTP server was NAT'ed to 10.10.10.4 to outside of PIX and then NAT'ed again to my router to static IP address. That's why FTP can be accessed from Internet.
BTW, I tried all of your recommendation but it's still not working. Please advise if you have any other options, thanks!
My FTP server was NAT'ed to 10.10.10.4 to outside of PIX and then NAT'ed again to my router to static IP address. That's why FTP can be accessed from Internet.
BTW, I tried all of your recommendation but it's still not working. Please advise if you have any other options, thanks!
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question
- Locked
- Question