
Can't access an FTP Site from the inside

Status
Not open for further replies.

stevenriz
IS-IT--Management | Joined May 21, 2001 | Messages: 1,069
I know this may be a Solaris issue but I am leaning towards the PIX on this particular issue. Maybe you can help. Let me try and explain this clearly.

We have two subnets within the PIX, 192.168.1.0 and 192.168.2.0. Gateway to the outside is ultimately the PIX at 192.168.1.10. 192.168.2.10 for the .2 net. 192.168.1.10 is on the ISP router.

ip address outside 'publicip' 255.255.255.240
ip address inside 192.168.2.10 255.255.255.0
ip address vpndmz 172.16.2.1 255.255.255.0
ip address corp 192.168.1.10 255.255.255.0

We have two servers, both on the .2 subnet. Both of them, MIND YOU, "CAN" ping this FTP site; only one of the machines "DOES NOT" receive a login prompt from the FTP site.

One Solaris machine on the .2 net "CAN" access this particular FTP site on the net. Its netstat -nr shows like so...
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0 morpheus U 1 46 hme0
224.0.0.0 morpheus U 1 0 hme0
default 192.168.2.10 UG 1 103
localhost localhost UH 8 48133 lo0
#

Now this second machine which is on that same .2 net is a Solaris box as well. The issue is it "CANNOT" access this particular FTP site. The FTP login prompt is not returned. Here is the netstat -nr on that machine...
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.2.0 192.168.2.162 U 1 208 hme0
224.0.0.0 192.168.2.162 U 1 0 hme0
default 192.168.2.10 UG 1 13
127.0.0.1 127.0.0.1 UH 4 252948 lo0
#

The difference with the latter server is that I publicize it on the web, so it has a public IP address attached to it using an access list and static routes. I also gave it the "alias" command, thinking that would have fixed it. It didn't.

Do you think my problem is with the PIX? I am looking for clues but cannot find any. The Solaris versions are different, but I have some boxes on the older version that "CAN" access this site. I am still tinkering with this, but I thought I would ask so not too much more time is wasted working on this... Thanks all!!
Steve
 
I just thought of something else.

I believe the company hosting this FTP site uses IP address security so I gave them the NAT IP Address. Now if I am publicizing some servers, what does the IP address appear to be from those servers? I was thinking it will still appear to be the NAT address because the connection is initiated from the inside out, not from the outside in. Am I wrong?

Thanks!
Steve
 
Your external address will be the one seen from the outside.

Your one box can get out but the other can't. One has a static translation rule and the other doesn't. Did I follow that correctly?

If so... then it sounds like you do not have a global address for internal users to go out on. That, and a nat statement for them to be translated, etc.

Also... if you are using, say, a 10-user lic on the PIX and you have maxed out, you won't get out with #11. Do a show ver on the PIX and look for the # of licenses you have to confirm.
 
Well, no, we have a 515 UR PIX so it isn't a license issue. We do have a global NAT statement...
global (outside) 1 pub.ip.add.110 netmask 255.255.255.240

but the private IP addresses that I made public using a static route and access lists are what I was thinking would make this happen. You see, the FTP site only accepts connections from IP addresses in an access list. So I gave this FTP site the IP address of pub.ip.add.110, not the public IP address of the system I am trying to access it from... pub.ip.add.107... Am I clear enough? Maybe we are even in agreement, yes?
 
If their access list is looking for pub.ip.add.110 and you are coming from pub.ip.add.107, then yes, you would get blocked.

So, in a nutshell, if you cannot get the logon prompt from the second one, pub.ip.add.107, you must simply have them add that to their access list to allow you in. Or you could have them open a range within your public IP space.
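The mechanism behind this reply (and behind the earlier question about which address a published server appears from) is the order in which the firewall picks a translation: a one-to-one static for a host wins over the shared global address, so the published server leaves as its own public IP while its neighbours leave as the PAT address. The short simulation below is an added example, not code from the thread or from Cisco; the addresses 198.51.100.107 and 198.51.100.110 are documentation-range stand-ins for the poster's pub.ip.add.107 and pub.ip.add.110, the inside host 192.168.2.162 is taken from the second routing table, and the translation policy is an assumption modelled on what the posts describe. It answers the practical defender's question here: which public source addresses does the remote operator actually have to put in their allowlist?

```python
import ipaddress

# Constructed stand-ins for the thread's "pub.ip.add.x" public addresses
# (TEST-NET-2 documentation range, not real addresses).
PUBLIC_110 = ipaddress.ip_address("198.51.100.110")   # the "global (outside) 1" PAT address
PUBLIC_107 = ipaddress.ip_address("198.51.100.107")   # static for the published server

# Assumed translation policy, modelled on the thread's description:
# every inside subnet covered by the nat rule shares one PAT address, and the
# one server that is published to the Internet has a one-to-one static.
NAT_SOURCES = [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network("192.168.2.0/24")]
STATIC_XLATES = {ipaddress.ip_address("192.168.2.162"): PUBLIC_107}
GLOBAL_PAT = PUBLIC_110


def egress_address(inside_ip):
    """Public source address an outbound connection from inside_ip presents to
    the Internet, or None when no translation covers it (no xlate, no forwarding).
    A static (one-to-one) translation takes precedence over the global pool."""
    ip = ipaddress.ip_address(inside_ip)
    if ip in STATIC_XLATES:
        return STATIC_XLATES[ip]
    if any(ip in net for net in NAT_SOURCES):
        return GLOBAL_PAT
    return None


def remote_accepts(inside_ip, remote_allowlist):
    """Simulate the FTP host's source-address filter: True only when the
    translated source address is in the allowlist the remote party keeps."""
    src = egress_address(inside_ip)
    allowed = {ipaddress.ip_address(a) for a in remote_allowlist}
    return src is not None and src in allowed


def required_allowlist(inside_hosts):
    """Every distinct public address the given inside hosts will appear from.
    This is the list to hand the remote operator, not just the PAT address."""
    return sorted({str(egress_address(h)) for h in inside_hosts
                   if egress_address(h) is not None})


if __name__ == "__main__":
    # What the poster originally gave the FTP operator: only the PAT address.
    allowlist = ["198.51.100.110"]
    for host in ("192.168.2.50", "192.168.2.162"):
        print(host, "->", egress_address(host),
              "accepted:", remote_accepts(host, allowlist))
    print("allowlist the remote site actually needs:",
          required_allowlist(["192.168.2.50", "192.168.2.162"]))
```

Running it shows the unpublished host reaching the site as .110 and being accepted, while the published host appears as .107 and is refused until that address is added. The same check generalises: before asking a third party to filter on your source address, enumerate the statics on the firewall, because each published server is its own egress address.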

 
That is what I was thinking as well. I am waiting for them to open up 107 to see if that works. I'll let you know, thanks for the second set of eyes!!
Steve
 