
how to add FTP server to DMZ on PIX


drmohlen (Technical User), Jan 12, 2006
I am new to PIX, but I would like to add an FTP server to the DMZ on a PIX 515E. Can anyone tell me the required commands that I need to add to my PIX to be able to access the FTP server (port 21) on the DMZ from outside?

My public IP address: 217.36.6.x
My private IP address: 192.168.10.y

Many Thanks
 
static (dmz,outside) 217.36.6.x 192.168.10.y netmask 255.255.255.255

access-list acl_outside permit tcp any host 217.36.6.x eq 21
access-group acl_outside in interface outside
 
Thank you NetworkGhost for the prompt response. I have added your suggested lines to the PIX, but I am still getting an error message trying to access the FTP server using ftp://217.36.6.x in the IE browser of a PC outside our firewall.
I can access the FTP server from inside without any problem. fixup protocol ftp 21 is also enabled. I checked my Zyxel BT SDSL router and it is not blocking port 21.

Any suggestion would be appreciated.
 
Do you only have one IP address? If so take out the old static and do this:

no static (dmz,outside) 217.36.6.x 192.168.10.y netmask 255.255.255.255
static (dmz,outside) tcp interface 21 192.168.10.y 21 netmask 255.255.255.255

Still have problems? Post your config.
 
Hi there, I have followed your advice but still have no joy accessing my FTP server on the DMZ. I have posted the PIX config below for your attention.

PS: just to say that I already have another server on the DMZ with a different IP address which is accessible from outside.

Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 DMZ security4
enable password 3nJjzzCFrst92kfY encrypted
passwd 3nJjzzCFrst92kfY encrypted
hostname lukfw1
domain-name xxxxxxxxxxxxxx
clock timezone GMT/BST 0
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.10 LUKPC40
name 192.168.1.26 LUKPC66
name 217.36.6.39 LUKPC63
name 217.36.6.40 Exmail
name 195.245.230.0 messagelabs2
name 193.109.254.0 messagelabs1
name 85.158.136.0 messagelabs4
name 216.82.240.0 messagelabs5
name 194.106.220.0 messagelabs3
name 195.216.16.211 messagelabs6
name 192.168.1.100 mohsenpc
object-group service SOSAccess tcp
port-object range 8890 8890
object-group service ViticServerAccess tcp
port-object eq www
port-object range 9000 9000
object-group service RemoteVPNUsers udp
port-object range isakmp isakmp
port-object range 4500 4500
port-object range 1701 1701
object-group service incomingSMTP tcp
port-object eq smtp
object-group service proxyusers tcp
access-list inside_access_in deny tcp host mohsenpc any
access-list outside_access_in remark vitic access via PC63
access-list outside_access_in remark
access-list outside_access_in remark
access-list outside_access_in permit tcp any host LUKPC63 object-group ViticServerAccess
access-list outside_access_in permit tcp any host 217.36.6.41 object-group SOSAccess
access-list outside_access_in remark message mail server address
access-list outside_access_in permit tcp messagelabs1 255.255.254.0 host Exmail object-group incomingSMTP
access-list outside_access_in remark messagelabs 2
access-list outside_access_in permit tcp messagelabs2 255.255.254.0 host Exmail object-group incomingSMTP
access-list outside_access_in remark messagelabs 3
access-list outside_access_in permit tcp messagelabs3 255.255.254.0 host Exmail object-group incomingSMTP
access-list outside_access_in remark messagelabs server 4
access-list outside_access_in permit tcp messagelabs4 255.255.248.0 host Exmail object-group incomingSMTP
access-list outside_access_in remark messagelabs server 5
access-list outside_access_in permit tcp messagelabs5 255.255.240.0 host Exmail object-group incomingSMTP
access-list outside_access_in remark messagelabs server 6
access-list outside_access_in permit tcp host messagelabs6 host Exmail object-group incomingSMTP
access-list outside_access_in permit icmp 217.36.6.32 255.255.255.240 217.36.6.0 255.255.255.0 echo
access-list outside_access_in remark SSL for OWA
access-list outside_access_in permit tcp any host Exmail eq https
access-list outside_access_in remark
access-list outside_access_in permit icmp host mohsenpc any echo-reply
access-list DMZ_access_in permit icmp 192.168.10.0 255.255.255.0 217.36.6.32 255.255.255.240 echo-reply
access-list DMZ_access_in permit icmp host 192.168.10.12 any echo-reply
access-list inside_outbound_nat0_acl permit ip any 192.168.1.224 255.255.255.240
access-list 101 permit ip 192.168.1.0 255.255.255.0 172.10.10.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_outside permit tcp any host 217.36.6.38 eq ftp
pager lines 24
logging on
logging trap notifications
logging host inside 192.168.1.12
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 217.36.6.33 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool RemotePool 192.168.2.1-192.168.2.254
ip local pool LocalPool 192.168.1.224-192.168.1.240
ip local pool ippool 172.10.10.1-172.10.10.200

arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 101
nat (inside) 10 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp 217.36.6.41 8890 LUKPC40 8890 netmask 255.255.255.255 0 0
static (DMZ,outside) tcp interface ftp 192.168.10.13 ftp netmask 255.255.255.255 0 0
static (DMZ,outside) LUKPC63 192.168.10.12 netmask 255.255.255.255 0 0
static (outside,DMZ) 192.168.10.12 LUKPC63 netmask 255.255.255.255 0 0
static (inside,outside) Exmail LUKPC66 netmask 255.255.255.255 0 0
static (outside,inside) LUKPC66 Exmail netmask 255.255.255.255 0 0
static (inside,DMZ) 192.168.10.0 192.168.1.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.10.13 217.36.6.38 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 217.36.6.46 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.11 thunderstorms timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable




management-access inside
console timeout 0



terminal width 80
Cryptochecksum:852c75d4d2cfd874bf088f6aaabf462b
: end
 
Ahh. Sorry. When I put acl_outside I "assumed" you would make that match your ACL for your external interface. Try this:

access-list outside_access_in permit tcp any interface outside eq 21
 
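As an added illustration (not from the thread, nor a Cisco tool), the script below audits a PIX 6.x config for the two slips visible in the posted config: an access-list such as acl_outside that is defined but never applied (via access-group or nat 0 access-list), and a static whose real address does not sit on the interface it names as real (the inside,outside static for 192.168.10.13, which lives on the DMZ). The sample config lines are excerpted from the config posted above; an unapplied ACL silently filters nothing, so the check is worth running before assuming a rule is in effect.

```python
"""Audit a PIX 6.x config for unbound access-lists and mis-homed statics.
Added example for the thread above; not Cisco code. Sample lines are
excerpted from the configuration posted in the thread."""
import ipaddress

SAMPLE_CONFIG = """
name 217.36.6.39 LUKPC63
ip address outside 217.36.6.33 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
access-list inside_access_in deny tcp host mohsenpc any
access-list outside_access_in permit tcp any host LUKPC63 eq www
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list acl_outside permit tcp any host 217.36.6.38 eq ftp
nat (inside) 0 access-list 101
static (DMZ,outside) tcp interface ftp 192.168.10.13 ftp netmask 255.255.255.255 0 0
static (DMZ,outside) LUKPC63 192.168.10.12 netmask 255.255.255.255 0 0
static (inside,outside) 192.168.10.13 217.36.6.38 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

def audit(config):
    """Return ACL names never bound and static lines whose real IP is off-interface."""
    names, ifaces, acls, bound, statics = {}, {}, set(), set(), []
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name":                   # name <ip> <label>
            names[p[2]] = p[1]
        elif p[:2] == ["ip", "address"]:     # ip address <if> <ip> <mask>
            ifaces[p[2].lower()] = ipaddress.ip_network(f"{p[3]}/{p[4]}", strict=False)
        elif p[0] == "access-list":
            acls.add(p[1])
        elif p[0] == "access-group":         # access-group <acl> in interface <if>
            bound.add(p[1])
        elif p[0] == "nat" and "access-list" in p:   # nat (if) 0 access-list <acl>
            bound.add(p[p.index("access-list") + 1])
        elif p[0] == "static":
            statics.append((line, p))
    misplaced = []
    for line, p in statics:
        # static (real_if,mapped_if) [tcp|udp] mapped_ip [port] real_ip [port] netmask ...
        real_if = p[1].strip("()").split(",")[0].lower()
        has_port = p[2] in ("tcp", "udp")
        real_tok = p[5] if has_port else p[3]
        real_ip = ipaddress.ip_address(names.get(real_tok, real_tok))
        if real_if in ifaces and real_ip not in ifaces[real_if]:
            misplaced.append(line)
    return {"unbound_acls": sorted(acls - bound), "misplaced_statics": misplaced}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```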
Thank you, it worked straight away. I did mention earlier that I am new to PIX!! You have been a great help.
 