INSIDE Hosts can't see FTP server


wstran (MIS, US), Jul 18, 2002
Greetings,

Basically our systems are set up as follows:

Internet
|
|
|
Router
| 10.10.10.1 (Router INSIDE)
|
|
| 10.10.10.2 (PIX OUTSIDE)
PIX 515E ---------------------- 192.168.3.1 (INSIDE)--- Hosts (192.168.3.xxx)
| 192.168.7.1 (DMZ)
|
|
|
FTP server 192.168.7.2 (Real IP) --> 10.10.10.3 (first NAT'ed to PIX OUTSIDE) --> 66.45.102.xx1(second NAT'ed to Router OUTSIDE: Public IP address)


Our problem is that all hosts in the PIX INSIDE area (192.168.3.xxx) cannot FTP to our FTP server by either its real IP (192.168.7.2) or its public IP (66.45.102.xx1); however, our FTP server can be logged into from the Internet at the public IP address 66.45.102.xx1. Please advise, thanks!


Thanks in advance.
 
Can you access your FTP server from the INSIDE if you connect to 192.168.7.2 ?

 
Hmmm... Perhaps you'll need an inside nat 0 command so that the services can respond to queries made from lower security levels?
 
Thanks for all of your responses.

To F1lby's question: No, I cannot FTP to 192.168.7.2 from INSIDE machines with 192.168.3.xxx addresses. Anywhere else is working fine.

To KiscoKid: I'll post my PIX cfg soon.

To Voltron1011: Please teach me what specific command that I need to enter, thanks.
 
Here is an example:

First create an access-list:

access-list acl_inside_nat0 permit ip object-group USERS object-group FTP-servers (use whatever your particular object-group is, or use IP addresses).


Then do the NAT statement:

nat (inside) 0 access-list acl_inside_nat0
 
Hi Voltron1011,

I tried your recommendation by:

access-list acl_inside_nat0 permit ip 192.168.3.0 255.255.255.0 host 192.168.7.2

nat (inside) 0 access-list acl_inside_nat0

but it still did not work. Is there any error in my statements? Thanks.
 
Make sure your access-list isn't backwards. You want the FTP server that is in a lower security area to be able to talk back to the users in the higher security area. I have a PIX Bible here that I will research a bit.
 
Here is my PIX configuration:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 100full
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 e2 security90
nameif ethernet3 dmz security50
nameif ethernet4 e4 security75
nameif ethernet5 e5 security20
enable password juDTf/dYh8Rt6ihg encrypted
passwd juDTf/dYh8Rt6ihg encrypted
hostname PIX
domain-name test.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_in permit tcp any host 10.10.10.3 eq ftp
access-list dmz_in permit tcp host 192.168.7.2 any eq ftp
access-list acl_inside_nat0 permit ip 192.168.3.0 255.255.255.0 host 192.168.7.2
access-list acl_inside permit tcp any interface inside eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu e2oppc 1500
mtu e3dmz 1500
mtu e4state 1500
mtu e5unused 1500
ip address outside 10.10.10.2 255.255.255.0
ip address inside 192.168.3.1 255.255.255.0
ip address e2 192.168.1.1 255.255.255.0
ip address dmz 192.168.7.1 255.255.255.0
ip address e4 192.168.5.1 255.255.255.0
ip address e5 127.0.0.1 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl_inside_nat0
static (dmz,outside) 10.10.10.3 10.10.10.3 netmask 255.255.255.255 0 0
static (dmz,inside) 192.168.7.2 192.168.7.2 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group acl_inside in interface inside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 10
console timeout 0
terminal width 80
: end
 
I think you're still missing some NAT statements...
-First you need to define an Address Pool:
global (outside) 1 interface (this means that it will use the outside interface address as the number)

-Next you define the addresses to translate:
nat (inside) 0 access-list acl_inside_nat0
nat (inside) 1 0 0 0

 
Hi,

I added all NAT statements that you recommended but it still did not work.

To test the setup, I added a Linux box with Apache running in the DMZ with 192.168.7.3 (Real IP) --> 10.10.10.4 (first NAT'ed to PIX OUTSIDE) --> 66.45.102.xx2 (second NAT'ed to Router OUTSIDE: public IP address), then added some statements to the PIX and router for this Webserver. It is very interesting that, from INSIDE machines (192.168.3.xxx), I can see the Web page on the Webserver (192.168.7.3) but not the FTP server (192.168.7.2).

Do you think there is any different setup for FTP and Web servers? Any help is always appreciated.

Thanks
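The thread closes without a resolution, so what follows is an editor's added example, not a fix any of the posters reached and not code from the original page. It reads the posted PIX 6.3(4) configuration against PIX 6.3 semantics. The one entry in acl_inside is "permit tcp any interface inside eq ftp", and in 6.3 the "interface inside" keyword in an access-list denotes the inside interface's own address (192.168.3.1), not the DMZ. Since "access-group acl_inside in interface inside" ends in an implicit deny, inside hosts could open TCP/21 only to the PIX itself, which would drop the FTP control connection to 192.168.7.2 no matter how the nat 0 and static lines are written, while a separately permitted entry for the web server test (assumed here; the post says statements were added for it) would still pass. The fragment uses only the addresses and names already in the thread; the assumption is that the posted acl_inside is what is live on the box. Connecting from INSIDE to the public address 66.45.102.xx1 is a separate matter, since that path leaves the PIX toward the router and would need the router to hairpin it; from INSIDE, use 192.168.7.2.

```cisco
: Editor's added example for PIX 6.3(4), using the addresses from the thread.
: Assumption: the posted acl_inside is the list bound to the inside interface.
:
: 1. The posted entry permits TCP/21 only to the PIX's own inside address
:    (192.168.3.1). Once an access-group is bound to "inside", the implicit
:    deny at the end of the list drops every other flow from inside hosts,
:    including the FTP control connection to 192.168.7.2.
no access-list acl_inside permit tcp any interface inside eq ftp
access-list acl_inside permit tcp 192.168.3.0 255.255.255.0 host 192.168.7.2 eq ftp
:
: 2. The web test only passes if a matching entry exists for it (assumed;
:    the thread says statements were added for the web server). Anything else
:    inside hosts need must be listed as well, for example:
access-list acl_inside permit tcp 192.168.3.0 255.255.255.0 host 192.168.7.3 eq www
access-list acl_inside permit tcp 192.168.3.0 255.255.255.0 any eq www
: If acl_inside was only added during troubleshooting, remove the binding
: instead, so inside keeps the default higher-to-lower-security permit:
: no access-group acl_inside in interface inside
:
: 3. Translation for inside -> dmz is already covered by the posted lines.
:    Either one alone is enough for 192.168.7.2; the identity static makes
:    the nat 0 entry redundant for this host. Both are kept as posted.
nat (inside) 0 access-list acl_inside_nat0
static (dmz,inside) 192.168.7.2 192.168.7.2 netmask 255.255.255.255 0 0
: Inside hosts still need a dynamic translation for the Internet, paired
: with the existing "global (outside) 1 interface":
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:
: 4. dmz_in as posted only lets the server *initiate* TCP/21 outward, which
:    it never does. Replies to inside-initiated sessions and the data
:    channels the FTP fixup opens (PORT from the server, PASV from the
:    client) need no entry, so the fixup must stay on. That data channel is
:    the one thing that differs from HTTP: with the fixup off, login works
:    and the first directory listing hangs.
fixup protocol ftp 21
:
: 5. Verify. hitcnt on the new line should increase on each attempt, the
:    control connection appears in "show conn" / "show xlate", and the two
:    captures show whether SYNs to port 21 arrive on inside and whether
:    they leave dmz. Remove the captures when done.
: show access-list acl_inside
: show conn
: show xlate
: access-list cap_ftp permit tcp 192.168.3.0 255.255.255.0 host 192.168.7.2 eq ftp
: capture ftp_in interface inside access-list cap_ftp
: capture ftp_dmz interface dmz access-list cap_ftp
: show capture ftp_in
: show capture ftp_dmz
: no capture ftp_in
: no capture ftp_dmz
```

A quick way to tell the two failure modes apart from an inside host: if the client cannot even connect to port 21, the access list is the problem; if it logs in and then hangs on the first listing, the data channel (and therefore the FTP fixup or an ACL on the dmz side) is.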
 