Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PIX web and ftp config

Status
Not open for further replies.
rocken7

rocken7

Programmer
Joined
Jul 15, 2004
Messages
1
Location
US
[Cisco PIX 500 series]

I have a single box on the inside (192.168.1.2) that is the webserver. It can be reached from outside and I can host the website (it allows outside access to port 80). My issue is I cannot get ftp (port 21) to get through. In fact if I add the following line:

access-list 101 permit tcp any host 200.100.80.100 eq ftp

Then I end up with no outside access to the website.

Why when I add ftp it blocks everything, and if i remove the ftp line then I have good outside-in website access?

I am new to this so expect some obvious errors in the conf list below. I am looking to do vanilla ACLS: web hosting and ftp access only.

Givens {
inner ip: 192.168.1.2
external ip: 200.100.80.100 ~ this number is fictional to protect my employer :)
255.255.255.248
}

Thanks in advance for any tips.

-Johnny


============================
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name pointloma.JoeWorkSytsems.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any any eq www
access-list inbound permit icmp any any
access-list inbound permit tcp any host 200.100.80.100 eq www
access-list inbound permit tcp any host 200.100.80.100 eq ftp
access-list inbound permit tcp any any eq ftp
access-list outside_access_in permit tcp interface outside any
access-list tcp any host 200.100.80.100 eq www
access-list tcp any eq ftp interface outside eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 200.100.80.100 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 0.0.0.0 255.255.255.255 outside
pdm location 192.168.1.2 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.1.2 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 1 200.100.80.1
global (inside) 1 192.168.1.4
nat (outside) 1 0.0.0.0 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) tcp interface 255.255.255.255 0 0
static (outside,inside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255 0 0
access-group interface outside
route outside 0.0.0.0 0.0.0.0 200.100.80.90 1
route inside 192.168.0.0 255.255.0.0 192.168.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:f688f5a2b2c885c3022a435f6dc29dc3
: end
[OK]
 
Sort by date Sort by votes
looks like you are calling the wrong access-list. Try adding:

access-group inbound in interface outside

That should go it

Mark Spencer
 
Upvote 0 Downvote
Have you gotten the port forwarding to work?

I am fairly new at PIX configuration, but I see a few things wrong. To get port forwarding you need a static route and a access-list or conduit.

The statics you have in your configuration state:
static (outside,inside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
(The interface ids are reversed should be (inside, outside))

Then your access-list
access-list 101 permit tcp any host 200.100.80.100 eq ftp
(I would add the port after the source ip (any eq ftp))

So the static should be:
static (inside, outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0

And, your access-list should be:
access-list 101 permit tcp any eq ftp host 200.100.80.100 eq ftp

I can not claim that this will totally fix the problem, but it is a start. I would also clean up the config file a little.

If you did fix the problem, please seen me your sanitized config so I can study it.

Yours,
Dale Rose
 
Upvote 0 Downvote
Something is messed up here:
global (outside) 1 interface
global (outside) 1 200.100.80.1
global (inside) 1 192.168.1.4
nat (outside) 1 0.0.0.0 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) tcp interface 255.255.255.255 0 0
static (outside,inside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0
static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255 0 0
access-group interface outside

to let traffic out all you need is

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

to get the intended traffic in you only need

static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255 0 0

-- note (inside,ouside) are reversed from original.

Interface could be replaced by 200.100.80.100 255.255.255.255

I would suggest that you do not do statics on the interface, it only serves to confuse you as you add servers/services. Get additional addresses from your ISP and do NAT if at all possible. So in theory your static becomes:
static (inside,outside) tcp 200.100.80.101 255.255.255.255 0 0
and the access list is adjusted accordingly.


and here

access-list tcp any host 200.100.80.100 eq www
access-list tcp any eq ftp interface outside eq ftp

either refer to the interface or IP address, (which are the same). Mixing them only makes things more difficult to comprehend.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
1K
Johnkite
Johnkite
Tommy_T
  • Locked
  • Question Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
989
nnaarrnn
nnaarrnn
Nitta84
  • Locked
  • Question Question
navigation slow and tcp syc/ack drop
Replies
0
Views
754
Nitta84
Nitta84
ISDPCMAN
  • Locked
  • Question Question
Cannot connect to TZ-215 Sonicwall appliance with web browser!
Replies
0
Views
325
ISDPCMAN
ISDPCMAN

Part and Inventory Search

Sponsor

Back
Top