FTP behind a PIX 501

Jun 26th, 2007

The answer to my problem is probably hidden among the hundreds of discussions already posted, so I apologize for my lack of experience/knowledge of networking, servers and all that.


I'm having several problems and all appear to point to the configuration of my PIX 501. Let's deal with this one first... Using Windows SBS 2003, I have set up an FTP site for my company. It works great internally, but no one outside of the company can access the file(s) that I want them to. I am aware that port 21 needs to be open for FTP and I'm pretty sure that it's enabled.


If this isn't enough information, please let me know so I can provide more details.

Correct Answer by acomiskey about 9 years 10 months ago

pixfirewall(config) # no static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255

pixfirewall(config) # static (inside,outside) tcp 65.65.172.57 ftp 10.0.0.2 ftp netmask 255.255.255.255

acomiskey Tue, 06/26/2007 - 05:44

That's almost enough information. I assume they are attempting to access it via a public IP address or the outside address of your PIX? If you want to, post a config, minus passwords etc. Let us know the inside FTP server address and the address outside users will use to access it.

wilsonargroup Tue, 06/26/2007 - 05:58

Thanks for the response. I'll paste the config at the bottom of this response. More questions though... I think your response has raised the question of whether I actually have the site set up properly. The inside address is 10.0.0.2. I wasn't aware that the outside users required an address. Can you help me with that issue? Here's the PIX config:


Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (.........) encrypted
passwd (.........) encrypted
hostname pixfirewall
domain-name wilsonargroup.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 65.65.172.58 eq www
access-list inbound permit tcp any host 65.65.172.58 eq smtp
access-list inbound permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 65.65.172.57 255.255.255.248
ip address inside 10.0.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 206.126.51.0 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.65.172.58 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.58 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 65.65.172.62 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 206.126.51.0 255.255.255.192 outside
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 206.x.x.0 255.255.255.192 outside
ssh timeout 5
console timeout 0
username admin password (......) encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
[OK]


acomiskey Tue, 06/26/2007 - 06:02

Users on the outside will not be able to access ftp://10.0.0.2, as that is not a routable Internet address.


This will work for ftp the same as it is now working for your www and smtp servers. They are accessed via 65.65.172.58.


So, if you wanted to do ftp://65.65.172.58, you would need to add...


access-list inbound permit tcp any host 65.65.172.58 eq ftp

static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0


Does that help?

wilsonargroup Tue, 06/26/2007 - 06:19

Great! I'll have to figure out how to add the line, but I'm sure I can figure it out. I'm new to this Admin role. I was sort of drafted into it a few months ago. I'll do another post if I have any problems.


Thanks for all of your help.

wilsonargroup Tue, 06/26/2007 - 06:50

Okay. It's a bit more complicated than I thought. I found the *.txt file and made the changes per your suggestion. I saved the file, but it hasn't changed on the PIX. Does something need to be rebooted?

acomiskey Tue, 06/26/2007 - 07:04

What .txt file?


How did you get the config out of the firewall? Are you connected to the console port?

wilsonargroup Tue, 06/26/2007 - 07:08

All of our equipment was set up by an outside vendor. After the sale, they abandoned me. I've been digging around in the system to figure out most stuff on my own.


The installer left a text file on the server and I assumed that was where the PIX got its information. Just digging a bit more, I found that not to be true. I sent you the copy that he left on the machine. Just a few moments ago, I viewed the actual file, but I don't know how to add the lines now.

acomiskey Tue, 06/26/2007 - 07:15

You should be able to telnet to the inside address from a machine on the 10.0.0.0 network.


1. telnet 10.0.0.1
2. login
3.

pixfirewall> en
Password: ******* (enable password here)
pixfirewall# config t
pixfirewall(config)# access-list inbound permit tcp any host 65.65.172.58 eq ftp
pixfirewall(config)# static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
pixfirewall(config)# exit
pixfirewall# wr mem
pixfirewall# exit



Please rate if these help.


wilsonargroup Tue, 06/26/2007 - 09:18

I made a couple of errors. The original config that I sent was apparently wrong. I'm resending an excerpt from the correct config with the changes that you suggested. Note that one line


"static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0"


has the IP address as 65.65.172.58 (my goof). I believe it should have been 65.65.172.57. Is it possible to change that one line? If so, how?


object-group service wag tcp
port-object eq telnet
port-object eq www
port-object eq https
port-object eq smtp
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 65.65.172.57 eq www
access-list inbound permit tcp any host 65.65.172.57 eq https
access-list inbound permit tcp any host 65.65.172.57 eq smtp
access-list inbound permit tcp any host 65.65.172.57 eq ftp
access-list inside_outbound_nat0_acl permit ip any 192.168.99.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.99.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 65.65.172.58 255.255.255.248
ip address inside 10.0.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.99.1-192.168.99.254
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 206.126.51.0 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 65.65.172.57
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.65.172.57 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 https 10.0.0.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
access-group inbound in interface outside

Correct Answer
acomiskey Tue, 06/26/2007 - 09:28

pixfirewall(config) # no static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255

pixfirewall(config) # static (inside,outside) tcp 65.65.172.57 ftp 10.0.0.2 ftp netmask 255.255.255.255
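The mismatch those two commands correct (an FTP static on 65.65.172.58 while the inbound access-list, and every other static, uses 65.65.172.57) is worth catching mechanically before suspecting the server. The script below is an added example, not from this thread or from Cisco: it parses the excerpt posted above (embedded here as a constructed sample, together with the same excerpt after the correction) and reports every public IP/port that is translated by a `static` but not permitted by the access-list applied to the outside interface, and every permit that has no matching `static`. It only understands port-level `static` entries and `access-list ... permit tcp|udp any host X eq Y` lines, which is all the excerpt contains; the service-name table is limited to the names used on this page.

```python
"""Cross-check PIX 6.3 static PAT entries against the inbound access-list.

Added example (not part of the thread). A public IP/port that appears in a
port-level `static` but not in the ACL bound to the outside interface, or the
other way round, is exactly the mismatch the accepted answer corrects.
"""
import re
from collections import namedtuple

# Constructed sample: the config excerpt posted earlier in this thread,
# before the `no static` / `static` correction was applied.
SAMPLE_CONFIG = """\
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 65.65.172.57 eq www
access-list inbound permit tcp any host 65.65.172.57 eq https
access-list inbound permit tcp any host 65.65.172.57 eq smtp
access-list inbound permit tcp any host 65.65.172.57 eq ftp
ip address outside 65.65.172.58 255.255.255.248
global (outside) 1 65.65.172.57
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.65.172.57 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 https 10.0.0.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

# The same excerpt after the accepted answer's two commands.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "static (inside,outside) tcp 65.65.172.58 ftp",
    "static (inside,outside) tcp 65.65.172.57 ftp",
)

# PIX accepts service names or numbers; normalise the names used on this page.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "http": 80, "https": 443}

def port_number(tok):
    """'ftp' -> 21, '21' -> 21; unknown names are returned unchanged."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok, tok)

# Only port-level (PAT) statics and simple host/port permits are parsed.
STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

Service = namedtuple("Service", "proto public_ip port")

def parse(config):
    """Return ({Service: (real_ip, real_port)}, {acl_name: {Service}}, {iface: acl_name})."""
    statics, acls, groups = {}, {}, {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            _outside_if, proto, pub_ip, pub_port, real_ip, real_port = m.groups()
            statics[Service(proto, pub_ip, port_number(pub_port))] = (real_ip, port_number(real_port))
        elif m := ACL_RE.match(line):
            name, proto, ip, p = m.groups()
            acls.setdefault(name, set()).add(Service(proto, ip, port_number(p)))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            groups[iface] = name
    return statics, acls, groups

def audit(config, outside_if="outside"):
    """Return (nat_only, acl_only): translations nothing permits, and permits that translate nothing."""
    statics, acls, groups = parse(config)
    permitted = acls.get(groups.get(outside_if, ""), set())
    nat_only = sorted((s for s in statics if s not in permitted), key=str)
    acl_only = sorted((s for s in permitted if s not in statics), key=str)
    return nat_only, acl_only

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        nat_only, acl_only = audit(cfg)
        print(f"{label}: static without permit: {nat_only}; permit without static: {acl_only}")
```

Run against the excerpt as posted it flags tcp/65.65.172.58/21 as translated but never permitted and tcp/65.65.172.57/21 as permitted but never translated; after the correction both lists are empty. It deliberately says nothing about whether the inside server actually listens on the port, which is the next thing to check when the firewall side is clean.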

wilsonargroup Tue, 06/26/2007 - 10:35

I've gotten this all done, but still can't access my FTP site. I'm about to start all over again with creating a new site. I welcome any other ideas or suggestions.

acomiskey Tue, 06/26/2007 - 10:38

Um, it does work. Are you sure you tried ftp 65.65.172.57 from OUTSIDE, not from inside?


If you are trying from inside the pix you need to do ftp 10.0.0.2.

wilsonargroup Tue, 06/26/2007 - 10:46

Well...I'm going by what my test person told me. Let me have them try again.

wilsonargroup Tue, 06/26/2007 - 10:55

Well, again my person says that all he sees is a blank page. It said it was getting contents of the folder, but nothing ever happens. As a matter of fact, when I key in ftp://65.65.172.57, all I get is that blank page. Are you actually able to see the file that I have in that directory?

acomiskey Tue, 06/26/2007 - 11:00

If you have them open a command prompt and type


C:\>ftp 65.65.172.57


They will be prompted for username and password (this means that the PIX is working).


If you do this via the web browser, ftp://65.65.172.57, go up to File and select "login as".

wilsonargroup Thu, 06/28/2007 - 05:21

I forgot to post that my FTP problem has been resolved. Thanks for all the time you spent helping/teaching me how to configure my PIX.

acomiskey Thu, 06/28/2007 - 05:30

wilsonargroup, glad it worked out. Please check that not just anyone can access your FTP site and files.

wilsonargroup Thu, 06/28/2007 - 05:50

Well, that's what I'm researching now. Currently, anyone who knows the URL has access to the files.
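The quickest way to check that from outside the PIX is to see whether the server grants an anonymous login on port 21. The probe below is an added example, not from this thread: `anonymous_login_allowed` uses Python's standard ftplib against a real host, and `StubFTPServer` is a constructed stand-in so the probe can be exercised offline. Pointed at the public address (65.65.172.57 in this thread) from a host outside the firewall, a refused connection means the PIX is still blocking the service, a 530 means the site requires credentials, and a 230 means anyone who knows the URL can log in and read the files. The probe only uses the control channel, so it does not depend on the FTP fixup opening a data connection.

```python
"""Probe an FTP service for anonymous access.

Added example (not part of the thread). `anonymous_login_allowed` uses the
standard library's ftplib; `StubFTPServer` is a constructed control-channel
stub that answers only USER, PASS and QUIT so the probe runs offline.
"""
import ftplib
import socket
import threading

def anonymous_login_allowed(host, port=21, timeout=5):
    """True if 'anonymous' is granted a session, False if the server refuses it.

    A connection failure is raised rather than swallowed: a closed or filtered
    port 21 (the firewall still blocking the service) must not be reported as
    'anonymous denied'.
    """
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login("anonymous", "probe@example.com")  # assumed probe identity
        return True
    except ftplib.error_perm:  # 5xx reply to USER/PASS, typically 530
        return False
    finally:
        try:
            ftp.quit()
        except (ftplib.Error, OSError):
            ftp.close()

class StubFTPServer(threading.Thread):
    """Constructed single-connection stub with a configurable anonymous policy."""

    def __init__(self, allow_anonymous):
        super().__init__(daemon=True)
        self.allow_anonymous = allow_anonymous
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))  # ephemeral loopback port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        reader = conn.makefile("r", encoding="latin-1", newline="\r\n")
        conn.sendall(b"220 stub FTP ready\r\n")
        user = None
        for line in reader:
            cmd, _, arg = line.rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg.lower()
                conn.sendall(b"331 Password required\r\n")
            elif cmd == "PASS":
                granted = user == "anonymous" and self.allow_anonymous
                conn.sendall(b"230 Logged in\r\n" if granted else b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                conn.sendall(b"221 Goodbye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")
        reader.close()
        conn.close()
        self.listener.close()

def probe_stub(allow_anonymous):
    """Start a stub with the given policy, probe it, and return the probe result."""
    server = StubFTPServer(allow_anonymous)
    server.start()
    result = anonymous_login_allowed("127.0.0.1", server.port)
    server.join(timeout=5)
    return result

if __name__ == "__main__":
    print("stub that allows anonymous:", probe_stub(True))
    print("stub that refuses anonymous:", probe_stub(False))
```

Against a real server, call `anonymous_login_allowed("65.65.172.57")` from a machine outside the firewall; if it returns True, the server's anonymous account is what needs to be disabled, not the PIX rules, which are doing exactly what the thread configured them to do.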
