06-26-2007 05:40 AM - edited 03-11-2019 03:35 AM
The answer to my problem is probably hidden among the hundreds of discussions already posted, so I apologize for my lack of experience/knowledge of networking, servers and all that.
I'm having several problems and all appear to point to the configuration of my PIX 501. Let's deal with this one first...Using Windows SBS 2003, I have set up an FTP site for my company. It works great internally, but no one outside of the company can access the file(s) that I want them to. I am aware that Port 21 needs to be open for FTP and I'm pretty sure that it's enabled.
If this isn't enough information, please let me know so I can provide more details.
06-26-2007 05:44 AM
That's almost enough information. I assume they are attempting to access it via a public ip address or the outside address of your pix? If you want to, post a config, minus passwords etc. Let us know the inside ftp server address and the address outside users will use to access it.
06-26-2007 05:58 AM
Thanks for the response. I'll paste the config at the bottom of this response. More questions though...I think your response has raised the question of whether I actually have the site set up properly. The inside address is 10.0.0.2. I wasn't aware that the outside users required an address. Can you help me with that issue?? Here's the PIX config:
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (.........)encrypted
passwd (.........)encrypted
hostname pixfirewall
domain-name wilsonargroup.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 65.65.172.58 eq www
access-list inbound permit tcp any host 65.65.172.58 eq smtp
access-list inbound permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 65.65.172.57 255.255.255.248
ip address inside 10.0.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 206.126.51.0 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.65.172.58 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.58 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 65.65.172.62 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 206.126.51.0 255.255.255.192 outside
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 206.x.x.0 255.255.255.192 outside
ssh timeout 5
console timeout 0
username admin password (......) encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
[OK]
06-26-2007 06:02 AM
Users on the outside will not be able to access ftp://10.0.0.2 as that is not a routable internet address.
This will work for ftp the same as it is now working for your www and smtp servers. They are accessed via 65.65.172.58.
So, if you wanted to do ftp://65.65.172.58, you would need to add...
access-list inbound permit tcp any host 65.65.172.58 eq ftp
static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
Does that help?
06-26-2007 06:19 AM
Great! I'll have to figure out how to add the line, but I'm sure I can figure it out. I'm new to this Admin role. I was sort of drafted into it a few months ago. I'll do another post if I have any problems.
Thanks for all of your help.
06-26-2007 06:50 AM
Okay. It's a bit more complicated than I thought. I found the *.txt file and made the changes per your suggestion. I saved the file, but it hasn't changed on the PIX. Does something need to be rebooted??
06-26-2007 07:04 AM
What .txt file?
How did you get the config out of the firewall? Are you connected to the console port?
06-26-2007 07:08 AM
All of our equipment was set up by an outside vendor. After the sale, they abandoned me. I've been digging around in the system to figure out most stuff on my own.
The installer left a text file on the server and I assumed that was where the PIX got its information. Just digging a bit more, I found that not to be true. I sent you the copy that he left on the machine. Just a few moments ago, I viewed the actual file, but I don't know how to add the lines now.
06-26-2007 07:15 AM
You should be able to telnet to the inside address from a machine on the 10.0.0.0 network.
1. telnet 10.0.0.1
2. login
3.
pixfirewall> en
Password: ******* (enable password here)
pixfirewall# config t
pixfirewall(config)# access-list inbound permit tcp any host 65.65.172.58 eq ftp
pixfirewall(config)# static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
pixfirewall(config)# exit
pixfirewall# wr mem
pixfirewall# exit
Please rate if these help.
06-26-2007 09:18 AM
I made a couple of errors. The original config that I sent was apparently wrong. I'm resending an excerpt from the correct config with the changes that you suggested. Note that one line
"static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0"
has the IP address as 65.65.172.58 (my goof). I believe it should have been 65.65.172.57. Is it possible to change that one line? If so, how?
object-group service wag tcp
port-object eq telnet
port-object eq www
port-object eq https
port-object eq smtp
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 65.65.172.57 eq www
access-list inbound permit tcp any host 65.65.172.57 eq https
access-list inbound permit tcp any host 65.65.172.57 eq smtp
access-list inbound permit tcp any host 65.65.172.57 eq ftp
access-list inside_outbound_nat0_acl permit ip any 192.168.99.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.99.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 65.65.172.58 255.255.255.248
ip address inside 10.0.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.99.1-192.168.99.254
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 206.126.51.0 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 65.65.172.57
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.65.172.57 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 https 10.0.0.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
06-26-2007 09:28 AM
pixfirewall(config)# no static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255
pixfirewall(config)# static (inside,outside) tcp 65.65.172.57 ftp 10.0.0.2 ftp netmask 255.255.255.255
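The mistake above (an ftp static pointing at 65.65.172.58 while the inbound ACL permits ftp to 65.65.172.57, and .58 is now the outside interface address) is the kind of mismatch a quick consistency check catches before anyone phones a test person. The script below is an added example, not code from the thread or from Cisco; it assumes only the PIX 6.3 line formats shown in the posted configs, and the sample config is constructed to mirror the pre-fix excerpt.

```python
import re
from typing import List

# Constructed excerpt modelled on the second config as posted, before the fix:
# outside interface is .58, the inbound ACL permits ftp to .57, but the ftp
# static still maps .58.
SAMPLE_CONFIG = """
ip address outside 65.65.172.58 255.255.255.248
access-list inbound permit tcp any host 65.65.172.57 eq www
access-list inbound permit tcp any host 65.65.172.57 eq ftp
static (inside,outside) tcp 65.65.172.57 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

STATIC_RE = re.compile(r"^static \(inside,outside\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")
OUTSIDE_RE = re.compile(r"^ip address outside (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside")


def check_statics(config: str) -> List[str]:
    """Return one finding per port-forward (static) that outside clients could not reach."""
    statics, permits, outside_ip, inbound_acl = [], set(), None, None
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append(m.groups())          # (public ip, public port, inside ip, inside port)
        elif m := ACL_RE.match(line):
            permits.add((m.group(1), m.group(2), m.group(3)))  # (acl name, host, port)
        elif m := OUTSIDE_RE.match(line):
            outside_ip = m.group(1)
        elif m := GROUP_RE.match(line):
            inbound_acl = m.group(1)            # the ACL actually bound to the outside interface
    findings = []
    for pub_ip, pub_port, inside_ip, inside_port in statics:
        # A static whose public address is the outside interface's own address is
        # out of step with the other statics and with the ACL; flag it for review.
        if pub_ip == outside_ip:
            findings.append(f"{pub_port}: static public address {pub_ip} is the outside "
                            f"interface address; other statics and the ACL use a different host")
        # Without a permit in the bound ACL the packet is dropped before translation.
        if inbound_acl is None or (inbound_acl, pub_ip, pub_port) not in permits:
            findings.append(f"{pub_port}: no permit in inbound ACL {inbound_acl!r} for "
                            f"tcp host {pub_ip} eq {pub_port} -> {inside_ip}:{inside_port}")
    return findings


if __name__ == "__main__":
    for finding in check_statics(SAMPLE_CONFIG):
        print(finding)
```

Re-running the check after moving the ftp static to 65.65.172.57, as the reply above does, yields no findings.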
06-26-2007 10:35 AM
I've gotten this all done, but still can't access my FTP site. I'm about to start all over again with creating a new site. I welcome any other ideas or suggestions.
06-26-2007 10:38 AM
Um, it does work. Are you sure you tried ftp 65.65.172.57 from OUTSIDE, not from inside?
If you are trying from inside the pix you need to do ftp 10.0.0.2.
06-26-2007 10:46 AM
Well...I'm going by what my test person told me. Let me have them try again.
06-26-2007 10:55 AM
Well, again my person says that all he sees is a blank page. It said it was getting contents of the folder, but nothing ever happens. As a matter of fact, when I key in ftp://65.65.172.57, all I get is that blank page. Are you actually able to see the file that I have in that directory?