FTP behind a PIX 501

wilsonargroup
Level 1

The answer to my problem is probably hidden among the hundreds of discussions already posted, so I apologize for my lack of experience/knowledge of networking, servers and all that.

I'm having several problems and all appear to point to the configuration of my PIX 501. Let's deal with this one first...Using Windows SBS 2003, I have set up an FTP site for my company. It works great internally, but no one outside of the company can access the file(s) that I want them to. I am aware that Port 21 needs to be open for FTP and I'm pretty sure that it's enabled.

If this isn't enough information, please let me know so I can provide more details.


18 Replies

acomiskey
Level 10

That's almost enough information. I assume they are attempting to access it via a public ip address or the outside address of your pix? If you want to, post a config, minus passwords etc. Let us know the inside ftp server address and the address outside users will use to access it.

Thanks for the response. I'll paste the config at the bottom of this response. More questions though...I think your response has raised the question of whether I actually have the site set up properly. The inside address is 10.0.0.2. I wasn't aware that the outside users required an address. Can you help me with that issue?? Here's the PIX config:

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password (.........) encrypted
passwd (.........) encrypted
hostname pixfirewall
domain-name wilsonargroup.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inbound permit tcp any host 65.65.172.58 eq www
access-list inbound permit tcp any host 65.65.172.58 eq smtp
access-list inbound permit icmp any any echo-reply
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 65.65.172.57 255.255.255.248
ip address inside 10.0.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 206.126.51.0 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.65.172.58 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.58 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 65.65.172.62 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 206.126.51.0 255.255.255.192 outside
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.255.0.0 inside
telnet timeout 5
ssh 206.x.x.0 255.255.255.192 outside
ssh timeout 5
console timeout 0
username admin password (......) encrypted privilege 15
terminal width 80
Cryptochecksum:xxx
: end
[OK]

Users on the outside will not be able to access ftp://10.0.0.2 as that is not a routable internet address.

This will work for ftp the same as it is now working for your www and smtp servers. They are accessed via 65.65.172.58.

So, if you wanted to do ftp://65.65.172.58, you would need to add...

access-list inbound permit tcp any host 65.65.172.58 eq ftp
static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0

Does that help?

Great! I'll have to figure out how to add the line, but I'm sure I can figure it out. I'm new to this Admin role. I was sort of drafted into it a few months ago. I'll do another post if I have any problems.

Thanks for all of your help.

Okay. It's a bit more complicated than I thought. I found the *.txt file and made the changes per your suggestion. I saved the file, but it hasn't changed on the PIX. Does something need to be rebooted??

What .txt file?

How did you get the config out of the firewall? Are you connected to the console port?

All of our equipment was set up by an outside vendor. After the sale, they abandoned me. I've been digging around in the system to figure out most stuff on my own.

The installer left a text file on the server and I assumed that was where the PIX got its information. Just digging a bit more, I found that not to be true. I sent you the copy that he left on the machine. Just a few moments ago, I viewed the actual file, but I don't know how to add the lines now.

You should be able to telnet to the inside address from a machine on the 10.0.0.0 network.

1. telnet 10.0.0.1
2. login
3.
pixfirewall > en
Password: ******* (enable password here)
pixfirewall # config t
pixfirewall(config) # access-list inbound permit tcp any host 65.65.172.58 eq ftp
pixfirewall(config) # static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
pixfirewall(config) # exit
pixfirewall # wr mem
pixfirewall # exit

Please rate if these help.

I made a couple of errors. The original config that I sent was apparently wrong. I'm resending an excerpt from the correct config with the changes that you suggested. Note that one line

"static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0"

has the IP address as 65.65.172.58 (my goof). I believe it should have been 65.65.172.57. Is it possible to change that one line? If so, how?

object-group service wag tcp
port-object eq telnet
port-object eq www
port-object eq https
port-object eq smtp
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 65.65.172.57 eq www
access-list inbound permit tcp any host 65.65.172.57 eq https
access-list inbound permit tcp any host 65.65.172.57 eq smtp
access-list inbound permit tcp any host 65.65.172.57 eq ftp
access-list inside_outbound_nat0_acl permit ip any 192.168.99.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.99.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 65.65.172.58 255.255.255.248
ip address inside 10.0.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.99.1-192.168.99.254
pdm location 10.0.0.2 255.255.255.255 inside
pdm location 206.126.51.0 255.255.255.192 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 65.65.172.57
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.65.172.57 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 https 10.0.0.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
access-group inbound in interface outside

pixfirewall(config) # no static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255
pixfirewall(config) # static (inside,outside) tcp 65.65.172.57 ftp 10.0.0.2 ftp netmask 255.255.255.255
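As an added example (not part of this thread or of any Cisco tool), here is a small Python script that does the check acomiskey did by eye: it pairs every TCP entry of the access-list applied inbound on the outside interface with a static of the same global address and port, and reports entries without a partner, so the .57/.58 mismatch above shows up as two findings. The SAMPLE text is a constructed excerpt modelled on the second config in the thread, and the port-name table is an assumption covering only the service keywords used here.

```python
import re
from typing import Dict, List, Set, Tuple

# PIX 6.3 service keywords normalised to port numbers so "www" and "80"
# compare equal (assumption: only the names used in this thread are covered).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80, "http": 80, "https": 443}

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+tcp\s+any\s+host\s+(\S+)\s+eq\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s+\(inside,outside\)\s+tcp\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+netmask\b")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+outside$")

def port(name: str) -> int:
    return int(name) if name.isdigit() else PORT_NAMES[name]

def audit(config: str) -> List[str]:
    """Return one finding per inbound ACL entry or static that has no counterpart."""
    acl: Dict[str, Set[Tuple[str, int]]] = {}   # ACL name -> {(global ip, port)}
    statics: Set[Tuple[str, int]] = set()        # {(global ip, port)} that have a translation
    inbound = None                               # name of the ACL applied inbound on outside
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl.setdefault(m[1], set()).add((m[2], port(m[3])))
        elif m := STATIC_RE.match(line):
            statics.add((m[1], port(m[2])))
        elif m := GROUP_RE.match(line):
            inbound = m[1]
    permitted = acl.get(inbound, set())
    findings = []
    # Permitted by the ACL but never translated: there is no inside host to deliver to.
    for ip, p in sorted(permitted - statics):
        findings.append(f"ACL permits {ip}:{p} but no static translates it")
    # Translated but never permitted: the static exists, yet outside users cannot reach it.
    for ip, p in sorted(statics - permitted):
        findings.append(f"static for {ip}:{p} is not permitted by ACL {inbound}")
    return findings

# Constructed excerpt modelled on the second config posted in the thread.
SAMPLE = """\
access-list inbound permit icmp any any echo-reply
access-list inbound permit tcp any host 65.65.172.57 eq www
access-list inbound permit tcp any host 65.65.172.57 eq https
access-list inbound permit tcp any host 65.65.172.57 eq smtp
access-list inbound permit tcp any host 65.65.172.57 eq ftp
static (inside,outside) tcp 65.65.172.57 www 10.0.0.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 https 10.0.0.2 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.57 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running it against the real `show run` output of a PIX 6.3 box works the same way, since the script ignores every line it does not recognise.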

I've gotten this all done, but still can't access my FTP site. I'm about to start all over again with creating a new site. I welcome any other ideas or suggestions.

Um, it does work. Are you sure you tried ftp 65.65.172.57 from OUTSIDE, not from inside?

If you are trying from inside the pix you need to do ftp 10.0.0.2.

Well...I'm going by what my test person told me. Let me have them try again.

Well, again my person says that all he sees is a blank page. It said it was getting contents of the folder, but nothing ever happens. As a matter of fact, when I key in ftp://65.65.172.57, all I get is that blank page. Are you actually able to see the file that I have in that directory?
