ftp forwarding on pix515e

capajaron · ‎06-14-2008

Hi,

Could someone help me with configuring FTP port forwarding with pix515e?.

Have tried this setup:

static (inside,outside) tcp 203.175.x.x 20 10.130.x.x 20

static (inside,outside) tcp 203.175.x.x. 21 10.130.x.x. 21

Then added it to the allow list of access-list.

Here is the complete setup.

Public->Router----->PIX------>Router-->FTPServer

202.176.x.x->203.175.x.x->y.y.y.y->10.130.x.x

>I just need to port forward ftp traffic to 10.130.x.x from the web.

>is it possible if i will be pointing an ftp traffic to 203.175.x.x ip from the web then the pix will forward it to 10.130.x.x ftp server?

I already made a post, but unfortunately i have given the incomplete setup and the guys that had replied are not yet available as of this time.

Thanks

Cliff

hennigan · ‎06-14-2008

Configure your statics without the port numbers.

static (inside,outside) 203.175.x.x 10.130.x.x

On the access-list permit ftp and ftp-data to the outside address.

access-list acl-in permit tcp any host 203.175.x.x eq ftp

access-list acl-in permit tcp any host 203.175.x.x eq ftp-data

Enable ftp fixup (PIX 6.x) or inspect ftp (PIX 7.x)

You need the static to not limit ports. This is to encompass both the initial control and data ports as well as high ports that will be used during the actual transfer. The fixup or inspect rule will allow stateful inspection and opening/closing of dynamic ports as required.

capajaron · ‎06-15-2008

Hi,

Is it ok if I will be using and ip address within 203.175.x.x block that's not being used?.

Thanks

Cliff

hennigan · ‎06-15-2008

Yes. Use an address within the subnet of the outside interface other than that of the PIX itself.