ftp server - passive mode with static ports

Unanswered Question

Hi,


This is my second post regarding the same topic. I am working with the Cisco engineer on this case but we're still playing phone tag. So, I just want to post my config to everyone for review.

Objective:

A serv-u ftp server behind the pix firewall on subnet 192.168.1.x. The ftp server IP is 192.168.1.141. The serv-u ftp server is set to do passive mode on the range of ports from 60000 to 60040. I want to configure the pix to handle all things pertaining to the ftp.


Here's my configuration with a few modifications for security.


PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MYFIREWALL
domain-name MYDOMAIN.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service passive_mode tcp
port-object range 60000 60040
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-list FTPonly permit tcp any host 222.222.222.222 eq ftp
access-list FTPonly permit tcp any host 222.222.222.222 eq 8200
access-list FTPonly permit tcp any host 222.222.222.222 eq 8016
access-list FTPonly permit tcp any host 222.222.222.222 eq 10019
access-list FTPonly permit tcp any interface outside object-group passive_mode
access-list vpn_access permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 222.x.x.x.x.255.224
ip address inside 192.168.1.100 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 10.10.15.1-10.10.15.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn_access
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp 222.222.222.222 ftp 192.168.1.141 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 8200 192.168.1.139 8200 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 8016 192.168.1.139 8016 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 10019 192.168.1.139 10019 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60000 192.168.1.141 60000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60001 192.168.1.141 60001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60002 192.168.1.141 60002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60003 192.168.1.141 60003 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60004 192.168.1.141 60004 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60005 192.168.1.141 60005 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60006 192.168.1.141 60006 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60007 192.168.1.141 60007 netmask 255.255.255.255 0 0
.....up to 60040
access-group FTPonly in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 222.222.222.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
myfirewall(config)#


Thanks,

Travis.
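Added example (not from the thread or from Cisco): a small Python checker that reads a PIX 6.3 config in the form pasted above and reports which ports of the passive_mode range have no one-to-one static to the FTP server, and whether the outside ACL actually references the object-group. The embedded config is a constructed, shortened copy of the post's config with some statics deliberately left out so the gap shows; the function names are my own.

```python
import re

# Constructed sample: abbreviated from the post, with statics for 60002 and
# 60004-60040 deliberately missing so the checker has something to report.
SAMPLE_CONFIG = """
object-group service passive_mode tcp
port-object range 60000 60040
access-list FTPonly permit tcp any host 222.222.222.222 eq ftp
access-list FTPonly permit tcp any interface outside object-group passive_mode
static (inside,outside) tcp 222.222.222.222 ftp 192.168.1.141 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60000 192.168.1.141 60000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60001 192.168.1.141 60001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60003 192.168.1.141 60003 netmask 255.255.255.255 0 0
access-group FTPonly in interface outside
"""

GROUP_RE = re.compile(r"^object-group service (\S+) tcp\b")
RANGE_RE = re.compile(r"^port-object range (\d+) (\d+)")
# static (in,out) tcp <outside-ip> <outside-port> <inside-ip> <inside-port> netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")

def passive_ranges(config):
    """Map each tcp service object-group name to its list of (low, high) ranges."""
    groups, current = {}, None
    for line in config.splitlines():
        g, r = GROUP_RE.match(line), RANGE_RE.match(line)
        if g:
            current = g.group(1)
            groups[current] = []
        elif r and current:
            groups[current].append((int(r.group(1)), int(r.group(2))))
        elif line.strip():          # any other statement ends the group body
            current = None
    return groups

def static_ports(config, server_ip):
    """Outside tcp ports that a static maps 1:1 (same port) onto server_ip."""
    ports = set()
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and m.group(5) == server_ip and m.group(4).isdigit() and m.group(4) == m.group(6):
            ports.add(int(m.group(4)))
    return ports

def missing_passive_statics(config, server_ip, group):
    """Ports in the passive range with no matching static; these data connections would fail."""
    expected = set()
    for low, high in passive_ranges(config).get(group, []):
        expected.update(range(low, high + 1))
    return sorted(expected - static_ports(config, server_ip))

def acl_references_group(config, acl, group):
    """True if the ACL uses the object-group; without it the statics are never reachable."""
    return any(l.startswith(f"access-list {acl} ") and f"object-group {group}" in l
               for l in config.splitlines())
```

Run it against the real config to confirm that every port in the 60000-60040 range really has a static; the "up to 60040" shorthand in a post is exactly where a typo or a skipped port hides.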

Patrick Laidlaw Mon, 01/23/2006 - 16:50

Travis,


So is there a specific problem you have and want answered or are you trying to just verify that your configuration is correct?


At first glance I see that you have your statics set up for each of the ports. You have your access-list in place for your ports. So that portion looks correct.


Patrick

Hi,


When the pix is in use, the internal users behind the firewall could not ping addresses on the outside. I had to add the following entry

access-list outside_access_in permit ip any any

access-group outside_access_in in interface outside


But, I have another problem. When the pix is used for internet access on the network with 20+ computers, the pix goes down. When I tested with a few computers connecting to the internet, the pix works fine. It seems the flow of traffic between eth0 and eth1 is not smooth.


OR is it that the pix might be defective.



Thanx.

Travis.

Patrick Laidlaw Tue, 01/24/2006 - 13:32

Travis,


A couple of years ago there was a hardware issue in a group of pixes which would make them freeze up as soon as they started getting any kind of real load. I can't find the url that allowed you to put the serial number in to see if your pix was possibly affected by this.


Before calling it a faulty pix I would upgrade to the latest Pix version either 6.3.5 or 7.0.4 depending on how much flash/memory you have.


For your ping issues you can permit just icmp in. Also depending on which version you're running you can just use the icmp command.

Option A

access-list outside_access_in permit icmp any any

access-group outside_access_in in interface outside


Option B

icmp permit any any outside




Patrick

Hope this helps.
