New Member

Pix 501 ftp port forwarding troubles~!

Hello, all. I am having a surprising amount of trouble getting my PIX 501 to do port forwarding correctly to expose my internally-hosted FTP site to the outside world.

My FTP server is on 192.168.1.200 and has been added to my PIX as a named host of WAServ2003 as you can see from my config dump (follows).

After spending way too much time on trying to puzzle my way thru this challenge, can anyone spot any problems from my config dump here?

Appreciate any comments/ideas. Thanks in advance.

-Steve B.

Building configuration...
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXX encrypted
passwd XXXX encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.200 WAServ2003
access-list outside_access_in permit tcp 64.248.63.128 255.255.255.128 eq ftp host 64.248.63.140 eq ftp
pager lines 24
logging on
logging console debugging
logging buffered informational
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 64.x.x.140 255.255.255.128
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location WAServ2003 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp WAServ2003 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.248.63.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 216.175.203.50 216.175.203.59
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain watsonandassociates.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
[OK]

10 REPLIES
Green

Re: Pix 501 ftp port forwarding troubles~!

Get rid of the source port in your acl...

access-list outside_access_in permit tcp 64.248.63.128 255.255.255.128 host 64.248.63.140 eq ftp

or

access-list outside_access_in permit tcp 64.248.63.128 255.255.255.128 interface outside eq ftp

Please rate helpful posts.

New Member

Re: Pix 501 ftp port forwarding troubles~!

Good point (and thanks), but I just did that and still cannot get it; any other ideas re: what might be wrong here...?

Green

Re: Pix 501 ftp port forwarding troubles~!

Want to post the new config?

Are you trying to ftp from 64.248.63.128 255.255.255.128?

New Member

Re: Pix 501 ftp port forwarding troubles~!

Hi,

I have a question. When you have assigned the IP address 64.248.63.140 255.255.255.128 to the interface, doesn't it mean access from the internet to the network segment 64.248.63.128/25 will be pointing towards this interface?

Please try modifying the ACL from

access-list outside_access_in permit tcp 64.248.63.128 255.255.255.128 eq ftp host 64.248.63.140 eq ftp

to

access-list outside_access_in permit tcp any eq ftp host 64.248.63.140 eq ftp

or

access-list outside_access_in permit tcp eq ftp host 64.248.63.140 eq ftp

Thanks, AJ

New Member

Re: Pix 501 ftp port forwarding troubles~!

Changes made but still no-joy.

This must be something incredibly simple, since it sure looks OK to me.

Other thoughts?

New config reads....

Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXX encrypted
passwd XXXX encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.200 WAServ2003
access-list outside_access_in permit tcp 64.248.63.128 255.255.255.128 host 64.248.63.140 eq ftp
access-list outside_access_in permit tcp any eq ftp host 64.248.63.140 eq ftp
pager lines 24
logging on
logging console debugging
logging buffered informational
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 64.x.x.140 255.255.255.128
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location WAServ2003 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp WAServ2003 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.248.63.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 216.x.x.50 216.175.203.59
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain watsonandassociates.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
[OK]

Green

Re: Pix 501 ftp port forwarding troubles~!

no access-list outside_access_in permit tcp 64.248.63.128 255.255.255.128 host 64.248.63.140 eq ftp

no access-list outside_access_in permit tcp any eq ftp host 64.248.63.140 eq ftp

access-list outside_access_in permit tcp any host 64.248.63.140 eq ftp

Green

Re: Pix 501 ftp port forwarding troubles~!

You do not want to put a source port in the acl...it will never match.
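The point made in the reply above, that an ACE carrying a source-port clause ("eq ftp" before the destination) never matches a real client, can be checked with the following small Python model of how a PIX 6.x inbound ACL and the posted static are applied. This is an added example written for this page, not code from the thread, from the poster or from Cisco. It assumes a client in documentation address space (203.0.113.5, a constructed value) opening the FTP control channel from an ephemeral port, reuses the outside address, the "name" entry WAServ2003 and the static from the posted config, treats "interface outside" in an ACE as the outside interface's own address, and models the PIX 6.x behaviour of matching an outside ACL against the global (mapped) address before the static untranslates the destination to the inside host.

```python
"""Toy model of PIX 6.x inbound ACL + static PAT handling (constructed example, not PIX code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUTSIDE_IF = "64.248.63.140"                        # outside interface address from the thread
HOSTS = {"WAServ2003": "192.168.1.200"}             # the PIX "name" table from the thread
SERVICES = {"ftp": 21, "ftp-data": 20, "http": 80}  # keywords accepted after "eq"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]

def _port(tok: str) -> int:
    return SERVICES[tok] if tok in SERVICES else int(tok)

def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """PIX address forms: any | host A.B.C.D | interface outside | A.B.C.D MASK (a real mask)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if t[i] == "interface":  # assumption: 'interface outside' means OUTSIDE_IF
        return ipaddress.ip_network(OUTSIDE_IF + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(t) and t[i] == "eq":
        return _port(t[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny tcp SRC [eq P] DST [eq P]'."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    src_port, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dst_port, _ = _parse_port(t, i)
    return Ace(t[2], t[3], src, src_port, dst, dst_port)

def ace_matches(ace: Ace, f: Flow) -> bool:
    # A port clause only matches when the packet's port is exactly that value.
    return (ace.proto == "tcp"
            and ipaddress.ip_address(f.src_ip) in ace.src
            and (ace.src_port is None or f.src_port == ace.src_port)
            and ipaddress.ip_address(f.dst_ip) in ace.dst
            and (ace.dst_port is None or f.dst_port == ace.dst_port))

def evaluate_acl(acl: List[str], f: Flow) -> Tuple[str, Optional[str]]:
    """First matching ACE wins; every ACL ends in an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, f):
            return ace.action, line
    return "deny", None

def apply_static(static_line: str, f: Flow) -> Flow:
    """'static (inside,outside) tcp interface MP REAL RP ...': OUTSIDE_IF:MP is untranslated to REAL:RP."""
    t = static_line.split()
    mapped_port, real_host, real_port = _port(t[4]), HOSTS.get(t[5], t[5]), _port(t[6])
    if f.dst_ip == OUTSIDE_IF and f.dst_port == mapped_port:
        return Flow(f.src_ip, f.src_port, real_host, real_port)
    return f

def inbound(acl: List[str], static_line: str, f: Flow) -> Tuple[str, Flow]:
    """Outside ACL is matched on the global (mapped) address; only a permitted flow reaches the static."""
    verdict, _ = evaluate_acl(acl, f)
    return verdict, (apply_static(static_line, f) if verdict == "permit" else f)

STATIC = "static (inside,outside) tcp interface ftp WAServ2003 ftp netmask 255.255.255.255 0 0"
WITH_SRC_PORT = ["access-list outside_access_in permit tcp any eq ftp host 64.248.63.140 eq ftp"]
FIXED = ["access-list outside_access_in permit tcp any host 64.248.63.140 eq ftp"]
# Constructed client (RFC 5737 documentation space) opening the control channel from an ephemeral port.
CLIENT = Flow("203.0.113.5", 51234, OUTSIDE_IF, 21)

if __name__ == "__main__":
    print(inbound(WITH_SRC_PORT, STATIC, CLIENT))  # deny: source port 51234 is not 21
    print(inbound(FIXED, STATIC, CLIENT))          # permit, destination untranslated to 192.168.1.200:21
```

Feeding the subnet-scoped ACE from the original post (source 64.248.63.128 255.255.255.128, no source port) to evaluate_acl shows the other thing the thread asks about: a client outside 64.248.63.128/25 is still denied even once the source port is gone, so that ACE only helps if the test client really sits in that /25.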

New Member

Re: Pix 501 ftp port forwarding troubles~!

Thanks everyone for the speedy feedback, but following all these steps I still get no luck on ftp to 64.x.x.140 from anywhere outside my network.

FTP server confirms responding to 192.168.1.200 from INSIDE the network just fine so that isn't the trouble (issue is def. with the config on the PIX *somewhere*).

Here is my updated config. I have also applied the ACL to the interface using the access-group settings (seen below) but that seems to make no difference either.

Further suggestions?

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXX encrypted
passwd XXXX encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.200 WAServ2003
access-list outside_access_in permit tcp any host 64.248.63.140 eq ftp
pager lines 24
logging on
logging console debugging
logging buffered informational
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 64.248.63.140 255.255.255.128
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location WAServ2003 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp WAServ2003 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.248.63.129 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 216.175.203.50 216.175.203.59
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain watsonandassociates.com
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
[OK]

Re: Pix 501 ftp port forwarding troubles~!

Hi, try

access-list outside_access_in permit tcp any interface outside eq ftp

I hope it helps .. please rate it if it does !!!

New Member

Re: Pix 501 ftp port forwarding troubles~!

Adding a NAT for port 20 should work:

static (inside,outside) tcp interface 20 WAServ2003 20 netmask 255.255.255.255 0 0

Regards,

Tim
