
can't ftp from dmz

admin_2 (Level 3)

Can someone look at my config? I can FTP out from the inside interface, but not from the dmz. I don't see what the difference would be.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
hostname pix515
domain-name mydomain.com
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 21
names
access-list allow-in permit tcp any host a.b.c.73 eq 443
access-list allow-in permit tcp any host a.b.c.75 eq 1723
access-list allow-in permit gre any host a.b.c.75
access-list allow-in permit tcp host 131.183.23.158 host a.b.c.76 eq 22
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 135
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 389
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 636
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 3268
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 3269
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq domain
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 88
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 445
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq 389
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq domain
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq 88
access-list dmz-in permit tcp host 10.0.0.2 any eq www
access-list dmz-in permit tcp host 10.0.0.2 any eq domain
access-list dmz-in permit udp host 10.0.0.2 any eq domain
access-list dmz-in permit udp host 10.0.0.2 any eq 443
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 12000
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq 12000
access-list dmz-in permit tcp host 10.0.0.2 any eq 443
access-list nonat permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside a.b.c.74 255.255.255.248
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.b.c.75 192.168.20.2 netmask 255.255.255.255 0 0
static (dmz,outside) a.b.c.73 10.0.0.2 netmask 255.255.255.255 0 0
access-group allow-in in interface outside
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 a.b.c.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 63.164.246.48 255.255.255.248 outside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.20.0 255.255.255.0 inside
telnet 10.0.0.2 255.255.255.255 dmz
telnet timeout 5
ssh 63.164.246.48 255.255.255.248 outside
ssh 131.183.23.0 255.255.255.0 outside
ssh 63.127.60.128 255.255.255.255 outside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX


6 Replies

revangelista (Level 1)

You do not appear to have an access-list in place allowing FTP outbound.

Recommendation: apply an ACL allowing FTP from the dmz host to 'any' (or a specific host).

Notes: the 'inside' network can access FTP outbound, for there is no ACL applied that restricts traffic. On the other hand, an ACL is applied on the dmz, which basically limits/restricts traffic.

hope this helps.

admin_2 (Level 3)

I guess I don't see where I am restricting outbound traffic from the dmz, but not from the inside network. Where is the ACL restricting outbound traffic? Thanks for your help.

revangelista (Level 1), accepted solution

Due to the 'non-existence' of an ACL allowing you to 'ftp' from the DMZ network to anywhere, you are essentially restricting outbound traffic, for there is an explicit 'deny any any' at the end of ACL entries. Review your 'access-list dmz-in' list and notice that there is no service for FTP.

Try this:

access-list dmz-in permit tcp host 10.0.0.2 any eq ftp

*You are _not_ restricting outbound from the inside due to the 'non-existence' of a single access-list entry tied to the 'inside' interface. In this scenario, the high security level of 100 for the inside interface allows all traffic from the 'inside' network access to all the networks the firewall is attached to.

Hope this helps. :)
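To make the two rules in this answer checkable, here is an added example (not code from the thread or from Cisco): a small Python evaluator that parses the relevant lines of the posted config and reports whether a new connection would be permitted. It implements exactly the semantics the answer describes: an interface with no access-group may only send toward a lower security level, while an interface with an access-group is governed by that list alone, ending in an implicit deny. The a.b.c.x addresses are replaced by the 203.0.113.0/24 documentation range and 198.51.100.10 stands for an arbitrary Internet FTP server; both are assumptions for the example. NAT is ignored, which is acceptable here because on PIX 6.x the ACL on the outside interface matches the global (static) address anyway.

```python
"""Added example (not from the thread): a toy evaluator for the two PIX 6.x rules
behind the accepted answer. (1) No access-group on an interface: new connections
may only go toward a LOWER security level. (2) An access-group applied inbound:
the list alone decides, first match wins, unmatched traffic hits the implicit
deny at the end. NAT is ignored (on 6.x the outside ACL matches global addresses).
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: relevant lines of the posted config, with the a.b.c.x
# placeholders replaced by the 203.0.113.0/24 documentation range (assumption).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list allow-in permit tcp any host 203.0.113.73 eq 443
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 389
access-list dmz-in permit tcp host 10.0.0.2 any eq www
access-list dmz-in permit tcp host 10.0.0.2 any eq domain
access-list dmz-in permit udp host 10.0.0.2 any eq domain
access-list dmz-in permit tcp host 10.0.0.2 any eq 443
ip address outside 203.0.113.74 255.255.255.248
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
access-group allow-in in interface outside
access-group dmz-in in interface dmz
"""
PORT_NAMES = {"ftp": 21, "www": 80, "domain": 53, "https": 443}
Ace = namedtuple("Ace", "action proto src dst dport")   # dport None = any port


@dataclass
class PixConfig:
    security: dict = field(default_factory=dict)   # iface -> security level
    networks: dict = field(default_factory=dict)   # iface -> connected network
    acls: dict = field(default_factory=dict)       # acl name -> [Ace, ...]
    applied: dict = field(default_factory=dict)    # iface -> inbound acl name


def _addr(tok):
    """Consume one address spec ('any' | 'host A' | 'A MASK'); return (net, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse(text):
    cfg = PixConfig()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                  # nameif ethernet2 dmz security50
            cfg.security[t[2]] = int(t[3][len("security"):])
        elif t[:2] == ["ip", "address"]:      # ip address dmz 10.0.0.1 255.255.255.0
            cfg.networks[t[2]] = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "access-list":           # access-list NAME permit PROTO SRC DST [eq PORT]
            src, rest = _addr(t[4:])
            dst, rest = _addr(rest)
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            cfg.acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":          # access-group NAME in interface IFACE
            cfg.applied[t[4]] = t[1]
    return cfg


def _egress(cfg, dst):
    """Connected interface for dst, else the lowest-security interface
    (assumption: the default route points at outside, as in the posted config)."""
    for iface, net in cfg.networks.items():
        if dst in net:
            return iface
    return min(cfg.security, key=cfg.security.get)


def allowed(cfg, ingress, proto, src, dst, dport=None):
    """Decide a new connection arriving on `ingress`; returns (bool, reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg.applied.get(ingress)
    if acl is None:                           # rule 1: security levels only
        egress = _egress(cfg, dst)
        if cfg.security[ingress] > cfg.security[egress]:
            return True, f"no ACL on {ingress}: {ingress} -> {egress} is higher-to-lower"
        return False, f"no ACL on {ingress}: {ingress} -> {egress} is not higher-to-lower"
    for n, ace in enumerate(cfg.acls.get(acl, []), 1):   # rule 2: the list decides
        if (ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return ace.action == "permit", f"{acl} entry {n}: {ace.action}"
    return False, f"{acl}: no matching entry, implicit deny"


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print(allowed(cfg, "dmz", "tcp", "10.0.0.2", "198.51.100.10", 21))        # the failing FTP
    print(allowed(cfg, "inside", "tcp", "192.168.20.2", "198.51.100.10", 21))  # no ACL, 100 -> 0
    fixed = parse(SAMPLE_CONFIG + "access-list dmz-in permit tcp host 10.0.0.2 any eq ftp\n")
    print(allowed(fixed, "dmz", "tcp", "10.0.0.2", "198.51.100.10", 21))      # after the fix
```

On the real box the equivalent check is `show access-list dmz-in`: the hit count on the new `eq ftp` entry should increase on the next connection attempt, while a still-failing FTP with a zero hit count points at the match criteria, not the security levels. Because `fixup protocol ftp 21` is in the posted config, the inspection engine opens the data connection for both active and passive FTP once the control connection on port 21 is permitted; without the fixup, the data channel would need its own ACL entries (passive) or an inbound permit on the outside interface (active).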

admin_2 (Level 3)

Thanks! That was it.

revangelista (Level 1)

Woohoo! My first rating. Thanks. =)

revangelista (Level 1)

Additional notes:

For optimal performance, hard-set your interfaces to the speed you are using and avoid using 'auto' as much as possible. Run 'sh int (hw_id)' on your interfaces and check what speed each configured itself to, then hard-set the speed by running 'int (hw_id) {10half | 10full | 100half | 100full}'.

For enhanced security, remove your 'telnet' lines. You already have 'ssh' configured for the same 192.168.x.x network. Do the same for the 10.x.x.x network.
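The hardening this reply recommends, written out as PIX 6.x configuration with the weak lines beside their replacements. This is an added example, not from the thread or from Cisco: the `telnet`/`ssh` sources come from the posted config, the `100full` value is only an illustration of the speed setting, and the lines starting with `!` are annotations for the reader, not PIX commands.

```text
! before (from the posted config): clear-text management from both internal networks
telnet 192.168.20.0 255.255.255.0 inside
telnet 10.0.0.2 255.255.255.255 dmz

! after: remove telnet and allow SSH from the same sources
no telnet 192.168.20.0 255.255.255.0 inside
no telnet 10.0.0.2 255.255.255.255 dmz
ssh 10.0.0.2 255.255.255.255 dmz
! (ssh 192.168.20.0 255.255.255.0 inside is already in the posted config)

! SSH on 6.x needs an RSA key; 'hostname' and 'domain-name' are already set, as key generation requires
ca generate rsa key 1024
ca save all
show ca mypubkey rsa

! interface speed: check 'show interface ethernet2' first, then pin it (example value)
interface ethernet2 100full
```

Two caveats a practitioner would want before applying this: keep an existing management session open until an SSH login from each network has been verified, since removing the `telnet` lines from the wrong session locks you out; and remember that PIX 6.x SSH is version 1 only, so it is better than telnet but not a substitute for restricting management sources to the minimum, as the posted config already does per interface.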
