03-23-2004 11:54 AM - edited 03-09-2019 06:51 AM
Can someone look at my config? I can FTP out from the inside interface, but not from the DMZ. I don't see what the difference would be.
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password XXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
hostname pix515
domain-name mydomain.com
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol ftp 21
names
access-list allow-in permit tcp any host a.b.c.73 eq 443
access-list allow-in permit tcp any host a.b.c.75 eq 1723
access-list allow-in permit gre any host a.b.c.75
access-list allow-in permit tcp host 131.183.23.158 host a.b.c.76 eq 22
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 135
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 389
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 636
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 3268
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 3269
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq domain
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 88
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 445
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq 389
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq domain
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq 88
access-list dmz-in permit tcp host 10.0.0.2 any eq www
access-list dmz-in permit tcp host 10.0.0.2 any eq domain
access-list dmz-in permit udp host 10.0.0.2 any eq domain
access-list dmz-in permit udp host 10.0.0.2 any eq 443
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 12000
access-list dmz-in permit udp host 10.0.0.2 host 192.168.20.2 eq 12000
access-list dmz-in permit tcp host 10.0.0.2 any eq 443
access-list nonat permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside a.b.c.74 255.255.255.248
ip address inside 192.168.20.1 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) a.b.c.75 192.168.20.2 netmask 255.255.255.255 0 0
static (dmz,outside) a.b.c.73 10.0.0.2 netmask 255.255.255.255 0 0
access-group allow-in in interface outside
access-group dmz-in in interface dmz
route outside 0.0.0.0 0.0.0.0 a.b.c.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 63.164.246.48 255.255.255.248 outside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet 192.168.20.0 255.255.255.0 inside
telnet 10.0.0.2 255.255.255.255 dmz
telnet timeout 5
ssh 63.164.246.48 255.255.255.248 outside
ssh 131.183.23.0 255.255.255.0 outside
ssh 63.127.60.128 255.255.255.255 outside
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
03-23-2004 12:13 PM
You do not appear to have an access-list in place allowing for FTP outbound.
Recommendation: apply an ACL allowing FTP from the DMZ host to 'any' (or a specific host).
Notes: the 'inside' network can access FTP outbound, for there is no ACL applied that restricts traffic. On the other hand, an ACL is applied on the DMZ which basically limits/restricts traffic.
Hope this helps.
03-23-2004 12:18 PM
I guess I don't see where I am restricting outbound traffic from the DMZ, but not from the inside network. Where is the ACL restricting outbound traffic? Thanks for your help.
03-23-2004 12:26 PM
Due to the 'non-existence' of an ACL allowing you to 'ftp' from the DMZ network to anywhere, you are essentially restricting outbound traffic, for there is an explicit 'deny any any' at the end of ACL entries. Review your 'access-list dmz-in' list; notice that there is no service for ftp.
Try this:
access-list dmz-in permit tcp host 10.0.0.2 any eq ftp
*You are _not_ restricting outbound from the inside due to the 'non-existence' of a single access-list entry tied to the 'inside' interface. In this scenario, the high security level of 100 for the inside interface allows all traffic from the 'inside' network access to all the networks the firewall is attached to.
Hope this helps. :)
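A small simulator of the two PIX rules this answer relies on, added here as an example and not part of the thread: an interface with an access-group applied ends in an implicit deny, while an interface without one (the inside here) passes traffic from a higher security level to a lower one. It parses a constructed subset of the poster's dmz-in entries and shows FTP from 10.0.0.2 being denied until the suggested line is added; the destination addresses used in the checks are made up.

```python
import ipaddress

# Constructed from the thread's config: security levels, applied access-groups,
# and a subset of the dmz-in entries (the allow-in list is not needed here).
SECURITY = {"outside": 0, "inside": 100, "dmz": 50}
ACCESS_GROUPS = {"dmz": "dmz-in", "outside": "allow-in"}
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21}
DMZ_IN = """
access-list dmz-in permit tcp host 10.0.0.2 host 192.168.20.2 eq 135
access-list dmz-in permit tcp host 10.0.0.2 any eq www
access-list dmz-in permit tcp host 10.0.0.2 any eq domain
access-list dmz-in permit udp host 10.0.0.2 any eq domain
access-list dmz-in permit tcp host 10.0.0.2 any eq 443
"""

def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        name, action, proto = t[1], t[2], t[3]
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def permitted(acls, in_if, out_if, proto, src, dst, dport):
    """Is a flow entering in_if and leaving out_if allowed? Mirrors the two PIX rules."""
    name = ACCESS_GROUPS.get(in_if)
    if name is None:
        # No access-group on this interface: higher security level may reach lower ones.
        return SECURITY[in_if] > SECURITY[out_if]
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port in acls.get(name, []):  # first match wins
        if p == proto and s_ip in s and d_ip in d and port in (None, dport):
            return action == "permit"
    return False  # implicit deny at the end of every applied access-list
```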
03-23-2004 12:30 PM
Thanks! That was it.
03-23-2004 01:23 PM
Woohoo! My first rating. Thanks. =)
03-23-2004 12:19 PM
Additional notes:
For optimal performance, hard-set your interface to the speed you are using and avoid using 'auto' as much as possible. Run a 'sh int (hw_id)' on your interfaces and check what speed it configured itself to, then hard-set the speed by running 'int (hw_id) {10half | 10full | 100half | 100full}'.
For enhanced security, remove your 'telnet' lines. You already have 'ssh' configured for the same 192.168.x.x network. Do the same for 10.x.x.x network.