Cannot access FTP server from outside interface

wayneknight
Level 1

I'm having problems connecting to an FTP server on the inside network. Here is the relevant config:

PIX Version 4.4(5)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol ftp 21

ip address outside 10.251.8.128 255.255.255.0

ip address inside 172.18.9.2 255.255.0.0

ip address pix/intf2 127.0.0.1 255.255.255.255

ip address pix/intf3 127.0.0.1 255.255.255.255

ip address pix/intf4 127.0.0.1 255.255.255.255

ip address pix/intf5 127.0.0.1 255.255.255.255

global (outside) 1 10.251.8.3-10.251.8.4 netmask 255.255.255.0

global (outside) 1 10.251.8.5 netmask 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 10.251.8.3 172.18.9.7 netmask 255.255.255.255 0 0

static (inside,outside) 10.251.8.4 172.18.9.24 netmask 255.255.255.255 0 0

conduit permit icmp any any

conduit permit tcp host 10.251.8.3 eq ftp 10.251.4.118 255.255.254.0

conduit permit tcp host 10.251.8.3 eq ftp 10.251.4.138 255.255.254.0

conduit permit tcp host 10.251.8.3 eq ftp 10.251.4.203 255.255.254.0

conduit permit tcp host 10.251.8.3 eq ftp 10.251.22.119 255.255.254.0

conduit permit tcp host 10.251.8.3 eq ftp 10.251.5.108 255.255.254.0

conduit permit tcp host 10.251.8.4 eq 2155 10.251.4.147 255.255.254.0

conduit permit tcp host 10.251.8.4 eq 2155 10.251.4.218 255.255.254.0

outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp

apply (inside) 1 outgoing_src

no rip outside passive

no rip outside default

no rip inside passive

no rip inside default

Two of the machines can access another server on the same network as the FTP machine, for another programme. Can anyone help? Thanks

P.S. I cannot ping the global address 10.251.8.3 but I can ping 10.251.8.4. There is a router on the outside int that is 10.251.8.1 255.255.255.0 that joins the two networks.

3 Replies

thompson
Level 1

You are using the same address in your statics that you are in your global statements.

global (outside) 1 10.251.8.3-10.251.8.4 netmask 255.255.255.0

static (inside,outside) 10.251.8.3 172.18.9.7 netmask 255.255.255.255 0 0

static (inside,outside) 10.251.8.4 172.18.9.24 netmask 255.255.255.255 0 0

Do you have address space that you can change the nat (inside) 1 statements to other than 10.251.8.3 & 10.251.8.4?

I thought the statics needed to use a global address to translate to the real IP address? Both networks are private networks so there's no problem in getting other addresses. What baffles me is that the 10.251.8.4 gets translated OK for a SQL connection?

I'm new to this firewall business you see, thanks for the reply,

My clients are on the other side of a router in a 10.251.4.x/23 network, my outside firewall int is in the 10.251.8.x/24 network on my side of the router. I can ping the outside int address OK and the 10.251.8.4 global address but not the 10.251.8.3 global address. Does this still point to what you suggest? Thanks,

For the static mappings you have to use global, public, addresses that aren't being used for NAT, PAT or anything else. You are using 2 addresses for NAT, do you have more public addresses free for your statics?
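
The overlap discussed in this thread can be checked mechanically. The following is an added example, not part of any reply above: it parses the `global` and `static` lines copied from the posted configuration and reports every static whose mapped address also falls inside a dynamic `global` pool on the same interface. The function names are hypothetical, and the parser handles only the command forms shown on this page.

```python
import ipaddress
import re

# Lines copied from the configuration posted in this thread.
PIX_CONFIG = """\
global (outside) 1 10.251.8.3-10.251.8.4 netmask 255.255.255.0
global (outside) 1 10.251.8.5 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.251.8.3 172.18.9.7 netmask 255.255.255.255 0 0
static (inside,outside) 10.251.8.4 172.18.9.24 netmask 255.255.255.255 0 0
"""

IP = r"(\d+(?:\.\d+){3})"
GLOBAL_RE = re.compile(rf"^global \((\S+)\) (\d+) {IP}(?:-{IP})?\b")
STATIC_RE = re.compile(rf"^static \((\S+),(\S+)\) {IP} {IP}\b")


def parse(config):
    """Return (pools, statics) parsed from global/static lines."""
    pools, statics = [], []
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            first = ipaddress.IPv4Address(m.group(3))
            # A single-address pool has no "-end" part.
            last = ipaddress.IPv4Address(m.group(4) or m.group(3))
            pools.append((m.group(1), int(m.group(2)), first, last))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(2), ipaddress.IPv4Address(m.group(3)),
                            ipaddress.IPv4Address(m.group(4))))
    return pools, statics


def find_overlaps(config):
    """List statics whose mapped address sits inside a global pool
    defined on the same (outside) interface."""
    pools, statics = parse(config)
    hits = []
    for out_if, mapped, real in statics:
        for pool_if, nat_id, first, last in pools:
            if out_if == pool_if and first <= mapped <= last:
                hits.append((str(mapped), str(real), nat_id, f"{first}-{last}"))
    return hits


if __name__ == "__main__":
    for mapped, real, nat_id, pool in find_overlaps(PIX_CONFIG):
        print(f"static {mapped} -> {real} overlaps global pool {nat_id} ({pool})")
```

Run against the posted configuration, it flags both statics (10.251.8.3 and 10.251.8.4) as lying inside the `global (outside) 1` range.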