09-26-2001 07:16 AM - edited 03-08-2019 08:46 PM
I'm having problems connecting to an FTP server on the inside network. Here is the relevant config:
PIX Version 4.4(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
ip address outside 10.251.8.128 255.255.255.0
ip address inside 172.18.9.2 255.255.0.0
ip address pix/intf2 127.0.0.1 255.255.255.255
ip address pix/intf3 127.0.0.1 255.255.255.255
ip address pix/intf4 127.0.0.1 255.255.255.255
ip address pix/intf5 127.0.0.1 255.255.255.255
global (outside) 1 10.251.8.3-10.251.8.4 netmask 255.255.255.0
global (outside) 1 10.251.8.5 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.251.8.3 172.18.9.7 netmask 255.255.255.255 0 0
static (inside,outside) 10.251.8.4 172.18.9.24 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 10.251.8.3 eq ftp 10.251.4.118 255.255.254.0
conduit permit tcp host 10.251.8.3 eq ftp 10.251.4.138 255.255.254.0
conduit permit tcp host 10.251.8.3 eq ftp 10.251.4.203 255.255.254.0
conduit permit tcp host 10.251.8.3 eq ftp 10.251.22.119 255.255.254.0
conduit permit tcp host 10.251.8.3 eq ftp 10.251.5.108 255.255.254.0
conduit permit tcp host 10.251.8.4 eq 2155 10.251.4.147 255.255.254.0
conduit permit tcp host 10.251.8.4 eq 2155 10.251.4.218 255.255.254.0
outbound 1 deny 0.0.0.0 0.0.0.0 0 tcp
apply (inside) 1 outgoing_src
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
Two of the machines can access another server on the same network as the FTP machine, for another programme. Can anyone help? Thanks
P.S. I cannot ping the global address 10.251.8.3 but I can ping 10.251.8.4. There is a router on the outside int, 10.251.8.1 255.255.255.0, that joins the two networks.
09-26-2001 08:53 AM
You are using the same address in your statics that you are in your global statements.
global (outside) 1 10.251.8.3-10.251.8.4 netmask 255.255.255.0
static (inside,outside) 10.251.8.3 172.18.9.7 netmask 255.255.255.255 0 0
static (inside,outside) 10.251.8.4 172.18.9.24 netmask 255.255.255.255 0 0
Do you have address space that you can change the nat (inside) 1 statements to other than 10.251.8.3 & 10.251.8.4?
09-29-2001 06:53 AM
I thought the statics needed to use a global address to translate to the real IP address? Both networks are private networks so there's no problem in getting other addresses. What baffles me is that the 10.251.8.4 gets translated OK for a SQL connection?
I'm new to this firewall business, you see. Thanks for the reply.
My clients are on the other side of a router in a 10.251.4.x/23 network, and my outside firewall int is in the 10.251.8.x/24 network on my side of the router. I can ping the outside int address OK and the 10.251.8.4 global address, but not the 10.251.8.3 global address. Does this still point to what you suggest? Thanks,
10-01-2001 12:07 AM
For the static mappings you have to use global, public, addresses that aren't being used for NAT, PAT or anything else. You are using 2 addresses for NAT, do you have more public addresses free for your statics?
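The overlap the replies point to can be checked mechanically before a config is loaded. The following is an added example in Python, not code from the thread or from Cisco: it parses only the `global` and `static` line forms quoted above and reports every static whose mapped address falls inside a global pool on the same interface. The function name `find_overlaps` and the sample string are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the global and static lines quoted in the thread.
SAMPLE_CONFIG = """\
global (outside) 1 10.251.8.3-10.251.8.4 netmask 255.255.255.0
global (outside) 1 10.251.8.5 netmask 255.255.255.0
static (inside,outside) 10.251.8.3 172.18.9.7 netmask 255.255.255.255 0 0
static (inside,outside) 10.251.8.4 172.18.9.24 netmask 255.255.255.255 0 0
"""

# global (<if>) <nat_id> <first>[-<last>] ...
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ([\d.]+)(?:-([\d.]+))?")
# static (<real_if>,<mapped_if>) <mapped_ip> <real_ip> ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) ([\d.]+) ([\d.]+)")


def find_overlaps(config):
    """Return (static_line, global_line) pairs where the static's mapped
    address lies inside a global pool on the same interface."""
    pools, statics = [], []
    for line in config.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            ifc, _nat_id, first, last = m.groups()
            lo = ipaddress.IPv4Address(first)
            hi = ipaddress.IPv4Address(last) if last else lo
            pools.append((ifc, lo, hi, line))
        elif m := STATIC_RE.match(line):
            _real_ifc, mapped_ifc, mapped, _real = m.groups()
            statics.append((mapped_ifc, ipaddress.IPv4Address(mapped), line))
    return [(s_line, g_line)
            for ifc, addr, s_line in statics
            for g_ifc, lo, hi, g_line in pools
            if ifc == g_ifc and lo <= addr <= hi]


if __name__ == "__main__":
    for s_line, g_line in find_overlaps(SAMPLE_CONFIG):
        print(f"OVERLAP: {s_line!r} uses an address from pool {g_line!r}")
```

Run against the sample, it flags both statics against the 10.251.8.3-10.251.8.4 pool and neither against the 10.251.8.5 entry.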