03-12-2006 11:53 PM - edited 02-21-2020 12:46 AM
How do I enable FTP and NNTP on the inside of my firewall?
At this moment, all users on the inside cannot open FTP & NNTP to go to the outside.
I have tried several methods but all didn't work.
Are there any other commands that I forgot to put in?
I have added these commands but it still hasn't worked.
access-list inside_access_in permit tcp any any eq ftp
access-list inside_access_in permit tcp any any eq ftp-data
access-list inside_access_in permit tcp any any eq telnet
access-list inside_access_in permit tcp any any eq nntp
access-list outside_access_in permit tcp any any eq nntp
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ftp-data
Best Regards...
03-14-2006 10:17 AM
If you permit the FTP and NNTP protocols on the inside interface you do not need to add an access-list on the outside interface; it is even dangerous, as you open those ports to the whole Internet community.
So remove that access-list:
no access-list outside_access_in permit tcp any any eq nntp
no access-list outside_access_in permit tcp any any eq ftp
no access-list outside_access_in permit tcp any any eq ftp-data
Your inside access-list looks fine, but it is better to be more specific and not use < any any >.
Example:
access-list inside_access_in permit tcp InsideNet InsideSubnetMask any eq ftp
access-list inside_access_in permit tcp InsideNet InsideSubnetMask any eq ftp-data
access-list inside_access_in permit tcp InsideNet InsideSubnetMask any eq telnet
access-list inside_access_in permit tcp InsideNet InsideSubnetMask any eq nntp
Verify that you have the access-group on the correct interface.
access-group inside_access_in in interface inside
If you have also changed the NAT (Network Address Translation) then clear the translation table:
Note that this resets all connections!!!!
clear xlate
Hope that helps?
Patrick
03-15-2006 01:24 AM
I have tried what you said, Patrick, but I still cannot open my newsgroup and FTP to my external website to update.
Is there something that I missed? Here is a sample of my firewall...
access-list inside_access_in deny tcp any any eq 4662
access-list inside_access_in deny tcp any any object-group IRCPort
access-list inside_access_in deny tcp any any object-group P2P-BitComet
access-list inside_access_in permit icmp 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list inside_access_in permit ip 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list inside_access_in permit icmp 192.168.0.0 255.255.0.0 any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit icmp 10.88.0.0 255.255.0.0 any
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq ftp
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq ftp-data
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq nntp
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq telnet
access-list dmz_access_in permit icmp 10.88.88.0 255.255.255.0 10.88.0.0 255.255.0.0
access-list dmz_access_in permit ip 10.88.88.0 255.255.255.0 10.88.0.0 255.255.0.0
access-list dmz_access_in permit tcp 10.88.88.0 255.255.255.0 any
access-list dmz_access_in permit ip 10.88.88.0 255.255.255.0 any
access-list nonat permit ip 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list nonat permit ip 10.88.0.0 255.255.0.0 10.88.99.0 255.255.255.0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq domain
access-list outside_access_in permit udp any interface outside eq domain
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq 3300
access-list outside_access_in permit tcp any interface outside eq 3311
access-list outside_access_in permit tcp any interface outside eq 3322
access-list outside_access_in permit tcp host TricubesKL interface outside eq 3389
access-list outside_access_in permit tcp host TricubesKL interface outside eq 3300
access-list outside_access_in permit tcp host TricubesKL interface outside eq 3311
access-list outside_access_in permit tcp host TricubesKL interface outside eq 3322
nat (inside) 0 access-list nonat
nat (inside) 1 10.88.0.0 255.255.0.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 10.88.88.0 255.255.255.0 0 0
static (dmz,outside) tcp interface smtp exchange smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface domain dns-web domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface www dns-web www netmask 255.255.255.255 0 0
static (dmz,outside) udp interface domain dns-web domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3389 IBMConsole 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3300 PCONE 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3311 PCTWO 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3322 PCTHREE 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Intranet www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
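Added example, not code from the thread or from Cisco: a small Python first-match evaluator for PIX-style access-list lines, run over an excerpt of the inside_access_in and outside_access_in entries posted above. It illustrates two things the thread states in prose. First, Patrick's point that the ftp/nntp lines on the outside interface are unnecessary and risky: with the outbound connection already permitted by the inside ACL, the posted outside ACL denies an arbitrary Internet host reaching an inside address on port 21, while the removed "permit tcp any any eq ftp" line would permit it. Second, why adding lines to the inside ACL had no visible effect: "permit ip any any" sits before the ftp and nntp entries, so those entries are shadowed and can never match. The object-group contents, the TricubesKL address and the firewall's outside address are not on the page and are constructed placeholders; only the first packet of a new connection is modelled, not the stateful return traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Well-known port names as they appear in PIX access-list syntax.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "telnet": 23, "nntp": 119,
              "smtp": 25, "domain": 53, "www": 80}

# Constructed stand-ins: the thread shows these names but not their definitions.
OBJECT_GROUPS = {"IRCPort": {6667}, "P2P-BitComet": {6881}}   # constructed
HOSTNAMES = {"TricubesKL": "198.51.100.7"}                      # constructed
OUTSIDE_IF = "203.0.113.1"                                      # constructed


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Set[int]]   # None means any destination port
    text: str


def _net(tokens, i):
    """Parse an address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        addr = HOSTNAMES.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(addr + "/32"), i + 2
    if tok == "interface":        # "interface outside": the firewall's own address
        return ipaddress.ip_network(OUTSIDE_IF + "/32"), i + 2
    # "network mask" form, e.g. 10.88.0.0 255.255.0.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _ports(tokens, i):
    """Parse the optional trailing 'eq PORT' or 'object-group NAME' qualifier."""
    if i >= len(tokens):
        return None
    if tokens[i] == "eq":
        name = tokens[i + 1]
        return {PORT_NAMES[name] if name in PORT_NAMES else int(name)}
    if tokens[i] == "object-group":
        return set(OBJECT_GROUPS.get(tokens[i + 1], set()))
    raise ValueError(f"unsupported qualifier: {' '.join(tokens[i:])}")


def parse_acl(config: str, name: str):
    """Collect the entries of one named access-list, in configured order."""
    acl = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != name:
            continue
        src, i = _net(t, 4)
        dst, i = _net(t, i)
        acl.append(Ace(t[2], t[3], src, dst, _ports(t, i), line.strip()))
    return acl


def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation of a new connection's first packet, with the
    implicit deny at the end of every PIX access-list. Returns (action, line)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.ports is not None and dst_port not in ace.ports:
            continue
        return ace.action, ace.text
    return "deny", None


def shadowed(acl):
    """Entries that can never match because an earlier entry already covers
    every packet they describe (a common reason an added line has no effect)."""
    out = []
    for i, a in enumerate(acl):
        for b in acl[:i]:
            if (b.proto in ("ip", a.proto)
                    and a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
                    and (b.ports is None
                         or (a.ports is not None and a.ports <= b.ports))):
                out.append(a.text)
                break
    return out


# Excerpt of the inside ACL as posted in the thread (order preserved).
INSIDE = parse_acl("""
access-list inside_access_in deny tcp any any eq 4662
access-list inside_access_in deny tcp any any object-group IRCPort
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq ftp
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq nntp
""", "inside_access_in")

# Excerpt of the posted outside ACL: only services published via static NAT.
OUTSIDE_POSTED = parse_acl("""
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp host TricubesKL interface outside eq 3389
""", "outside_access_in")

# The same ACL with the line Patrick told the poster to remove.
OUTSIDE_WITH_FTP = OUTSIDE_POSTED + parse_acl(
    "access-list outside_access_in permit tcp any any eq ftp", "outside_access_in")
```

evaluate(INSIDE, "tcp", "10.88.1.5", "192.0.2.10", 21) is permitted by "permit ip any any", and shadowed(INSIDE) lists the ftp and nntp entries behind it, which is why editing them changed nothing. evaluate(OUTSIDE_POSTED, "tcp", "198.51.100.7", "10.88.5.5", 21) falls through to the implicit deny, whereas OUTSIDE_WITH_FTP permits that same inbound connection from any source.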
03-22-2006 07:42 PM
Is one of the interfaces directly connected to the Internet? Try fixup tftp 69
03-23-2006 04:30 PM
Hi guys,
Thanks for your support.
I finally found the cause of my problem.
Someone put an access list to deny NNTP and FTP inside my Cisco 3550.
I have been sabotaged.
Anyway, thanks so much guys...