Enabling FTP and NNTP in PIX 525

DarlienDA
Level 1

How do I enable FTP and NNTP on the inside of my firewall?

At this moment, all users on the inside cannot open FTP and NNTP connections to the outside.

I have tried several methods but none of them worked.

Are there any other commands that I forgot to put in?

I have added these commands but it still hasn't worked.

access-list inside_access_in permit tcp any any eq ftp
access-list inside_access_in permit tcp any any eq ftp-data
access-list inside_access_in permit tcp any any eq telnet
access-list inside_access_in permit tcp any any eq nntp
access-list outside_access_in permit tcp any any eq nntp
access-list outside_access_in permit tcp any any eq ftp
access-list outside_access_in permit tcp any any eq ftp-data

Best Regards...

4 Replies

Patrick Iseli
Level 7

If you permit the FTP and NNTP protocols on the inside interface you do not need to add an access-list on the outside interface; it is even dangerous, as you open those ports to the whole Internet community.

So remove that access-list:

no access-list outside_access_in permit tcp any any eq nntp
no access-list outside_access_in permit tcp any any eq ftp
no access-list outside_access_in permit tcp any any eq ftp-data

Your inside access-list looks fine, but it is better to be more specific and not use < any any >.

example:

access-list inside_access_in permit tcp InsideNet InsideSubnetMask any eq ftp
access-list inside_access_in permit tcp InsideNet InsideSubnetMask any eq ftp-data
access-list inside_access_in permit tcp InsideNet InsideSubnetMask any eq telnet
access-list inside_access_in permit tcp InsideNet InsideSubnetMask any eq nntp

Verify that you have the access-group on the right interface.

access-group inside_access_in in interface inside

If you have also changed the NAT (Network Address Translation) then clear the translation table:

Note that this resets all connections!

clear xlate

Hope that helps?

Patrick

I have tried what you said, Patrick, but I still cannot open my newsgroup or FTP to my external website to update it.

Is there something that I missed? Here is a sample of my firewall configuration...

access-list inside_access_in deny tcp any any eq 4662
access-list inside_access_in deny tcp any any object-group IRCPort
access-list inside_access_in deny tcp any any object-group P2P-BitComet
access-list inside_access_in permit icmp 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list inside_access_in permit ip 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list inside_access_in permit icmp 192.168.0.0 255.255.0.0 any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit icmp 10.88.0.0 255.255.0.0 any
access-list inside_access_in permit ip any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq ftp
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq ftp-data
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq nntp
access-list inside_access_in permit tcp 10.88.0.0 255.255.0.0 any eq telnet
access-list dmz_access_in permit icmp 10.88.88.0 255.255.255.0 10.88.0.0 255.255.0.0
access-list dmz_access_in permit ip 10.88.88.0 255.255.255.0 10.88.0.0 255.255.0.0
access-list dmz_access_in permit tcp 10.88.88.0 255.255.255.0 any
access-list dmz_access_in permit ip 10.88.88.0 255.255.255.0 any
access-list nonat permit ip 10.88.0.0 255.255.0.0 10.88.88.0 255.255.255.0
access-list nonat permit ip 10.88.0.0 255.255.0.0 10.88.99.0 255.255.255.0
access-list outside_access_in permit icmp any any
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any interface outside eq domain
access-list outside_access_in permit udp any interface outside eq domain
access-list outside_access_in permit tcp any interface outside eq www
access-list outside_access_in permit tcp any interface outside eq 3389
access-list outside_access_in permit tcp any interface outside eq 3300
access-list outside_access_in permit tcp any interface outside eq 3311
access-list outside_access_in permit tcp any interface outside eq 3322
access-list outside_access_in permit tcp host TricubesKL interface outside eq 3389
access-list outside_access_in permit tcp host TricubesKL interface outside eq 3300
access-list outside_access_in permit tcp host TricubesKL interface outside eq 3311
access-list outside_access_in permit tcp host TricubesKL interface outside eq 3322
nat (inside) 0 access-list nonat
nat (inside) 1 10.88.0.0 255.255.0.0 0 0
nat (inside) 1 192.168.0.0 255.255.0.0 0 0
nat (dmz) 1 10.88.88.0 255.255.255.0 0 0
static (dmz,outside) tcp interface smtp exchange smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface domain dns-web domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface www dns-web www netmask 255.255.255.255 0 0
static (dmz,outside) udp interface domain dns-web domain netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3389 IBMConsole 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3300 PCONE 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3311 PCTWO 3389 netmask 255.255.255.255 0 0
static (dmz,outside) tcp interface 3322 PCTHREE 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www Intranet www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz

Is one of the interfaces directly connected to the Internet? Try fixup tftp 69.

Hi guys,

Thanks for your support.

I finally found the cause of my problem.

Someone put an access list to deny NNTP and FTP inside my Cisco 3550.

I have been sabotaged.

Anyway, thanks so much guys...
