New Member

FTP server access configuration help

All our users internally connect to the internet through the pix 515e firewall.

I've setup a ftp server on ip 192.168.0.49 and already configured the PIX for access. Users inside the office use the ip of 192.168.0.49 for access to the ftp site while users outside use the domain ftp.mmg-me.com to access the site.

The domain ftp.mmg-me.com is linked to our public ip.

The problem is users inside can only use the internal ip mentioned above. If they try to connect to the ftp via the domain ftp.mmg-me.com, it always times out. Hence, how can I config the firewall to let users inside use the domain name to connect to the ftp?

This was the command I issued to configure the firewall for ftp access:

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: FTP server access configuration help

Hello,

You have a couple of options here -

-If you want to use the alias command then your syntax should be as follows:

alias (inside) 192.168.0.49 80.227.104.242 255.255.255.255

-If you are running PIX 6.2 or above, my suggestion would be to edit your existing static with the "dns" keyword added as follows -

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.0

Thanks,

Mynul

9 REPLIES
New Member

Re: FTP server access configuration help

Found some info on Cisco's site itself - after a lot of searching.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#int

It seems I have to use the alias command.

Internal ip = 192.168.0.49

External ip = 80.227.104.242

Hence the alias command should be:

alias (inside) 80.227.104.242 192.168.0.49 255.255.255.255

Can someone correct me please?

Thanks.

CD

New Member

Re: FTP server access configuration help

Hi,

Yes, I in fact have PIX version 6.3.

If I do edit my existing static line, can people still access the ftp by the internal ip?

I would like to have it setup so people can either use the internal ip or external ip.

Thank you very much.

CD

p.s. How do I edit a line - is there a specific command?

New Member

Re: FTP server access configuration help

Also, does it matter if the 0 0 is not there at the end?

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.0

compared to my original

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0

Silver

Re: FTP server access configuration help

Hi,

>Also does it matter if the 0 0 is not there at the end

Depends on your requirement. If you don't put it while configuring, then it will apply the default.

Thanks,

Mynul

Silver

Re: FTP server access configuration help

Hello,

My answers are inline-

>If I do edit my existing static line, can people still access the ftp by the internal ip?

Yes, they will be able to use internal ip as well.

>How do I edit a line - is there a specific command?

Go to "config t", then execute "show static", then copy and paste your existing static and just add "no" in front of your static statement. Then add the static provided earlier.

Thanks,

Mynul

New Member

Re: FTP server access configuration help

Hi Mynul,

I replaced the static statement with this:

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.255 0 0

Still I cannot connect from within the office to the ftp ip of 80.227.104.242.

Silver

Re: FTP server access configuration help

Hi Sunil,

You will not be able to connect with the public ip, as both your server and client are on the inside. If the server were in a DMZ, tweaking the static a bit would help. Since the PIX cannot route the packet back out the same interface it received the packet on, this is not possible with the public ip. However, you should be able to connect to the server using the domain name of the FTP server: when the DNS query passes through the firewall, it will perform DNS doctoring, which will replace the public ip with the private one, so the client would always get the private ip. If it doesn't work with the DNS name, then perform an nslookup on the name and see if you get the private ip or not.

Please let me know the outcome. Thanks,

Mynul

New Member

Re: FTP server access configuration help

Mhoda:

Your alias command worked. I double checked it with a user over at www.expert-exchange.com and it is the right one:

http://www.experts-exchange.com/Security/Firewalls/Q_20885991.html

Thanks for all your help.

CD
