New Member

Getting errors after adding a static/conduit for internal ftp server

Hi all,

I added the following two commands to the PIX and outside users were subsequently able to connect to the internal FTP server (192.168.1.40). However, the syslog started to fill up with errors.

I am only using one global public address which is the PIX outside interface address (xxx.xxx.xxx.114) for everything.

Here are the two commands I added:

static (inside, outside) xxx.xxx.xxx.114 192.168.1.40

conduit permit tcp host xxx.xxx.xxx.114 eq ftp any

As soon as I did that, users could connect to ftp://xxx.xxx.xxx.114 but the IPSec and PPTP VPN connection attempts started to be rejected and the following errors accumulated in syslog:

Local4.Error 192.168.1.1 %PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.1.50/3962 dst outside:207.68.131.20/80

Local4.Critical 192.168.1.1 %PIX-2-106006: Deny inbound UDP from 150.208.72.154/123 to xxx.xxx.xxx.114/123 on interface outside

Local4.Critical 192.168.1.1 %PIX-2-106001: Inbound TCP connection denied from zzz.zzz.zzz.55/22258 to xxx.xxx.xxx.114/1723 flags SYN on interface outside

I since removed the static and conduit entries and all is back to normal but no FTP... help!
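The three syslog lines above are the whole evidence in this question, so here is a small parser for them, added as an illustration (not Cisco code and not from the poster). It extracts the message id, severity and 5-tuple from %PIX-2-106001, %PIX-2-106006 and %PIX-3-305006 messages and then counts inbound denies aimed at the firewall's own outside address by destination port, which is where denies against the VPN port (tcp/1723) and NTP (udp/123) stand out. The sample lines are the ones quoted in the post, with its masked addresses left as they are; the field names are this example's own.

```python
"""Parser for the PIX syslog lines quoted in the question (added example, not
Cisco code). Extracts message id, severity and 5-tuple from %PIX-2-106001,
%PIX-2-106006 and %PIX-3-305006, then groups inbound denies by destination port.
SAMPLE_LOG reproduces the post's lines, masked addresses included."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Generic header: "<facility>.<severity> <reporter> %PIX-<sev>-<msgid>: <text>"
HEADER = re.compile(r"^(?P<facility>\w+)\.(?P<sev_name>\w+)\s+(?P<reporter>\S+)\s+"
                    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$")

# Per-message-id body patterns for the three ids seen in the post.
BODY = {
    "106001": re.compile(r"Inbound (?P<proto>\w+) connection denied from (?P<src>\S+)/(?P<sport>\d+) "
                         r"to (?P<dst>\S+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\w+)"),
    "106006": re.compile(r"Deny inbound (?P<proto>\w+) from (?P<src>\S+)/(?P<sport>\d+) "
                         r"to (?P<dst>\S+)/(?P<dport>\d+) on interface (?P<iface>\w+)"),
    "305006": re.compile(r"portmap translation creation failed for (?P<proto>\w+) "
                         r"src (?P<src_if>\w+):(?P<src>\S+)/(?P<sport>\d+) "
                         r"dst (?P<dst_if>\w+):(?P<dst>\S+)/(?P<dport>\d+)"),
}

# Constructed sample: the three lines from the question, verbatim.
SAMPLE_LOG = """\
Local4.Error 192.168.1.1 %PIX-3-305006: portmap translation creation failed for tcp src inside:192.168.1.50/3962 dst outside:207.68.131.20/80
Local4.Critical 192.168.1.1 %PIX-2-106006: Deny inbound UDP from 150.208.72.154/123 to xxx.xxx.xxx.114/123 on interface outside
Local4.Critical 192.168.1.1 %PIX-2-106001: Inbound TCP connection denied from zzz.zzz.zzz.55/22258 to xxx.xxx.xxx.114/1723 flags SYN on interface outside
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a flat dict of fields, or None for lines that are not PIX messages."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    body = BODY.get(event["msgid"])
    if body:
        bm = body.search(event["text"])
        if bm:
            event.update(bm.groupdict())
    return event


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every recognisable line of a syslog capture."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def inbound_denies_by_port(events: List[Dict[str, str]], interface_ip: str) -> Counter:
    """Count 106001/106006 denies whose destination is the firewall's own outside
    address, keyed by (proto, dport). Denies on 1723 (PPTP) or 500 (ISAKMP) right
    after a static was added are the symptom the question describes."""
    c: Counter = Counter()
    for e in events:
        if e["msgid"] in ("106001", "106006") and e.get("dst") == interface_ip:
            c[(e["proto"].lower(), int(e["dport"]))] += 1
    return c


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e["msgid"], e.get("proto"), e.get("src"), "->", e.get("dst"), e.get("dport"))
    print(inbound_denies_by_port(evs, "xxx.xxx.xxx.114"))
```

Feeding a longer capture through parse_log and then inbound_denies_by_port gives a quick answer to "which ports on my interface address started getting denied when I added the static", which is the question the poster is really asking.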

2 REPLIES
New Member

Re: Getting errors after adding a static/conduit for internal ft

It seems to me that your problem is the fact that you're doing a full static IP translation when you should use port redirection. If you have PIX Firewall Software version 6.0 or higher, you can use the port redirection feature.

The command syntax is as follows:

static [(internal_if_name, external_if_name)] {tcp|udp} {global_ip|interface} global_port local_ip local_port [netmask mask] [max_conns [emb_limit [norandomseq]]]

In your case you should do something like this:

static (inside,outside) tcp interface ftp 192.168.1.40 ftp netmask 255.255.255.255

conduit permit tcp host xxx.xxx.xxx.114 eq ftp any

I have not tested this feature, but it should work since the translation will exist only for ftp and it should not have an impact on your IPSec connections.
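To make the difference between the two statics concrete, here is a toy model of how a PIX 6.x decides the fate of inbound packets given a static and a conduit, added as an illustration of the reply above. It is not Cisco code and leaves out most of the real xlate logic; it only captures the one point that matters here: a full static on the outside interface address owns every port of that address, so PPTP and IKE traffic addressed to the PIX itself is treated as inbound to the inside host and denied for lack of a conduit, and outbound PAT has no address left (the three syslog ids the question quotes). A tcp/21 port static claims only that one port. The addresses are constructed placeholders for the post's xxx.xxx.xxx.114, and the set of services the PIX terminates itself is assumed.

```python
"""Toy model of PIX 6.x inbound static/conduit processing (added example, not
Cisco code). Compares the poster's full static with the reply's port static for
the same traffic. Addresses are placeholders; the services assumed to run on the
PIX itself (PPTP tcp/1723, IKE udp/500, NTP udp/123) are an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

OUTSIDE_IF_IP = "203.0.113.114"   # placeholder for the post's xxx.xxx.xxx.114
FTP_SERVER = "192.168.1.40"

# Services terminated on the PIX's own outside address (assumption).
TO_THE_BOX: Set[Tuple[str, int]] = {("tcp", 1723), ("udp", 500), ("udp", 123)}


@dataclass(frozen=True)
class Static:
    global_ip: str
    local_ip: str
    proto: Optional[str] = None        # None => full (all-port) static
    global_port: Optional[int] = None
    local_port: Optional[int] = None

    def owns(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        """A full static owns every port of global_ip; a port static owns one."""
        if dst_ip != self.global_ip:
            return False
        return self.proto is None or (proto == self.proto and dst_port == self.global_port)


@dataclass(frozen=True)
class Conduit:
    proto: str
    global_ip: str
    port: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def inbound(statics: List[Static], conduits: List[Conduit], pkt: Packet) -> str:
    """Fate of a packet arriving on the outside interface."""
    for s in statics:
        if s.owns(pkt.proto, pkt.dst, pkt.dport):
            permitted = any(c.proto == pkt.proto and c.global_ip == pkt.dst and c.port == pkt.dport
                            for c in conduits)
            if not permitted:
                # The static claimed the port, so this is inbound to an inside host with
                # no conduit: denied (cf. %PIX-2-106001 / %PIX-2-106006 in the question).
                return "deny: static owns port, no conduit"
            lport = pkt.dport if s.local_port is None else s.local_port
            return f"translate -> {s.local_ip}:{lport}"
    if pkt.dst == OUTSIDE_IF_IP and (pkt.proto, pkt.dport) in TO_THE_BOX:
        return "to-the-box service"
    return "deny: no static, not a firewall service"


def outbound_pat(statics: List[Static], global_ip: str) -> str:
    """Outbound PAT needs free ports on global_ip; a full static leaves none
    (cf. %PIX-3-305006 portmap translation creation failed)."""
    if any(s.global_ip == global_ip and s.proto is None for s in statics):
        return "portmap translation creation failed"
    return f"pat via {global_ip}"


def compare() -> Dict[str, Dict[str, str]]:
    """Run the same constructed traffic against both configurations."""
    conduits = [Conduit("tcp", OUTSIDE_IF_IP, 21)]          # conduit permit tcp host <if> eq ftp any
    full = [Static(OUTSIDE_IF_IP, FTP_SERVER)]               # static (inside,outside) <if> 192.168.1.40
    port = [Static(OUTSIDE_IF_IP, FTP_SERVER, "tcp", 21, 21)]  # static ... tcp interface ftp 192.168.1.40 ftp
    traffic = {
        "ftp": Packet("tcp", "198.51.100.7", OUTSIDE_IF_IP, 21),
        "pptp": Packet("tcp", "198.51.100.55", OUTSIDE_IF_IP, 1723),
        "ntp": Packet("udp", "198.51.100.154", OUTSIDE_IF_IP, 123),
        "isakmp": Packet("udp", "198.51.100.9", OUTSIDE_IF_IP, 500),
    }
    out: Dict[str, Dict[str, str]] = {}
    for label, statics in (("full static", full), ("port static", port)):
        out[label] = {name: inbound(statics, conduits, p) for name, p in traffic.items()}
        out[label]["outbound pat"] = outbound_pat(statics, OUTSIDE_IF_IP)
    return out


if __name__ == "__main__":
    for label, fates in compare().items():
        print(label)
        for name, fate in fates.items():
            print(f"  {name:12s} {fate}")
```

Running compare() shows FTP reaching 192.168.1.40 under both configurations, while PPTP, IKE and NTP only reach the firewall itself, and outbound PAT only succeeds, under the port static.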

New Member

Re: Getting errors after adding a static/conduit for internal ft

Thank you so much! Now I understand, and it worked like a charm.
