Microsoft ISA and PIX 515

abuaqel
Level 1

Hi everyone. I've installed a Cisco PIX 515E firewall and everything was perfect. Suddenly, I found that I am not able to download anything from FTP sites in my inside network (I was able to when I first installed it and I didn't change anything). I have an ISA server behind my firewall. If I disable the proxy settings from an inside workstation the download works fine. Is it possible that there is some problem when we connect the PIX to ISA? I had the ISA before the PIX and everything was working fine. On the ISA server itself I can download anything I want. The PIX is the gateway for the ISA server. I tried using the "no fixup protocol ftp 21" but didn't get any results. By the way I haven't used the DMZ yet (my mail server is currently in the inside part).

Please advise me. Below are the headlines of the configuration. Thanks.

fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol ftp 21
access-list smtp permit tcp any host <inside_mail_server_ip_address> eq smtp
global (outside) 1 <global_ip_address> netmask x.x.x.x
global (dmz) 1 z.z.z.z
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) <global_ip_address> <ISA_server_local_ip> netmask 255.255.255.255 0 0
static (inside,dmz) z.z.z.z <ISA_server_local_IP> netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 <router_ip_address> 1

5 Replies

smalkeric
Level 6

Check your access list and see if you are permitting FTP traffic.

Hello. The only access-list I am using is the one permitting smtp traffic to go inside to the mail server; it is shown in the posted configuration and it is working fine. Do I have to put an access-list to permit FTP traffic to the ISA server? If yes, what ports should I use other than port 21? Do I make the destination of the access-list the ISA server? Thanks.

If you are using 'no fixup protocol ftp 21' you are running into trouble.

Instead set this command to 'fixup protocol ftp 21'

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/df.htm#1067379

Also you could rename 'access-list smtp' to something less confusing like 'access-list outside_access'

and apply it to the outside interface with:

access-group outside_access in interface outside
access-list outside_access permit tcp any host < eq 21
access-group smtp in interface outside
static (interface of your isa server, outside) netmask 255.255.255.255 0 0

Mike

Sorry I made a mistake on prev msg

Access-list should be

access-list outside_access permit tcp any host < eq 21

yizhar
Level 1

Hi.

> tried using the "no fixup protocol ftp 21"

This is wrong.

You should enable the fixup protocol ftp command because this command instructs the pix to monitor the ftp sessions, and open additional ports as needed for the data session.

You should try using syslog messages at the pix (I recommend starting with level 4 warnings), and see if the traffic is blocked at the pix or not.

> If I disable the proxy settings from an inside workstation the download works fine...

So the problem might be related to the ISA proxy configuration and not to the pix.

Check the ISA server event logs.

The problems might also be related to the following articles, but I would check the ISA proxy configuration first:

http://www.cisco.com/warp/public/110/2.html

http://www.cisco.com/warp/public/110/21.html

Bye

Yizhar Hurwitz

http://teachers.sivan.co.il/yizhar
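As an added illustration of what the FTP fixup described above actually does (this is example code written for this thread, not Cisco code and not from any reply), the following Python parses an FTP control channel the way an inspector would: it reads PASV replies and PORT commands, decodes the h1,h2,h3,h4,p1,p2 encoding, and derives the data-channel pinholes the firewall must open for the transfer. The control-channel lines and the client/server addresses are constructed for the example.

```python
import re

# Constructed sample of an FTP control channel (port 21) as the inspector
# sees it: client 192.168.1.10 on the inside, server 203.0.113.5 outside.
# Both transfer modes appear: passive (server names the data endpoint) and
# active (client names the endpoint the server must connect back to).
SAMPLE_CONTROL_CHANNEL = [
    ("client", "USER anonymous"),
    ("server", "230 Login successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,5,195,80)."),
    ("client", "RETR file1.zip"),
    ("client", "PORT 192,168,1,10,8,16"),
    ("server", "200 PORT command successful."),
    ("client", "RETR file2.zip"),
]

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _endpoint(groups):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def ftp_pinholes(messages, client_ip, server_ip):
    """Return the data connections an FTP inspector would permit, as
    (source_ip, dest_ip, dest_port, mode) tuples, by watching port 21."""
    pinholes = []
    for side, line in messages:
        pasv = PASV_RE.match(line) if side == "server" else None
        port = PORT_RE.match(line) if side == "client" else None
        if pasv:
            ip, dport = _endpoint(pasv.groups())
            # passive: client opens the data connection outbound to server
            pinholes.append((client_ip, ip, dport, "passive"))
        elif port:
            ip, dport = _endpoint(port.groups())
            # active: server connects inbound to the client's chosen port
            pinholes.append((server_ip, ip, dport, "active"))
    return pinholes


def inbound_pinholes(pinholes, inside_prefix):
    """Pinholes whose destination is inside: these are the connections a
    'permit outbound, deny inbound' policy drops unless inspection opens them."""
    return [p for p in pinholes if p[1].startswith(inside_prefix)]
```

Without the fixup, only the control channel benefits from the outbound permit; the active-mode data connection returned by inbound_pinholes arrives from outside and is dropped, which is the failure the replies above describe.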
