Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Microsoft ISA and PIX 515

Hi everyone. I've installed a Cisco PIX 515E firewall and everything was perfect. Suddenly, I found that I am not able to download anything from FTP sites in my inside network (I was able to when I first installed it and I didn't change anything). I have an ISA server behind my firewall. If I disable the proxy settings from an inside workstation the download works fine. Is it possible that there is some problem when we connect the PIX to ISA? I had the ISA before the PIX and everything was working fine. On the ISA server itself I can download anything I want. The PIX is the gateway for the ISA server. I tried using the "no fixup protocol ftp 21" but didn't get any results. By the way I haven't used the DMZ yet (my mail server is curently in the inside part).

Please advice me. Below are the headlines of the configuration. Thanks.

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol ftp 21

access-list smtp permit tcp any host <inside_mail_server_ip_address> eq smtp

global (outside) 1 <global_ip_address> netmask x.x.x.x

global (dmz) 1 z.z.z.z

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) <global_ip_address> <ISA_server_local_ip> netmask 255.255.255.255 0

0

static (inside,dmz) z.z.z.z <ISA_server_local_IP> netmask 255.255.255.255 0 0

access-group smtp in interface outside

route outside 0.0.0.0 0.0.0.0 <router_ip_address> 1

5 REPLIES
Silver

Re: Microsoft ISA and PIX 515

Check your access list and see if you are permitting FTP traffic.

New Member

Re: Microsoft ISA and PIX 515

Hello. The only access-list I am using is the one permitting smtp traffic to go inside to the mail server, it is shown in the posted configuration and it is working fine. Do I have to put an access-list to permit FTP traffic to the ISA server? If yes what ports should I use else than port 21? Do I make the destination of the access-list the ISA server? Thanks.

New Member

Re: Microsoft ISA and PIX 515

If you are using of using 'no fixup protocol ftp 21' You are running into troubles.

Instead set this command to 'fixup protocol ftp 21'

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/df.htm#1067379

Also You could rename 'access-list smtp' to something less confusing like 'access-list outside_access'

and apply it to the outside interface with:

access-group outside_access in interface outside

access-list outside_access permit tcp any host < eq 21

access-group smtp in interface outside

static (interface of your isa server, outside) netmask 255.255.255.255 0 0

Mike

New Member

Re: Microsoft ISA and PIX 515

Sorry I made a mistake on prev msg

Access-list sould be

access-list outside_access permit tcp any host < eq 21

New Member

Re: Microsoft ISA and PIX 515

HI.

> tried using the "no fixup protocol ftp 21"

This is wrong.

You should enable the fixup protocol ftp command because this command instructs the pix to monitor the ftp sessions, and open additional ports as needed for the data session.

You should try using syslog messages at the pix (I recommend starting with level 4 warnings), and see if the traffic is blocked at the pix or not.

> If I disable the proxy settings from an inside workstation the download works fine...

So the problem might be related to the ISA proxy configuration and not to the pix.

Check the ISA server event logs.

The problems might also be related to the following articles, but I would check the ISA proxy configuration first:

http://www.cisco.com/warp/public/110/2.html

http://www.cisco.com/warp/public/110/21.html

Bye

Yizhar Hurwitz

http://teachers.sivan.co.il/yizhar

100
Views
0
Helpful
5
Replies
CreatePlease login to create content