03-13-2002 02:20 PM - edited 02-20-2020 10:00 PM
I am running PIX 5.3(1) and I recently changed all conduit permit statements to access-lists. The problem I am now having is that when I try to access my FTP server on my internal network from outside, I cannot get through the PIX. This setup was working before the change. Below is a partial config. Anyone have any suggestions?
PIX Version 5.3(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
access-list 101 permit tcp any host 63.142.xxx.xxx eq www
access-list 101 permit tcp any host 63.142.xxx.xxx eq ftp
access-list 101 permit tcp any host 63.142.xxx.xxx eq telnet
access-list 101 permit tcp any host 63.142.xxx.xxx eq smtp
access-list 101 permit tcp any host 63.142.xxx.xxx eq pop3
access-list 101 permit tcp any host 63.142.xxx.xxx eq 9010
access-list 101 permit tcp any host 63.142.xxx.xxx eq 8001
access-list 101 permit tcp any host 65.36.xxx.xxx eq ftp
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 63.142.xxx.xxx 255.255.xxx.xxx
ip address inside 10.2.8.1 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
global (outside) 1 63.142.xxx.xxx-63.142.xxx.xxx netmask 255.255.255.240
global (outside) 1 63.142.xxx.xxx netmask 255.255.255.240
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 63.142.xxx.xxx 10.2.8.15 netmask 255.255.255.255 0 0
static (inside,outside) 63.142.xxx.xxx 10.2.8.19 netmask 255.255.255.255 0 0
static (inside,outside) 65.36.xxx.xxx 10.3.8.11 netmask 255.255.255.255 0 0
static (inside,outside) 63.142.xxx.xxx 10.2.8.13 netmask 255.255.255.255 0 0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 63.142.xxx.xxx 1
route inside 10.1.8.0 255.255.255.0 10.2.8.10 1
route inside 10.3.8.0 255.255.255.0 10.2.8.10 1
Thanks
03-13-2002 05:20 PM
Change the access-list entry to permit ftp AND ftp-data.
access-list 101 permit tcp any host xxx.xxx.xxx.xxx range ftp ftp-data
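An added example, not from the thread, that models PIX first-match access-list evaluation in Python so you can check what a given entry actually permits before applying it; it shows that the original `eq ftp` entry leaves port 20 (ftp-data) denied, while the `range ftp ftp-data` form permits both. The addresses are constructed documentation-range placeholders for the masked ones in the post, and the range-order normalization is an assumption.

```python
"""Minimal first-match evaluator for PIX-style extended access-list lines."""
import ipaddress

# Subset of the well-known port names accepted in PIX access-list syntax.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "www": 80, "pop3": 110}

def port(tok):
    """Resolve a named or numeric port token to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A MASK' and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """access-list <id> permit|deny <proto> <src> <dst> [eq P | range P1 P2]"""
    t = line.split()
    action, proto = t[2], t[3]
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    lo, hi = 0, 65535                      # no port qualifier: all ports
    if rest and rest[0] == "eq":
        lo = hi = port(rest[1])
    elif rest and rest[0] == "range":
        # Assumption: treat the range as inclusive regardless of token order.
        lo, hi = sorted((port(rest[1]), port(rest[2])))
    return {"action": action, "proto": proto, "src": src, "dst": dst, "lo": lo, "hi": hi}

def evaluate(acl_lines, proto, src_ip, dst_ip, dst_port):
    """Walk the list top-down; first match wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if s in ace["src"] and d in ace["dst"] and ace["lo"] <= dst_port <= ace["hi"]:
            return ace["action"]
    return "deny"

# Constructed placeholders standing in for the masked 63.142.xxx.xxx FTP server.
FTP_SERVER = "203.0.113.15"
ORIGINAL = [f"access-list 101 permit tcp any host {FTP_SERVER} eq ftp"]
CORRECTED = [f"access-list 101 permit tcp any host {FTP_SERVER} range ftp ftp-data"]

def check(acl, client="198.51.100.7"):
    """Result of the ACL for an outside client hitting ports 20 and 21 on the server."""
    return {p: evaluate(acl, "tcp", client, FTP_SERVER, p) for p in (20, 21)}
```

Running `check(ORIGINAL)` versus `check(CORRECTED)` makes the difference visible before the change touches a live outside interface.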
03-14-2002 02:29 AM
Thanks, works great.