
New Member

pix 515 and FTP and Terminal services

Hi,

I have a 515 PIX and opened ports 21 and 3389 to allow a public subnet but for some reason it does not work and I wonder if somebody out there has a good working config for this; here is my config:

fixup protocol ftp 21

ip address outside x.x.x.130 255.255.255.192

ip address inside y.y.y.1 255.255.255.252

global (outside) 1 x.x.x.169-x.x.x.189

global (outside) 1 x.x.x.190

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) x.x.x.132 y.y.y.2 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.133 z.z.z.3 netmask 255.255.255.255 0 0

static (inside,outside) x.x.x.134 z.z.z.4 netmask 255.255.255.255 0 0

conduit permit tcp host x.x.x.133 eq ftp a.a.a.64 255.255.255.224

conduit permit tcp host x.x.x.134 eq ftp a.a.a.64 255.255.255.224

conduit permit tcp host x.x.x.133 eq 3389 a.a.a.64 255.255.255.224

conduit permit tcp host x.x.x.134 eq 3389 a.a.a.64 255.255.255.224

conduit permit udp host x.x.x.133 eq 3389 a.a.a.64 255.255.255.224

conduit permit udp host x.x.x.134 eq 3389 a.a.a.64 255.255.255.224

conduit permit tcp host x.x.x.132 eq 2222 host 64.30.222.83

conduit permit udp host x.x.x.132 eq 2222 host 64.30.222.83

conduit permit tcp host x.x.x.133 eq ftp-data a.a.a.64 255.255.255.224

conduit permit tcp host x.x.x.134 eq ftp-data a.a.a.64 255.255.255.224

conduit permit tcp host x.x.x.132 eq 2222 a.a.a.64 255.255.255.224

conduit permit udp host x.x.x.132 eq 2222 a.a.a.64 255.255.255.224

route outside 0.0.0.0 0.0.0.0 x.x.x.129 1

route inside 10.2.1.0 255.255.255.0 y.y.y.2 1

route inside 10.3.4.0 255.255.255.0 y.y.y.2 1

route inside 192.168.8.0 255.255.255.0 y.y.y.2 1

route inside 192.168.9.0 255.255.255.0 y.y.y.2 1

route inside 192.168.10.0 255.255.255.0 y.y.y.2 1

Any ideas would be appreciated.

Thanks,

3 REPLIES
Silver

Re: pix 515 and FTP and Terminal services

What version of the pix code are you running? If you have v 6.2 or 6.3 you can run a capture, similar to the unix tcpdump, on the outside and inside interfaces on the pix to see what traffic the pix is seeing. The capture command may be available in v6.1 too, I don't know for sure.

One test would be to have an outside host telnet to the target host on port 21 (telnet x.x.x.133 21) and see if a connection is made but the ftp banner does not appear; not having reverse dns entries can cause this.

Another issue can be with regards to proxy-arp. If the global (x.x.x.132, 133, and 134) addresses are on the same subnet as the pix's outside interface but proxy arp on the pix is turned off (via sysopt noproxyarp outside command) then unless the upstream router has static arp entries pointing to your pix, the pix will not arp and the packets will never arrive.

Let me know if these ideas helped.

New Member

Re: pix 515 and FTP and Terminal services

Thanks for your response. I checked my pix and I do not have any configs associated to sysopt noproxyarp etc; can you explain in more detail about this command and what it does?

The PIX version is 6.3(1) and by the way, did you see anything wrong with my configuration?

Thanks,

Silver

Re: pix 515 and FTP and Terminal services

Run a show sysopt to check the setting of the noproxyarp parameter. You want to have:

no sysopt noproxyarp outside

This will allow the pix's outside interface to be seen as the mac address of the hosts that you want to run the connections to. This is because the global address assigned to those hosts reside on the same subnet as the pix's outside interface.

I did not see anything wrong with your config, however I advise converting conduit statements to access-list statements as conduit may not be supported in future pix code releases - this is the recommendation that Cisco advises.

Also run the capture commands and set the pix logging buffer level to error and try to connect, after you make sure that the no sysopt noproxyarp is set (no noproxyarp means to enable it).

Between the error log, the capture and the proxyarp setting, we should get some valuable info.

The cisco pix 6.3 command reference will explain how to setup the capture. I would run two at the same time, one on the outside interface using the global ip in the acl, and one on the inside using the real/inside ip in the acl.

Let me know how it goes.
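The reply above recommends moving from conduit statements to access-list statements. The script below is an added example, not code from the thread or from Cisco: it parses the conduit lines the original poster pasted and emits the equivalent PIX 6.3 access-list entries plus the access-group line that binds them to the outside interface. It assumes the documented operand order (a conduit names the global/destination address first and the foreign/source address second, whereas an access-list names the source first), and the ACL name `outside_in` is an assumed choice, not something from the thread.

```python
"""Convert PIX 'conduit' statements into equivalent 'access-list' entries.

Added example, not part of the original thread. Assumed PIX 6.3 syntax:

    conduit permit|deny PROTO DEST-SPEC [eq PORT] SRC-SPEC [eq PORT]
    access-list NAME permit|deny PROTO SRC-SPEC [eq PORT] DEST-SPEC [eq PORT]

where a SPEC is 'any', 'host A.B.C.D', or 'A.B.C.D MASK'. The important
difference is operand order: the conduit lists the global (destination)
address first, the access-list lists the source first.
"""
from typing import List, Tuple

# The conduit lines from the original post (x/y/z/a are the poster's own
# placeholders), with two non-conduit lines mixed in to show they are skipped.
SAMPLE_CONFIG = """
fixup protocol ftp 21
conduit permit tcp host x.x.x.133 eq ftp a.a.a.64 255.255.255.224
conduit permit tcp host x.x.x.134 eq ftp a.a.a.64 255.255.255.224
conduit permit tcp host x.x.x.133 eq 3389 a.a.a.64 255.255.255.224
conduit permit tcp host x.x.x.134 eq 3389 a.a.a.64 255.255.255.224
conduit permit udp host x.x.x.133 eq 3389 a.a.a.64 255.255.255.224
conduit permit udp host x.x.x.134 eq 3389 a.a.a.64 255.255.255.224
conduit permit tcp host x.x.x.132 eq 2222 host 64.30.222.83
conduit permit udp host x.x.x.132 eq 2222 host 64.30.222.83
conduit permit tcp host x.x.x.133 eq ftp-data a.a.a.64 255.255.255.224
conduit permit tcp host x.x.x.134 eq ftp-data a.a.a.64 255.255.255.224
conduit permit tcp host x.x.x.132 eq 2222 a.a.a.64 255.255.255.224
conduit permit udp host x.x.x.132 eq 2222 a.a.a.64 255.255.255.224
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
"""


def _parse_spec(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tokens[i]; return (spec text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2  # network + mask


def _parse_port(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional 'eq PORT' or 'range LO HI' following a spec."""
    if i < len(tokens) and tokens[i] == "eq":
        return f"eq {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "", i


def conduit_to_ace(line: str, acl_name: str = "outside_in") -> str:
    """Rewrite a single conduit statement as an access-list entry."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "conduit":
        raise ValueError(f"not a conduit statement: {line!r}")
    action, proto = tokens[1], tokens[2]
    dst, i = _parse_spec(tokens, 3)        # global (destination) side first
    dst_port, i = _parse_port(tokens, i)
    src, i = _parse_spec(tokens, i)        # foreign (source) side second
    src_port, i = _parse_port(tokens, i)
    parts = ["access-list", acl_name, action, proto, src]
    if src_port:
        parts.append(src_port)
    parts.append(dst)
    if dst_port:
        parts.append(dst_port)
    return " ".join(parts)


def convert_config(text: str, acl_name: str = "outside_in",
                   interface: str = "outside") -> List[str]:
    """Convert every conduit line in a config dump; other lines are ignored.

    Exact duplicate entries are dropped, order is otherwise preserved, and an
    access-group line is appended so the new ACL is actually applied inbound
    on the named interface (an ACL that is never applied permits nothing).
    """
    aces: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conduit "):
            ace = conduit_to_ace(line, acl_name)
            if ace not in aces:
                aces.append(ace)
    if aces:
        aces.append(f"access-group {acl_name} in interface {interface}")
    return aces


if __name__ == "__main__":
    for entry in convert_config(SAMPLE_CONFIG):
        print(entry)
```

Run it against a saved `show conduit` or `write terminal` output; review the emitted lines before pasting them in, and remember that once the access-group is applied, the conduits for that interface are no longer what decides inbound access.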
