sq (New Member)

Pix 515.

Hi, I need some configuration help.

I am using a PIX to secure my LAN. I always get a dynamic IP address from my ISP (ip address dhcp on the outside interface).

I cannot connect to other FTP servers on the Internet, and nobody can connect to my local FTP server: 172.16.1.10

My outside interface gets the IP address 213.46.213.100

and my LAN uses the IP address pool 172.16.1.1-172.16.1.20

Could anybody give some advice on how I should configure my PIX in order to allow FTP traffic in and out of the LAN?

Here is the configuration:

fixup protocol ftp 21
ip address outside dhcp
ip address inside 172.16.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0 0
route outside 0.0.0.0 0.0.0.0 213.46.213.1 1
access-list 120 permit tcp any any eq ftp
access-list 120 permit tcp any any eq 80
access-group 120 in interface outside

Thanks

5 REPLIES

Re: Pix 515.

Hi, for inbound access a static translation is required. Use the 'static' command for this.

Are you able to do something else than FTP (like surfing the Internet)? The outbound config seems to be fine. Maybe your default gateway is incorrect? If your provider provides the default gateway through DHCP, you can enter this command:

ip address outside dhcp setroute

and remove this command:

route outside 0.0.0.0 0.0.0.0 213.46.213.1 1

Kind Regards,

Tom

sq (New Member)

Re: Pix 515.

Hi

Thanks for your reply.

I am able to surf the Internet; everything is fine on the web.

This is correct, my gateway is 213.46.213.1, and I used to route my network to the Internet (to the router of my ISP = gateway).

But my problem is that I can't connect to other FTP servers, and FTP traffic is blocked and not going into my network.

I am using a PIX 515, with image version 6.22.

How should I configure my PIX to allow FTP traffic in and out of my network???

Regards

Said

Re: Pix 515.

Hi,

This is the way inbound FTP traffic is configured:

1 create a static translation: 'static' command

2 create an access-list: 'access-list' command

3 apply the access-list to the outside interface: 'access-group' command

4 make sure that the FTP fixup protocol is not disabled: 'fixup protocol ftp' command

Please have a look at this URL:

http://www.cisco.com/warp/public/707/28.html

and go to the part:

Allowing Untrusted Hosts Access to Hosts on Your Trusted Network

When you read the examples, don't use the conduit examples (outdated), but have a look at the access-list examples instead.

Hope this helps you?

Kind Regards,

Tom

sq (New Member)

Re: Pix 515.

Hi again

It was correct information, it was helpful.

I have created an extended access-list, and I applied it on the outside interface.

Fixup protocol was already enabled. (It was not a standard port, it was on port 2121.)

You mentioned to me to look at the FTP port, it was fabulous.

But I don't understand why I should create a static translation???

"1 create static translation: 'static' command"

I understand that the conduit command is useful only on version 5 and above, and access-list is used on version 6 and above. Is that correct??

Thanks.

Said

Re: Pix 515.

Hi,

To allow inbound traffic (from a lower to a higher security level) you need two things (that's the way the PIX works).

1. First create a static translation. Why is this necessary? It is for linking the public address (as it is known on the Internet) of the FTP server to the private address (the real IP address of the server on your LAN) of the FTP server. This can only be done by a static translation. It maps the public address to the private address. So when FTP requests from the Internet arrive at your outside interface and the destination address is the public address of the FTP server, the PIX forwards the request to the private address of the FTP server on your private network.

2. Create an access-list to allow inbound traffic from the Internet to the public address of the FTP server.

Conduits are outdated (but can still be used). Like you said, you should use access-lists instead of conduits (don't mix them in a config). That's correct.

Am I being a little bit clear? I hope so :-) If you have any more questions, don't hesitate to post them.

Kind Regards and Best Wishes,

Tom
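The four steps Tom lists (static, access-list, access-group, fixup) put together as one PIX 6.x configuration fragment. This is an added example, not Tom's own configuration and not from the Cisco document he links. It assumes the FTP server 172.16.1.10 and the non-standard port 2121 mentioned earlier in the thread; the access-list name "outside_in" is an assumption, and the "!" lines are explanatory comments. Because the outside address comes from DHCP there is no fixed public address to translate to, so the static uses the "interface" keyword (port redirection to the outside interface address) instead of a one-to-one static:

```cisco
! Added example: inbound FTP to 172.16.1.10 through a PIX whose outside
! address is assigned by DHCP. ACL name "outside_in" is assumed.

! 1. Static translation. With a dynamic outside address, publish the
!    service on the outside interface address itself (port redirection).
static (inside,outside) tcp interface 2121 172.16.1.10 2121 netmask 255.255.255.255 0 0

! 2. Access-list. Permit only the published service to the published
!    address, rather than "permit tcp any any" as in the original config.
access-list outside_in permit tcp any interface outside eq 2121

! 3. Apply the access-list inbound on the outside interface.
access-group outside_in in interface outside

! 4. FTP inspection. The fixup must be told about the non-standard port,
!    otherwise the data-channel pinholes (PORT/PASV) are never opened.
fixup protocol ftp 21
fixup protocol ftp 2121
```

Keep only one access-group bound to the outside interface: applying "outside_in" replaces the earlier "access-list 120" binding, and the permit for port 80 in that list should only be carried over if a web server is actually published the same way. Inbound connections are then limited to the one translated port; anything not matched by the static and the access-list is still dropped by the lower-to-higher security rule.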
