
Access List and FTP

Status
Not open for further replies.

UkMister

IS-IT--Management
Mar 24, 2003
95
GB
Hi,

I've managed to link to our pix 501 firewall using telnet. I can see that we have allowed access to smtp through access lists.

I would like to be able to allow our users on their own machines to be able to connect to certain sites so that they can upload web sites etc.

I am using cute ftp to try to access various ftp sites but the firewall isn't letting this happen. I can do it from the server fine but when I try from a client pc it doesn't work.

Any ideas on how I can configure our firewall to allow access from client pcs?

Many thanks

Gary
 
Did you try adding a permit ftp to the acl, as the permit smtp is?

If you post the fragment of your config with the acl's it would be easier to answer your question.

Brian
 
Hi,

Here is the access list part of our configuration. I do have the ftp permitted. I just copied the syntax from what was already there so I'm not 100% sure that it is saying what I think it's saying.


access-list pdc_in permit tcp any host 195.148.160.57 eq www
access-list pdc_in permit tcp any host 195.148.160.57 eq smtp
access-list pdc_in permit tcp any host 195.148.160.57 eq ftp

Thanks for any help

 
I can ftp to the inside address from a client machine but when I try to ftp the outside address, the connection fails.
 
This acl looks a lot like one that is applied on the outside.
If this is true, then you should post the acl on the inside, if you have one that is. Otherwise you should be fine, and it is not an acl issue.

Jan

Network Systems Engineer
CCNA/CQS
 
Yes, this is applied on the outside. I don't think we have one for the inside. Is this where the problem lies?

If this is the case, how would I configure our machines on the inside to ftp to the outside?

Gary
 
Can your inside machines browse the web?
Is the network configured for NAT? Are there any statements in your config that look like this:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Are you using a proxy server for web browsing?
If you are using a proxy server then the settings for FTP might need to be tweaked.
Do your work stations have their gateway address set to your firewall?




 
This is the configuration of our firewall.
The workstations don't have any gateway set. They do browse the internet and receive mail though. They have to be set to look at the exchange server IP address on port 8080.
I didn't set this up, but I know that there were difficulties in getting it to work.
We don't use proxy server although the Microsoft Web Proxy service is running and I'm not sure how this integrates into the setup.

Many thanks

Gary

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 7PEimcjso1aZFnNw encrypted
passwd oU2C0m3aY/PUvScG encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol ftp 20
names
name 192.168.1.2 pdc
access-list pdc_in permit tcp any host 195.146.168.58 eq www
access-list pdc_in permit tcp any host 195.146.168.58 eq smtp
access-list pdc_in permit tcp any host 195.146.168.58 eq ftp
access-list pdc_in permit tcp any host 195.146.168.58 eq ftp-data
access-list pdc_in permit tcp any host 195.146.168.58 eq 1433
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location pdc 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) 192.168.1.1 195.146.168.58 255.255.255.255
static (inside,outside) 195.146.168.58 pdc netmask 255.255.255.255 0 0
access-group pdc_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
sysopt noproxyarp inside
sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
 
Another, perhaps daft question. When I change the configuration of the Pix, I use the 'write mem' command. Do I need to do anything to the Pix to make the changes take effect? Like a restart etc?

Thankyou
 
Commands take effect immediately, write mem saves that configuration to memory, else you will lose it if you restart the pix.

You seem to be configured to use that proxy server, even if you are not sure of exactly how it is working.

If your workstations do not have a gateway set, then they will never be able to access anything outside of your LAN, except via the proxy server. Right now your pix is configured to allow all traffic out. You have 2 options:
1) figure out how to get the proxy server configured for FTP, or 2) set default gateways on workstations and let them go directly at the internet.

Your workstations might be configured to use the proxy server for FTP, and the server might be the part that is broken, so deconfiguring the proxy might be needed on the workstations if you choose to let the workstations access the internet directly.

If you let the workstations access the internet for FTP then I suggest you also put an ACL on the inside interface.

name 192.168.1.0 net-office
access-list acl-inside remark, deny RPC and TFTP (worm exploit issues)
access-list acl-inside deny tcp any any eq 135
access-list acl-inside deny udp any any eq 135
access-list acl-inside deny udp any any eq 69
access-list acl-inside remark I dont know what your server is doing so I will permit all (you really want to restrict better)
access-list acl-inside permit ip host pdc any
access-list acl-inside remark udp 53 is DNS, if your workstations get DNS from your server then you do not need this line)
access-list acl-inside permit udp net-office 255.255.255.0 any eq 53
access-list acl-inside permit tcp net-office 255.255.255.0 any eq ftp
access-list acl-inside permit tcp net-office 255.255.255.0 any eq ftp-data

access-group acl-inside in interface inside

If you want to allow ftp access to specific ftp servers, replace 'any' in the permit ftp with 'host #.#.#.#'

(And when you post your config, you should blank out the external addresses, if your configuration is insecure, you would be giving away the candy shop to a hacker.)
 
Thank you, this is extremely helpful. I've looked at the configuration of the ISA server (I'm assuming that it is this that uses the Web Proxy Service) that we are using and there appears to be a very strange config.

Just one more question, how would I bypass this and connect the client machines directly to the internet?

Many thanks for your help
 
UKMISTER, I'm not sure if anybody has mentioned this to you as yet but the PIX works on a principle of numbering the priorities of each interface.

If there is no access list configured for the inside interface as I notice in your pasted configuration above, you don't need to do anything for inside users to ftp to the outside.

Inside users by default are given full access to go to the outside because the inside interface has a higher priority level than the outside. Look at the first 3 lines of your configuration which state:
nameif ethernet0 outside security0
nameif ethernet1 inside security100


This clearly shows that the inside interface has priority 100 while outside has a priority of 0.
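To make the two rules discussed in this thread concrete (an ACL bound with access-group is evaluated first-match with an implicit deny; with no ACL bound, a higher security level may initiate to a lower one), here is a small added model of PIX access decisions. It is not Cisco code or code from anyone in this thread; the config it parses is a constructed sample built from the nameif and access-list lines posted above plus the suggested acl-inside, and it ignores NAT, statics and fixups.

```python
import ipaddress

# Constructed sample: the thread's nameif lines and ACLs plus the suggested inside ACL
# (names resolved as in the posted config); NAT, statics and fixups are not modelled.
NAMES = {"pdc": "192.168.1.2", "net-office": "192.168.1.0"}
SERVICES = {"www": 80, "smtp": 25, "ftp": 21, "ftp-data": 20}
CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list pdc_in permit tcp any host 195.146.168.58 eq ftp
access-list acl-inside remark deny RPC (worm exploit issues)
access-list acl-inside deny tcp any any eq 135
access-list acl-inside permit ip host pdc any
access-list acl-inside permit tcp net-office 255.255.255.0 any eq ftp
access-group pdc_in in interface outside
access-group acl-inside in interface inside
"""
def _addr(tok, i):  # one ACL address spec at tok[i] -> (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(NAMES.get(tok[i + 1], tok[i + 1])), i + 2
    return ipaddress.ip_network(f"{NAMES.get(tok[i], tok[i])}/{tok[i + 1]}"), i + 2
def parse_config(text):
    """Return (security level per interface, ACEs per ACL name, ACL bound per interface)."""
    levels, acls, bindings = {}, {}, {}
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] == "nameif":                      # nameif <hw> <name> security<N>
            levels[tok[2]] = int(tok[3][len("security"):])
        elif tok[0] == "access-list" and tok[2] != "remark":
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            port = None
            if i < len(tok) and tok[i] == "eq":
                port = SERVICES.get(tok[i + 1]) or int(tok[i + 1])
            acls.setdefault(tok[1], []).append((tok[2], tok[3], src, dst, port))
        elif tok[0] == "access-group":              # access-group <acl> in interface <if>
            bindings[tok[4]] = tok[1]
    return levels, acls, bindings
def permitted(cfg, ingress, egress, proto, src, dst, dport):
    """First-match ACL on the ingress interface if one is bound, else the level rule."""
    levels, acls, bindings = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress in bindings:
        for action, p, s, d, port in acls[bindings[ingress]]:
            if p in (proto, "ip") and src in s and dst in d and port in (None, dport):
                return action == "permit", f"{bindings[ingress]}: explicit {action}"
        return False, f"{bindings[ingress]}: implicit deny"
    # no ACL bound: the higher security level may initiate to the lower, never the reverse
    return levels[ingress] > levels[egress], f"no ACL: security {levels[ingress]} -> {levels[egress]}"
```

Dropping the acl-inside access-group line from the sample reproduces the poster's situation: inside-to-outside FTP is allowed purely by the 100 > 0 level rule, so the PIX is not what blocks the clients.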

 
Ok, I'm beginning to understand how this works. So what we are saying is that the firewall is NOT responsible for client PCs being unable to ftp to the outside? This is because the firewall configuration allows any request to the outside.
Therefore there must be another reason that the internal pcs can't connect to ftp sites. (I'm using Cute FTP to do this by the way). The general opinion is that there is something to do with the Microsoft ISA server that is preventing this happening. Would this be a reasonable assumption? All our client pcs connect to the internet by being pointed to the main server's IP address on port 8080. They also don't have a default gateway set. As I've mentioned, this system was set up a long time before I arrived here, but I do know that several tekkies tried to sort the problem out unsuccessfully.
I get the feeling that I'm moving into an area best suited to another forum but any suggestions are much appreciated.

Thanks for all the support so far

Gary
 
Without the default gateway set your machines can not find the way out of your LAN to the Internet.

What you should do is set one computer's gateway address to the same address as your PIX inside interface (and the DNS setting). Then disable the proxy server setting on that computer. Then try FTP (and web browsing). It ought to work. Then enable the proxy server setting. If ftp does not work, then you need to investigate your proxy server settings. The Cisco cache server that we use is set to accept ftp traffic on port 9000 under the advanced setting in Internet Explorer.

And if it kept on working then you should still investigate why the proxy server never worked for FTP in the first place. (and yes you might get a better answer from another forum. But you certainly have learned a good bit from this exercise so far.)

Cheers

Brian
 