Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Allow FTP access, port 21
- Thread starter itmt
- Start date
- Thread starter
- #3
NetworkGhost
IS-IT--Management
Redirected? Are you using port forwarding? Post your config.
- Thread starter
- #5
Here is the config as requested - hopefully you will be able to spot my mistake - I am flying a little blind here as no real experience in this...........
Cryptochecksum:
nameif ethernet0 outside security0
nameif ethernet1 inside security100ll# exit
Logoff
enable password KR.RWTFAxtZu6KLz encryptedble commands.
passwd KR.RWTFAxtZu6KLz encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.128.1.0 Kew
name 10.128.10.1 bci
object-group service 2ndftp tcp
port-object range 1024 1024
access-list inside_outbound_nat0_acl permit ip 10.128.10.0 255.255.255.0 10.128.
10.240 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 10.128.10.0 255.255.255.0 Kew 255
.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.128.10.240 255.255.255.248
access-list BCI_splitTunnelAcl permit ip 10.128.10.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 10.128.10.0 255.255.255.0 Kew 255.255
.255.0
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any interface outside eq ftp
access-list 100 permit tcp 10.0.0.0 255.0.0.0 any
access-list 100 permit udp 10.0.0.0 255.0.0.0 any
access-list 100 permit icmp any any echo
access-list michelle_splitTunnelAcl permit ip 10.128.10.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 81.86.12.242 255.255.255.248
ip address inside 10.128.10.11 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool BCI 10.128.10.240-10.128.10.247 mask 255.255.255.248
pdm location Kew 255.255.255.0 outside
pdm location bci 255.255.255.255 inside
pdm location 10.128.0.0 255.255.0.0 inside
pdm location bci 255.255.255.255 outside
pdm location 10.0.0.0 255.255.0.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp bci ftp netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 81.86.12.246 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attemp
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host bci meta11ic timeout 5
url-server (inside) vendor websense host bci timeout 5 protocol UDP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 10.128.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.128.1.1 /bci
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 81.178.28.18
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 81.178.28.18 netmask 255.255.255.255 no-xauth no-con
fig-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup BCI address-pool BCI
vpngroup BCI split-tunnel BCI_splitTunnelAcl
vpngroup BCI idle-time 1800
vpngroup BCI password ********
vpngroup michelle address-pool BCI
vpngroup michelle split-tunnel michelle_splitTunnelAcl
vpngroup michelle idle-time 1800
vpngroup michelle password ********
telnet 10.128.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:0fc68b044750c25450d100f78dc11d6b
Cryptochecksum:
nameif ethernet0 outside security0
nameif ethernet1 inside security100ll# exit
Logoff
enable password KR.RWTFAxtZu6KLz encryptedble commands.
passwd KR.RWTFAxtZu6KLz encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.128.1.0 Kew
name 10.128.10.1 bci
object-group service 2ndftp tcp
port-object range 1024 1024
access-list inside_outbound_nat0_acl permit ip 10.128.10.0 255.255.255.0 10.128.
10.240 255.255.255.248
access-list inside_outbound_nat0_acl permit ip 10.128.10.0 255.255.255.0 Kew 255
.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 10.128.10.240 255.255.255.248
access-list BCI_splitTunnelAcl permit ip 10.128.10.0 255.255.255.0 any
access-list outside_cryptomap_20 permit ip 10.128.10.0 255.255.255.0 Kew 255.255
.255.0
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any interface outside eq ftp
access-list 100 permit tcp 10.0.0.0 255.0.0.0 any
access-list 100 permit udp 10.0.0.0 255.0.0.0 any
access-list 100 permit icmp any any echo
access-list michelle_splitTunnelAcl permit ip 10.128.10.0 255.255.255.0 any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 81.86.12.242 255.255.255.248
ip address inside 10.128.10.11 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool BCI 10.128.10.240-10.128.10.247 mask 255.255.255.248
pdm location Kew 255.255.255.0 outside
pdm location bci 255.255.255.255 inside
pdm location 10.128.0.0 255.255.0.0 inside
pdm location bci 255.255.255.255 outside
pdm location 10.0.0.0 255.255.0.0 inside
pdm location 10.0.0.0 255.0.0.0 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface ftp bci ftp netmask 255.255.255.255 0 0
access-group 101 in interface outside
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 81.86.12.246 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth max-failed-attemp
aaa-server partnerauth deadtime 10
aaa-server partnerauth (inside) host bci meta11ic timeout 5
url-server (inside) vendor websense host bci timeout 5 protocol UDP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 10.128.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.128.1.1 /bci
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 81.178.28.18
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 81.178.28.18 netmask 255.255.255.255 no-xauth no-con
fig-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup BCI address-pool BCI
vpngroup BCI split-tunnel BCI_splitTunnelAcl
vpngroup BCI idle-time 1800
vpngroup BCI password ********
vpngroup michelle address-pool BCI
vpngroup michelle split-tunnel michelle_splitTunnelAcl
vpngroup michelle idle-time 1800
vpngroup michelle password ********
telnet 10.128.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:0fc68b044750c25450d100f78dc11d6b
- Thread starter
- #7
- Thread starter
- #8
- Thread starter
- #10
If you do 'show access-list 101', is the FTP rule incrementing whenever a FTP session in started? Also can you confirm that the host 10.128.10.1 is where you want the FTP's redirected too?
If yes and yes to the above, have you tried ftp'ing to this host from the inside network and does that work?
If yes and yes to the above, have you tried ftp'ing to this host from the inside network and does that work?
You say you cannot authenticate, but you say that the port does seem to be getting redirected. Ok what happens? Do you get an authentication prompt?
Have you tried from the command line?
C:\>ftp
ftp> open Connected to ************.net.
220-FTP Server Ready.
220-Guest logins are not allowed here. You must login with your assigned
220-username and password with your FTP client program. If you're using
220-Internet Explorer, try the "Login as..." menu option under the "File" menu,
220-or in other FTP client programs, you can try this URL:
220-
220- ftp://username@YourDomainName/
220
User (**********.net
none)): gconnect
331 User gconnect okay, need password.
Password:
230 Restricted user logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
What type FTP Server?
What output does the FTP client or server log you when you attempt to login via FTP?
What does the pix log say?
Have you tried from the command line?
C:\>ftp
ftp> open Connected to ************.net.
220-FTP Server Ready.
220-Guest logins are not allowed here. You must login with your assigned
220-username and password with your FTP client program. If you're using
220-Internet Explorer, try the "Login as..." menu option under the "File" menu,
220-or in other FTP client programs, you can try this URL:
220-
220- ftp://username@YourDomainName/
220
User (**********.net
none)): gconnect331 User gconnect okay, need password.
Password:
230 Restricted user logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
What type FTP Server?
What output does the FTP client or server log you when you attempt to login via FTP?
What does the pix log say?
NetworkGhost
IS-IT--Management
I wonder if this is the problem.
static (inside,outside) tcp interface ftp bci ftp netmask 255.255.255.255 0
FTP operates on more than 1 port which is what the fixup is for. The problem could be that you only have ftp (TCP 21) statically translated. I dont know if the pix is smart enough or dumb enough to translate these to the inside host on ports other than the one in your translate rule because you are using port address translation. Are you using active or passive FTP? try this also.
static (inside,outside) tcp interface 20 bci 20 netmask 255.255.255.255 0
Thats for FTP-Data. If you are using Active FTP Data will go over 20 AND 21 is the control connection. If it is passive the control connection is still 21 but it uses tcp high ports for the data connection.
static (inside,outside) tcp interface ftp bci ftp netmask 255.255.255.255 0
FTP operates on more than 1 port which is what the fixup is for. The problem could be that you only have ftp (TCP 21) statically translated. I dont know if the pix is smart enough or dumb enough to translate these to the inside host on ports other than the one in your translate rule because you are using port address translation. Are you using active or passive FTP? try this also.
static (inside,outside) tcp interface 20 bci 20 netmask 255.255.255.255 0
Thats for FTP-Data. If you are using Active FTP Data will go over 20 AND 21 is the control connection. If it is passive the control connection is still 21 but it uses tcp high ports for the data connection.
1-Try To Open Port 20 & 21 For The Ftp server Ip.
2-I Think This command Not True [(static (inside,outside) tcp interface ftp bci ftp netmask 255.255.255.255 0 0)],
[Static (inside,outside) tcp (Real Ip For The Server) (Private Ip) netmask 255.255.255.255 0 0].
3-after changing the routing Clear the xlate table and build it again.
Have you tried sniffing the traffic on the inside? Or even on the FTP server itself for that matter to see what is actually coming in. You may want to compare that with the output from a 'debug packet outside' on the router. If you sniff the traffic on the client and get ICMP Destination Unreachable / Port Unreachable that may also clue us in.
Fixup will open the ports automatically. In fact with fixup enabled you will not see any hits on any ACL using tcp/20 even if configured with "any any eq 20". Tcp/20 is only applicable if the server is doing Active FTP anyway. Connections created by Application Inspection (fixups) get processed before the ACLs (like CBAC on IOS). And like IOS 12.3, connections created by Application Inspection are not viewable natively.
Fixup will open the ports automatically. In fact with fixup enabled you will not see any hits on any ACL using tcp/20 even if configured with "any any eq 20". Tcp/20 is only applicable if the server is doing Active FTP anyway. Connections created by Application Inspection (fixups) get processed before the ACLs (like CBAC on IOS). And like IOS 12.3, connections created by Application Inspection are not viewable natively.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question