FTP box in DMZ in PIX-515

jcanfer

MIS
Aug 9, 2001
16
GB
I've got a machine I want to use as an FTP server sat in our DMZ.

From the FTP box in the DMZ I can ping the gateway and the inside of the router as well as telnet etc. However letting people into the DMZ seems to be the problem.

I'm using NAT in the DMZ, I've assigned the FTP box's IP address a name and I have a static route setup from the outside into the DMZ, with the various access lists. Now firstly, have I missed anything off that list?

Secondly could anyone please post the relevant parts of a config like this that they know works, as I seem unable to access my FTP box. Interestingly nothing shows up in the logs so I fear I'm doing something crucially wrong! I'm just using a bog standard FTP server running from IIS just to get it all setup.

I know the FTP box works inside our LAN, but when I change the LAN settings and put it in the DMZ - I can't get to it! Help! The concepts seem to have escaped me!

Thanks in advance
 
Hi jcanfer!

I don't know much about this. But I would check your security levels, first. Obviously, people can access the DMZ, right? If so, then I have struck out (sorry!).

I apologize if you checked this already, I am trying to figure out my own system by participating in all available threads.

If it is a config thing, what is your current config (for that DMZ)? An FTP is on my list of things to figure out.

J.
 
HI.

What pix version?
Post here your config (you can replace IP with something else, but don't use the same X.X.X.X for all addresses because we cannot understand it).

For connections from the pix outside (the Internet), you'll need to use STATIC, ACCESS-LIST & ACCESS-GROUP commands.

For connections from the inside to the DMZ, you will need NAT (inside)...
and GLOBAL (DMZ) ...
Take a look at CISCO web site, you can find the exact answers with samples:

You can also try using PDM.

You can also try using PIXCRIPT:

Bye
Yizhar Hurwitz
 
Yizhar,

Not a bad little program - especially as I can't get hold of PIX Device Manager. I'm using PIX v6.1 at the moment.

Just to refresh on the problem, I cannot access my ftp box from outside and I also cannot get smtp traffic to the inside from the outside. I think I may have screwed up the statics - what do I need for the outside IP address? I assumed it was the outside interface address - am I wrong?

The whole config is probably appalling - but it's the first time I've touched one... Thanks in advance

PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password gqwEMY/IctKaMqEV encrypted
passwd fA8FN/JlSZiiwVfq encrypted
hostname pixfirewall
domain-name omd-fab.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name abc.de.f.8 rassrv2
name abc.de.f.10 DL0005
name abc.de.f.20 PC0011
name abc.de.f.14 PC0020
name abc.de.f.77 PC0001
name abc.de.f.13 rassrv3
name abc.de.f.252 ftp
access-list acl_in permit icmp any any
access-list acl_in permit tcp any host rassrv3 eq smtp
access-list acl_in permit tcp any host rassrv2 eq 1723
access-list acl_in permit gre any host rassrv3
access-list acl_in permit tcp any host ftp eq ftp
access-list acl_in permit tcp any host PC0011 eq ftp
access-list acl_out permit tcp host DL0005 any eq ftp
access-list acl_out permit tcp host PC0011 any eq ftp
access-list acl_out permit tcp host abc.de.f.2 any eq ftp
access-list acl_out permit tcp host abc.de.f.4 any eq domain
access-list acl_out permit tcp host DL0005 any eq domain
access-list acl_out permit tcp host PC0011 any eq domain
access-list acl_out permit tcp host abc.de.f.2 any eq www
access-list acl_out permit tcp host DL0005 any eq www
access-list acl_out permit tcp host PC0011 any eq www
access-list acl_out permit tcp host rassrv2 any eq pop3
access-list acl_out permit tcp host DL0005 any eq pop3
access-list acl_out permit tcp host PC0011 any eq 1723
access-list acl_out permit tcp host DL0005 any eq 1723
access-list acl_out permit tcp host rassrv2 any eq 1723
access-list acl_out permit tcp any any eq telnet
access-list acl_out permit icmp any any
access-list acl_out permit gre host rassrv2 host stu.vwx.yz!.190
access-list acl_out permit tcp host PC0020 any eq ftp
access-list acl_out permit tcp host PC0020 any eq domain
access-list acl_out permit tcp host PC0020 any eq www
access-list acl_out permit tcp host PC0020 any eq 1723
access-list acl_out permit tcp host PC0001 any eq www
access-list acl_out permit tcp host PC0001 any eq ftp
access-list acl_out permit tcp host PC0001 any eq domain
access-list acl_out permit tcp host PC0011 any eq 443
access-list acl_out permit tcp host PC0020 any eq 443
access-list acl_out permit tcp host DL0005 any eq 443
access-list acl_out permit tcp any any eq www
access-list acl_out permit tcp host PC0001 any eq 443
access-list acl_out permit tcp host rassrv3 any eq smtp
access-list acl_out permit tcp any any eq 443
access-list acl_out permit udp host PC0001 any eq domain
access-list acl_dmz permit icmp any any
access-list acl_dmz permit tcp any any eq telnet
access-list acl_dmz permit tcp any any eq ftp
access-list acl_dmz permit tcp any any eq domain
access-list acl_dmz permit udp any any eq domain
pager lines 24
logging on
logging buffered debugging
logging trap debugging
logging history debugging
logging facility 1
logging host inside abc.de.f.16
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside stu.vwx.yz!.177 255.255.255.240
ip address inside abc.de.f.253 255.255.255.0
ip address dmz stu.vwx.yz!.188 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 stu.vwx.yz!.181-stu.vwx.yz!.186
global (outside) 1 stu.vwx.yz!.179
nat (inside) 1 abc.de.f.0 255.255.255.0 0 0
nat (dmz) 1 abc.de.f.0 255.255.255.0 0 0
static (dmz,outside) stu.vwx.yz!.177 PC0011 netmask 255.255.255.255 0 0
static (inside,outside) stu.vwx.yz!.177 rassrv3 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
access-group acl_out in interface inside
access-group acl_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 stu.vwx.133.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
snmp-server host inside abc.de.f.16
snmp-server host inside PC0001
snmp-server location PC0001
snmp-server contact x2000
snmp-server community publix
snmp-server enable traps
tftp-server inside abc.de.f.16 141201
floodguard enable
no sysopt route dnat
telnet abc.de.f.0 255.255.255.0 inside
telnet abc.de.f.0 255.255.255.0 dmz
telnet timeout 15
ssh timeout 5
terminal width 80
Cryptochecksum:f91198b1b4a4be579d3f8607c57fe49a
: end
 
HI.

* This name command:
name abc.de.f.252 ftp
might cause problems because the name "ftp" is also used as a port name. I don't know if it's ok to use it, so anyway better use ftpserver in the name command.

* You will need a static command like this:
static (dmz,outside) stu.vwx.yz!.177 PC0011 netmask 255.255.255.255 0
also for your ftp server that was named "ftp".

For troubleshooting, open a telnet session to your router, and from there try to telnet to port 21 (ftp) and to port 25 (smtp) on your dmz servers.

For incoming mail you should remember to set the MX record in DNS - ask your ISP or DNS zone administrator.

It is also recommended to troubleshoot with syslog messages.
Use "log buf 5" and "show log" at the console, or better, implement a syslog server.

Bye
Yizhar Hurwitz
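To make the advice in Yizhar's two replies checkable, here is an added example (not code from the posters and not a Cisco tool) that audits a PIX 6.x config for the outside-to-DMZ chain he describes: a STATIC for each published host, an ACCESS-LIST permit, and an ACCESS-GROUP binding that list to the outside interface. It also flags the two pitfalls called out above: a `name` entry that collides with a port keyword, and more than one static sharing a single global address. The two configs inside it are constructed to follow the shape of the one posted earlier, with placeholder addresses from the documentation and private ranges; the port-keyword set is a partial list I wrote for the example.

```python
"""Audit a Cisco PIX 6.x config for the outside-to-DMZ service chain.

Added example for this thread (not Cisco tooling, not the posters' code).
Checks the STATIC / ACCESS-LIST / ACCESS-GROUP chain on the outside
interface, plus a "name" that collides with a port keyword and statics
sharing one global address. Addresses are constructed placeholders.
"""
import re
from collections import defaultdict

# Partial set of PIX port keywords a "name" should not reuse (constructed).
PORT_KEYWORDS = {"ftp", "smtp", "www", "domain", "telnet", "pop3", "https"}

# Constructed config following the shape of the one posted above.
BROKEN_CONFIG = """\
name 10.1.1.13 rassrv3
name 10.1.1.20 PC0011
name 10.1.1.252 ftp
access-list acl_in permit tcp any host rassrv3 eq smtp
access-list acl_in permit tcp any host ftp eq ftp
access-list acl_in permit tcp any host PC0011 eq ftp
ip address outside 203.0.113.177 255.255.255.240
static (dmz,outside) 203.0.113.177 PC0011 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.177 rassrv3 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
"""

# Same design corrected: a distinct, unused global address per published host.
FIXED_CONFIG = """\
name 10.1.1.13 rassrv3
name 10.1.1.20 PC0011
name 10.1.1.252 ftpserver
access-list acl_in permit tcp any host rassrv3 eq smtp
access-list acl_in permit tcp any host ftpserver eq ftp
access-list acl_in permit tcp any host PC0011 eq ftp
ip address outside 203.0.113.177 255.255.255.240
static (dmz,outside) 203.0.113.178 PC0011 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.180 ftpserver netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.179 rassrv3 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
"""


def _take_addr(tokens):
    # Consume one ACE address spec: 'any', 'host X', or 'NET MASK'.
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_config(text):
    """Extract names, permit ACEs, statics, interface IPs and access-groups."""
    cfg = {"names": {}, "acls": defaultdict(list), "statics": [], "groups": {}, "if_addr": {}}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "name" and len(p) == 3:                 # name ADDR NAME
            cfg["names"][p[2]] = p[1]
        elif p[0] == "access-list" and p[2] == "permit":   # access-list ID permit PROTO SRC DST [eq PORT]
            src, rest = _take_addr(p[4:])
            dst, rest = _take_addr(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
            cfg["acls"][p[1]].append({"proto": p[3], "src": src, "dst": dst, "port": port})
        elif p[0] == "static":                             # static (REAL,MAPPED) GLOBAL LOCAL ...
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
            cfg["statics"].append({"mapped_if": m[2], "global": m[3], "local": m[4]})
        elif p[0] == "access-group":                       # access-group ID in interface IF
            cfg["groups"][p[4]] = p[1]
        elif p[:2] == ["ip", "address"]:                   # ip address IF ADDR MASK
            cfg["if_addr"][p[2]] = p[3]
    return cfg


def audit_inbound(cfg):
    """Return (code, message) findings for services published on 'outside'."""
    findings = []
    for n in cfg["names"]:
        if n.lower() in PORT_KEYWORDS:
            findings.append(("NAME_IS_KEYWORD", f"name '{n}' is also a port keyword; rename it"))
    acl = cfg["groups"].get("outside")
    if acl is None or acl not in cfg["acls"]:
        findings.append(("NO_OUTSIDE_ACL", "no defined access-list is bound to the outside interface"))
        return findings
    to_outside = [s for s in cfg["statics"] if s["mapped_if"] == "outside"]
    published = {s["local"] for s in to_outside}
    by_global = defaultdict(list)
    for s in to_outside:
        by_global[s["global"]].append(s["local"])
    for ace in cfg["acls"][acl]:
        if ace["dst"] != "any" and ace["dst"] not in published:
            findings.append(("NO_STATIC", f"{acl} permits {ace['proto']}/{ace['port']} to "
                             f"{ace['dst']} but no static (*,outside) translates it"))
    for g, hosts in by_global.items():
        if len(hosts) > 1:
            findings.append(("DUPLICATE_GLOBAL", f"{g} is the global address of {', '.join(hosts)}; "
                             "each one-to-one static needs its own global address"))
        if g == cfg["if_addr"].get("outside"):
            findings.append(("GLOBAL_IS_INTERFACE", f"{g} is the outside interface address; "
                             "pick a free address in the outside subnet"))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for code, msg in audit_inbound(parse_config(text)):
            print(f"{code}: {msg}")
```

Run against the broken config it reports the keyword collision, the missing static for the FTP host, and the shared global address; the corrected config produces no findings. The parser only handles the `name`, `access-list ... permit`, `static`, `access-group` and `ip address` lines this thread turns on, so treat it as a starting point rather than a full PIX grammar.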
 