
How to setup FTP Server on DMZ of PIX 515


mashadif (IS-IT--Management), Jun 15, 2005
Hi!

Need help in configuring FTP Server on DMZ interface.

I have PIX 515 configured for Inside and Outside Interface and works fine. My IP addresses are as given below:

Outside: 207.219.xxx.xxx
Inside: 192.168.100.3
DMZ: 172.16.0.1

FTP Server for DMZ: 172.16.0.2

Can anyone help me in configuring the DMZ so that people from Outside (Internet) can access the FTP Server on port 21210?

Regards,
F. Mashadi
 
Dunno your PIX version but I assume it's 6.x something.

static (dmz,outside) 207.219.xxx.xxx 172.16.0.2
access-list outside_acl permit tcp any host 207.219.xxx.xxx eq 21210

Apply it to the access-group of your outside interface. You might need to change your fixup ftp protocol to the new port.

I assume you got everything else in order (connectivity from your dmz etc.)

If not post the complete config.

 
Hi boymarty24

My configuration is as given below, please guide:

: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password encrypted
passwd encrypted
hostname pix
domain-name cbs
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol ftp 21210
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.100.4 ISAServer
name 172.16.0.2 ftp-server
access-list outside_acl permit gre any host 207.219.125.104
access-list outside_acl permit tcp any interface outside eq www
access-list outside_acl permit tcp any interface outside eq smtp
access-list outside_acl permit tcp any interface outside eq daytime
access-list outside_acl permit tcp any interface outside eq pop3
access-list outside_acl permit tcp any interface outside eq https
access-list outside_acl permit tcp any interface outside eq 3389
access-list outside_acl permit tcp any interface outside eq 10001
access-list outside_acl permit tcp any interface outside eq 10002
access-list outside_acl permit tcp any interface outside eq 15000
access-list outside_acl permit tcp any interface outside eq 8080
access-list outside_acl permit gre any interface outside
access-list outside_acl permit tcp any interface outside eq 67
access-list outside_acl permit tcp any interface outside eq 68
access-list outside_acl permit tcp any interface outside eq 69
access-list outside_acl permit tcp any interface outside eq 1024
access-list outside_acl permit tcp any interface outside eq 5900
access-list outside_acl permit tcp any interface outside eq 11001
access-list outside_acl permit tcp any interface outside eq 11002
access-list outside_acl permit tcp any interface outside eq 84
access-list outside_acl permit tcp any interface outside eq ftp-data
access-list outside_acl permit tcp any interface outside eq ftp
access-list outside_acl permit tcp any interface outside eq 21210
pager lines 20
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside dhcp setroute
ip address inside 192.168.100.3 255.255.255.0
ip address dmz 172.16.0.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.100.1 255.255.255.255 inside
pdm location 192.168.100.5 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
alias (inside) ISAServer 207.219.125.104 255.255.255.255
alias (dmz) ISAServer 172.16.0.1 255.255.255.255
static (dmz,outside) tcp interface 21210 172.16.0.1 21210 netmask 255.255.255.255 0 0
static (inside,outside) interface ISAServer netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0
access-group outside_acl in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.100.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.100.1 255.255.255.255 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
terminal width 80
: end
 
You should add a nat statement for your dmz for internet access.

nat (dmz) 1 172.16.0.0 255.255.255.0

Clear xlate and it should work. Dunno if your ISA server does any firewalling!? What's the ISA's role in this btw? Exchange filtering?
 
ISA server is connected back to PIX Firewall. Inside interface of PIX is connected to External (internet) interface of ISA Server. Any traffic (mail, web etc.) from internet goes to LAN via ISA Server.

Please suggest.

F. Mashadi
 
Hi

I changed the configuration as suggested by you; however, it's still not working. My DMZ interface details are as given below:

pix# sh inter e2
interface ethernet2 "dmz" is up, line protocol is up
Hardware is i82557 ethernet, address is 00a0.c969.547f
IP address 172.16.0.1, subnet mask 255.255.0.0
MTU 1500 bytes, BW 100000 Kbit full duplex
347 packets input, 43670 bytes, 0 no buffer
Received 350 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
60 packets output, 3768 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
45 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
---------------------------------------------------
dmz:
received (in 93557.750 secs):
356 packets 44498 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 93557.750 secs):
60 packets 3768 bytes
0 pkts/sec 0 bytes/sec

Please suggest

F. Mashadi
 
I think the problem is in your static command.

Remove your static (inside,outside) and replace it with

static (inside,outside) tcp interface PORT isaserver PORT

One static per port number.

Finish with clear xlate.
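As an added example (not code from this thread, and not a Cisco tool), the script below parses the DMZ-relevant lines of the configuration mashadif posted, reproduced inline as a constructed excerpt, and reports the two things a reviewer would check first: a static whose real address is the firewall's own dmz interface (172.16.0.1 instead of the host named ftp-server), and a one-to-one static to the outside interface address that overlaps the port static for 21210, which is what the last reply's "one static per port" advice addresses. It also flags outside ACL entries that have no static translating them. The PORT_NAMES table is an assumption covering only the service keywords that appear in the posted ACL.

```python
"""Audit a PIX 6.3 config for static/ACL mismatches of the kind discussed in
this thread. Added example, not code from the thread or from Cisco."""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the config mashadif posted; only the lines that
# matter for the DMZ FTP server are kept.
SAMPLE_CONFIG = """\
name 192.168.100.4 ISAServer
name 172.16.0.2 ftp-server
access-list outside_acl permit tcp any interface outside eq ftp
access-list outside_acl permit tcp any interface outside eq 21210
access-list outside_acl permit tcp any interface outside eq www
ip address outside dhcp setroute
ip address inside 192.168.100.3 255.255.255.0
ip address dmz 172.16.0.1 255.255.0.0
static (dmz,outside) tcp interface 21210 172.16.0.1 21210 netmask 255.255.255.255 0 0
static (inside,outside) interface ISAServer netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.255 0 0
"""

# Assumed table: only the PIX service keywords used in the posted ACL.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "pop3": 110, "https": 443}


def port_number(tok):
    """Turn a PIX service keyword or numeric string into an int port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_config(text):
    """Extract name aliases, interface addresses, ACL entries and statics."""
    names, ifaces, acl, statics = {}, {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"name (\S+) (\S+)$", line):
            names[m.group(2)] = m.group(1)                    # alias -> IP
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            try:                                              # skips 'dhcp setroute'
                net = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
                ifaces[m.group(1)] = (m.group(2), net)
            except ValueError:
                pass
        elif m := re.match(r"access-list (\S+) permit (tcp|udp) any "
                           r"(?:interface (\S+)|host (\S+)) eq (\S+)$", line):
            acl.append({"acl": m.group(1), "proto": m.group(2),
                        "dest": "interface" if m.group(3) else m.group(4),
                        "iface": m.group(3), "port": port_number(m.group(5))})
        elif m := re.match(r"static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)", line):
            statics.append({"real_if": m.group(1), "mapped_if": m.group(2),   # port static
                            "proto": m.group(3), "mapped": m.group(4),
                            "mapped_port": port_number(m.group(5)),
                            "real": m.group(6), "line": line})
        elif m := re.match(r"static \((\w+),(\w+)\) (\S+) (\S+) netmask", line):
            statics.append({"real_if": m.group(1), "mapped_if": m.group(2),   # one-to-one
                            "proto": None, "mapped": m.group(3),
                            "mapped_port": None, "real": m.group(4), "line": line})
    return names, ifaces, acl, statics


def audit(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    names, ifaces, acl, statics = parse_config(text)
    own_addrs = {addr: name for name, (addr, _) in ifaces.items()}
    findings = []

    for st in statics:
        real = names.get(st["real"], st["real"])              # resolve 'name' aliases
        if real in own_addrs:
            findings.append(f"static points at the firewall's own {own_addrs[real]} "
                            f"interface address {real}, not a host: {st['line']}")
        elif st["real_if"] in ifaces and ip_address(real) not in ifaces[st["real_if"]][1]:
            findings.append(f"static real address {real} is outside the "
                            f"{st['real_if']} subnet: {st['line']}")
        # A one-to-one static to the mapped interface address claims every port,
        # so a port static on the same mapped address overlaps it.
        if st["proto"] is None:
            for other in statics:
                if (other["proto"] and other["mapped_if"] == st["mapped_if"]
                        and other["mapped"] == st["mapped"]):
                    findings.append(f"one-to-one static to '{st['mapped']}' on "
                                    f"{st['mapped_if']} overlaps port static "
                                    f"{other['proto']}/{other['mapped_port']}")

    for e in acl:
        covered = any(s["mapped"] == e["dest"]
                      and (e["iface"] is None or s["mapped_if"] == e["iface"])
                      and (s["proto"] is None
                           or (s["proto"], s["mapped_port"]) == (e["proto"], e["port"]))
                      for s in statics)
        if not covered:
            findings.append(f"{e['acl']} permits {e['proto']}/{e['port']} to "
                            f"{e['dest']} but no static translates it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the excerpt it prints two findings: the 21210 static translating to the dmz interface address itself, and the one-to-one ISAServer static overlapping that port static. Replacing 172.16.0.1 with ftp-server in the port static clears the first; the second is what splitting the ISA static into per-port statics removes.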
 