PIX 515 and FTP


MJNSBF (Technical User), Apr 2, 2002
I have a PIX 515 firewall that has an ftp server behind it. I have set up Static NAT for this server, and thought I had enabled ftp access to it, but obviously haven't. Any pc behind the firewall can connect to the ftp server using their browser and entering ftp:\\192.168.10.88. But when trying to come in from the outside using the domain name (or using the domain name from the inside), I have no luck. Any help would be appreciated. Below is my code.

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname barricade
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.10.88 Europa
access-list outside_access_in permit tcp any gt 1024 host 192.168.10.88 eq ftp
pager lines 24
logging on
logging buffered warnings
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 10.11.12.244 255.255.255.0
ip address inside 192.168.10.245 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location NAMO 255.255.255.255 inside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 Admin3 255.255.255.255 0 0
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
static (inside,outside) 10.11.12.88 Europa netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.11.12.244 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http NAMO 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.10.150-192.168.10.225 inside
dhcpd dns x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain nsbf.nasa.gov
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:56a1b2baff9e44fb54b4c421f1390041
: end
[OK]

 
Hi.

I guess that this is the problem:
> ip address outside 10.11.12.244 255.255.255.0
You have another NAT/PAT device out there, that is blocking the FTP connection or the data (port 20) session.

Get some more registered ip addresses and disable NAT on the router - that is the best solution.

Bye
Yizhar Hurwitz
 
Thanks for the info. But I have one question, and it may sound stupid, so please forgive me (I am new to PIX configurations).

How will the client know which machine to ftp to, if I disable NAT? I thought that was what NAT was for....to translate the address outside the firewall to the address behind the firewall. And why would I need more registered ip addresses?

Thanks.
 
You need to use the "outside" or public IP address of the FTP server in the following line of code:

access-list outside_access_in permit tcp any gt 1024 host 192.168.10.88 eq ftp
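The last reply points at the actual defect in the posted config: on PIX 6.x (and on ASA before 8.3) an access-list applied inbound on the outside interface is matched against the translated (global) address from the static, not the server's real inside address, so `host 192.168.10.88` never matches inbound FTP traffic destined for 10.11.12.88. The script below is an added example, not code from the thread or from Cisco: a small audit that parses the `name`, `static`, `access-group` and `access-list` syntax visible in the config above, flags ACL host entries that reference a real address on the interface where the PIX expects the mapped one, and prints the corrected line. The regexes assume the PIX 6.x single-line syntax shown in this thread; `SAMPLE_CONFIG` is a constructed excerpt of the poster's config.

```python
"""Audit a PIX 6.x config for ACL entries that use a server's real (inside)
address on the outside interface instead of the static's mapped address.
Hypothetical helper written for this thread, not a Cisco tool."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
names
name 192.168.10.88 Europa
access-list outside_access_in permit tcp any gt 1024 host 192.168.10.88 eq ftp
static (inside,outside) 10.11.12.88 Europa netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

# PIX 6.x line shapes assumed by this audit (as seen in the thread).
STATIC_RE = re.compile(
    r"^static \((?P<high>\w+),(?P<low>\w+)\) (?P<global>\S+) (?P<local>\S+)")
NAME_RE = re.compile(r"^name (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<alias>\S+)")
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) in interface (?P<iface>\S+)")
ACL_RE = re.compile(r"^access-list (?P<acl>\S+) ")


def parse_names(config: str) -> Dict[str, str]:
    """Map each 'name' alias to its IP so aliases in statics and ACLs resolve."""
    names: Dict[str, str] = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group("alias")] = m.group("ip")
    return names


def resolve(token: str, names: Dict[str, str]) -> str:
    """Turn an alias (e.g. Europa) into its IP; plain IPs pass through."""
    return names.get(token, token)


def parse_statics(config: str, names: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {real_ip: (mapped_ip, interface_on_which_mapped_ip_is_seen)}."""
    statics: Dict[str, Tuple[str, str]] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real = resolve(m.group("local"), names)
            statics[real] = (resolve(m.group("global"), names), m.group("low"))
    return statics


def parse_access_groups(config: str) -> Dict[str, str]:
    """Return {acl_name: interface} for every 'access-group ... in interface'."""
    groups: Dict[str, str] = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            groups[m.group("acl")] = m.group("iface")
    return groups


def find_real_address_entries(config: str) -> List[dict]:
    """Flag 'host X' ACL entries where X is a static's real address and the
    ACL is applied on the interface where only the mapped address is valid."""
    names = parse_names(config)
    statics = parse_statics(config, names)
    groups = parse_access_groups(config)
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if not m or m.group("acl") not in groups:
            continue  # unapplied ACLs cannot cause the symptom
        iface = groups[m.group("acl")]
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok != "host":
                continue
            addr = resolve(tokens[i + 1], names)
            if addr in statics and statics[addr][1] == iface:
                mapped = statics[addr][0]
                fixed = tokens[:]
                fixed[i + 1] = mapped
                findings.append({"line": line, "interface": iface,
                                 "real": addr, "mapped": mapped,
                                 "suggested": " ".join(fixed)})
    return findings


def apply_fixes(config: str) -> str:
    """Return the config with every flagged entry rewritten to the mapped address."""
    fixes = {f["line"]: f["suggested"] for f in find_real_address_entries(config)}
    return "\n".join(fixes.get(l.strip(), l) for l in config.splitlines()) + "\n"


if __name__ == "__main__":
    for f in find_real_address_entries(SAMPLE_CONFIG):
        print(f"ACL on '{f['interface']}' uses real address {f['real']}; "
              f"PIX 6.x expects mapped address {f['mapped']}")
        print("  found:     " + f["line"])
        print("  suggested: " + f["suggested"])
```

Running it against the sample reports the single ACL line and suggests `host 10.11.12.88`, which is the change the reply above recommends. Fixing the ACL does not address the separate point raised earlier in the thread (a second NAT device in front of the 10.11.12.x outside network); that has to be checked on the upstream router.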
 