Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Trouble getting from dmz to internal on PIX 515E

Status
Not open for further replies.

hx009

Programmer
Jul 24, 2002
3
US
I'm a complete newbie when it comes to configuring a Cisco PIX and have been trying to figure this problem out for days. Basically, the network is setup like:

62.3.2.x - outside addresses (not my actual addresses, just an example)
192.168.3.x - dmz addresses
192.168.2.x - internal addresses

I have a web server at address 192.168.2.2 in the DMZ, and I can see it both from the internet and the internal network, which is what I want. I also have FTP server on the internal network at 192.168.3.4. I basically need the web server to see the FTP server only on port 21. I cannot figure it out for the life of me, but I thought doing the following would work:

static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.3.4 eq ftp any

I am also aware that the conduit command is being phased out. However, it's what the original person was using, and I don't know enough to deviate. Below is my entire configuration (IPs and passwords have been changed to protect the innocent :) ).

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixwall
domain-name cgginc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
pager lines 24
logging timestamp
logging console alerts
logging buffered debugging
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 62.3.2.162 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 62.3.2.171-62.3.2.189 netmask 255.255.255.224
global (outside) 1 62.3.2.190 netmask 255.255.255.224
global (dmz) 1 192.168.2.10-192.168.2.11 netmask 255.255.255.0
global (dmz) 1 192.168.2.254 netmask 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
static (dmz,outside) 62.3.2.163 192.168.2.2 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.164 192.168.2.3 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.165 192.168.2.4 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.166 192.168.2.5 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.167 192.168.2.6 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.168 192.168.2.7 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.169 192.168.2.8 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.170 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
conduit permit tcp host 62.3.2.163 eq smtp any
conduit permit tcp host 62.3.2.163 eq ftp any
conduit permit tcp host 62.3.2.163 eq pop3 any
conduit permit tcp host 62.3.2.163 eq conduit permit tcp host 62.3.2.164 eq conduit permit tcp host 62.3.2.165 eq conduit permit tcp host 62.3.2.165 eq 81 any
conduit permit tcp host 62.3.2.165 eq 5631 any
conduit permit udp host 62.3.2.165 eq 5632 any
conduit permit tcp host 62.3.2.166 eq 81 any
conduit permit tcp host 62.3.2.166 eq conduit permit tcp host 62.3.2.167 eq conduit permit tcp host 62.3.2.167 eq smtp any
conduit permit tcp host 62.3.2.167 eq pop3 any
conduit permit tcp host 62.3.2.167 eq ftp any
conduit permit tcp host 62.3.2.168 eq ftp any
conduit permit tcp host 62.3.2.168 eq pop3 any
conduit permit tcp host 62.3.2.168 eq conduit permit tcp host 62.3.2.168 eq smtp any
conduit permit tcp host 192.168.3.4 eq ftp any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 62.3.2.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
 
... You might check the port usage for FTP, which uses more than the base port. After establishing the connection using the well-known port, it communicates with other ports.

This makes FTP a little harder to control. The key is that there may be more than the one well-known port involved.

Yours,
Mike
 
Hi hx009,

Firstly - yes you are right that conduit commands are going to be phased out, and will be replaced by ACL commands (Access Control Lists), What I would suggest you do first is have a look at the following url's, which hopefully will guide you to your answer:


I hope this helps...
 
The port is not the issue. I know that using the built-in named port "ftp" is sufficient to let ftp traffic through, because if you look at the rest of my config, this line:

conduit permit tcp host 62.3.2.163 eq ftp any

works like a champ to allow outside -> dmz ftp traffic through. Also, while I'm more than aware the conduit command is being phased out, I just started configuring Cisco products yesterday, and do not wish to deviate from the command structure that a "professional" used to set this firewall up (unless someone responds with a complete answer :) ).
 
static (inside,dmz) 192.168.3.4 192.168.3.4 netmask 255.255.255.255

conduit permit tcp host 192.168.3.4 eq 21 host 192.168.2.2

These command worked for me because I had the same situation as you , I hope this is not too late

Regards
123Series
 
Excuse me buddy!! I'm new on this and i've been comparing your pix configuration with the mine (I have Pix Version 6.1 (3)), and i saw one "dmz address" in yours.. Can you tell me what is it?
So i need to open some ports and limit some ip addresses too but i don't now how.

Another doubt... i don't have this line like you "global (outside) 1 62.3.2.171-62.3.2.189 netmask 255.255.255.224"
I get the follow line in my configuration: "global (outside) 1 69.04.09.06 without netmask beside itself ...

Can you help me please???

Thanks for your help.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top