I'm a complete newbie when it comes to configuring a Cisco PIX and have been trying to figure this problem out for days. Basically, the network is setup like:
62.3.2.x - outside addresses (not my actual addresses, just an example)
192.168.3.x - dmz addresses
192.168.2.x - internal addresses
I have a web server at address 192.168.2.2 in the DMZ, and I can see it both from the internet and the internal network, which is what I want. I also have FTP server on the internal network at 192.168.3.4. I basically need the web server to see the FTP server only on port 21. I cannot figure it out for the life of me, but I thought doing the following would work:
static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.3.4 eq ftp any
I am also aware that the conduit command is being phased out. However, it's what the original person was using, and I don't know enough to deviate. Below is my entire configuration (IPs and passwords have been changed to protect the innocent ).
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixwall
domain-name cgginc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
pager lines 24
logging timestamp
logging console alerts
logging buffered debugging
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 62.3.2.162 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 62.3.2.171-62.3.2.189 netmask 255.255.255.224
global (outside) 1 62.3.2.190 netmask 255.255.255.224
global (dmz) 1 192.168.2.10-192.168.2.11 netmask 255.255.255.0
global (dmz) 1 192.168.2.254 netmask 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
static (dmz,outside) 62.3.2.163 192.168.2.2 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.164 192.168.2.3 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.165 192.168.2.4 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.166 192.168.2.5 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.167 192.168.2.6 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.168 192.168.2.7 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.169 192.168.2.8 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.170 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
conduit permit tcp host 62.3.2.163 eq smtp any
conduit permit tcp host 62.3.2.163 eq ftp any
conduit permit tcp host 62.3.2.163 eq pop3 any
conduit permit tcp host 62.3.2.163 eq conduit permit tcp host 62.3.2.164 eq conduit permit tcp host 62.3.2.165 eq conduit permit tcp host 62.3.2.165 eq 81 any
conduit permit tcp host 62.3.2.165 eq 5631 any
conduit permit udp host 62.3.2.165 eq 5632 any
conduit permit tcp host 62.3.2.166 eq 81 any
conduit permit tcp host 62.3.2.166 eq conduit permit tcp host 62.3.2.167 eq conduit permit tcp host 62.3.2.167 eq smtp any
conduit permit tcp host 62.3.2.167 eq pop3 any
conduit permit tcp host 62.3.2.167 eq ftp any
conduit permit tcp host 62.3.2.168 eq ftp any
conduit permit tcp host 62.3.2.168 eq pop3 any
conduit permit tcp host 62.3.2.168 eq conduit permit tcp host 62.3.2.168 eq smtp any
conduit permit tcp host 192.168.3.4 eq ftp any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 62.3.2.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
62.3.2.x - outside addresses (not my actual addresses, just an example)
192.168.3.x - dmz addresses
192.168.2.x - internal addresses
I have a web server at address 192.168.2.2 in the DMZ, and I can see it both from the internet and the internal network, which is what I want. I also have FTP server on the internal network at 192.168.3.4. I basically need the web server to see the FTP server only on port 21. I cannot figure it out for the life of me, but I thought doing the following would work:
static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.3.4 eq ftp any
I am also aware that the conduit command is being phased out. However, it's what the original person was using, and I don't know enough to deviate. Below is my entire configuration (IPs and passwords have been changed to protect the innocent ).
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixwall
domain-name cgginc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
pager lines 24
logging timestamp
logging console alerts
logging buffered debugging
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 62.3.2.162 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 62.3.2.171-62.3.2.189 netmask 255.255.255.224
global (outside) 1 62.3.2.190 netmask 255.255.255.224
global (dmz) 1 192.168.2.10-192.168.2.11 netmask 255.255.255.0
global (dmz) 1 192.168.2.254 netmask 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
static (dmz,outside) 62.3.2.163 192.168.2.2 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.164 192.168.2.3 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.165 192.168.2.4 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.166 192.168.2.5 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.167 192.168.2.6 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.168 192.168.2.7 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.169 192.168.2.8 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.170 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
conduit permit tcp host 62.3.2.163 eq smtp any
conduit permit tcp host 62.3.2.163 eq ftp any
conduit permit tcp host 62.3.2.163 eq pop3 any
conduit permit tcp host 62.3.2.163 eq conduit permit tcp host 62.3.2.164 eq conduit permit tcp host 62.3.2.165 eq conduit permit tcp host 62.3.2.165 eq 81 any
conduit permit tcp host 62.3.2.165 eq 5631 any
conduit permit udp host 62.3.2.165 eq 5632 any
conduit permit tcp host 62.3.2.166 eq 81 any
conduit permit tcp host 62.3.2.166 eq conduit permit tcp host 62.3.2.167 eq conduit permit tcp host 62.3.2.167 eq smtp any
conduit permit tcp host 62.3.2.167 eq pop3 any
conduit permit tcp host 62.3.2.167 eq ftp any
conduit permit tcp host 62.3.2.168 eq ftp any
conduit permit tcp host 62.3.2.168 eq pop3 any
conduit permit tcp host 62.3.2.168 eq conduit permit tcp host 62.3.2.168 eq smtp any
conduit permit tcp host 192.168.3.4 eq ftp any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 62.3.2.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx