Trouble getting from dmz to internal on PIX 515E

hx009 (Programmer, US)
Jul 24, 2002
I'm a complete newbie when it comes to configuring a Cisco PIX and have been trying to figure this problem out for days. Basically, the network is set up like:

62.3.2.x - outside addresses (not my actual addresses, just an example)
192.168.3.x - dmz addresses
192.168.2.x - internal addresses

I have a web server at address 192.168.2.2 in the DMZ, and I can see it both from the internet and the internal network, which is what I want. I also have an FTP server on the internal network at 192.168.3.4. I basically need the web server to see the FTP server only on port 21. I cannot figure it out for the life of me, but I thought doing the following would work:

static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.3.4 eq ftp any

I am also aware that the conduit command is being phased out. However, it's what the original person was using, and I don't know enough to deviate. Below is my entire configuration (IPs and passwords have been changed to protect the innocent :) ).

PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password xxxxxxx encrypted
passwd xxxxxxx encrypted
hostname pixwall
domain-name cgginc.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
pager lines 24
logging timestamp
logging console alerts
logging buffered debugging
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 62.3.2.162 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 62.3.2.171-62.3.2.189 netmask 255.255.255.224
global (outside) 1 62.3.2.190 netmask 255.255.255.224
global (dmz) 1 192.168.2.10-192.168.2.11 netmask 255.255.255.0
global (dmz) 1 192.168.2.254 netmask 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
static (dmz,outside) 62.3.2.163 192.168.2.2 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.164 192.168.2.3 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.165 192.168.2.4 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.166 192.168.2.5 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.167 192.168.2.6 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.168 192.168.2.7 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.169 192.168.2.8 netmask 255.255.255.255 0 0
static (dmz,outside) 62.3.2.170 192.168.2.9 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
conduit permit tcp host 62.3.2.163 eq smtp any
conduit permit tcp host 62.3.2.163 eq ftp any
conduit permit tcp host 62.3.2.163 eq pop3 any
conduit permit tcp host 62.3.2.163 eq
conduit permit tcp host 62.3.2.164 eq
conduit permit tcp host 62.3.2.165 eq
conduit permit tcp host 62.3.2.165 eq 81 any
conduit permit tcp host 62.3.2.165 eq 5631 any
conduit permit udp host 62.3.2.165 eq 5632 any
conduit permit tcp host 62.3.2.166 eq 81 any
conduit permit tcp host 62.3.2.166 eq
conduit permit tcp host 62.3.2.167 eq
conduit permit tcp host 62.3.2.167 eq smtp any
conduit permit tcp host 62.3.2.167 eq pop3 any
conduit permit tcp host 62.3.2.167 eq ftp any
conduit permit tcp host 62.3.2.168 eq ftp any
conduit permit tcp host 62.3.2.168 eq pop3 any
conduit permit tcp host 62.3.2.168 eq
conduit permit tcp host 62.3.2.168 eq smtp any
conduit permit tcp host 192.168.3.4 eq ftp any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 62.3.2.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
 
Hi.

* This is OK:
static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0

* This is not:
conduit permit tcp host 192.168.3.4 eq ftp any

The correct syntax is:
conduit permit tcp host 192.168.2.10 eq ftp host 192.168.2.2


* You should try not to allow traffic initiated from the dmz to the inside network for obvious security reasons.
You should plan for a better solution.

Bye
Yizhar Hurwitz
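As an added illustration of the reply's point and of the original poster's attempt (this is example code written for this page, not from either poster or from Cisco), a small Python model of how a PIX 6.x checks a DMZ-to-inside connection: first the static translation for the dialled address, then a conduit written against the global (translated) address. The two-step logic is a deliberate simplification, and the addresses are taken from the thread as constructed inputs.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Static:
    high_if: str    # interface where the real host lives (inside)
    low_if: str     # lower-security interface that sees the translation (dmz)
    global_ip: str  # translated address, as written in the static command
    local_ip: str   # real address of the host on high_if


@dataclass(frozen=True)
class Conduit:
    proto: str
    dest: str       # "any", or host/network the conduit is written against
    port: int
    src: str        # "any", or host/network of the permitted initiator


def _match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def evaluate(statics, conduits, src_if, src_ip, dst_ip, proto, port):
    """Return (allowed, reason) for a flow arriving on src_if toward dst_ip,
    where dst_ip is the address the client actually dials (the translated one)."""
    # Step 1: a flow into a higher-security interface needs a static whose
    # global address, as seen from src_if, is the destination being dialled.
    xlate = next((s for s in statics
                  if s.low_if == src_if and s.global_ip == dst_ip), None)
    if xlate is None:
        return False, f"no static translation for {dst_ip} on {src_if}"
    # Step 2: a conduit must permit the flow; on PIX 6.x it is written against
    # the global (translated) address, not the real inside address.
    for c in conduits:
        if (c.proto == proto and c.port == port
                and _match(c.dest, dst_ip) and _match(c.src, src_ip)):
            return True, f"permitted by conduit, forwarded to {xlate.local_ip}"
    return False, f"static to {xlate.local_ip} exists, no conduit for {proto}/{port}"


# Constructed from the thread: the static both posters agree on, the poster's
# conduit (written against the real address) and the reply's corrected one.
STATICS = [Static("inside", "dmz", "192.168.2.10", "192.168.3.4")]
OP_CONDUIT = Conduit("tcp", "192.168.3.4/32", 21, "any")
FIXED_CONDUIT = Conduit("tcp", "192.168.2.10/32", 21, "192.168.2.2/32")

if __name__ == "__main__":
    for label, cs in (("original", [OP_CONDUIT]), ("corrected", [FIXED_CONDUIT])):
        for src in ("192.168.2.2", "192.168.2.3"):
            print(label, src, evaluate(STATICS, cs, "dmz", src, "192.168.2.10", "tcp", 21))
```

Run as-is, the original conduit denies the web server whether it dials the real or the translated address, while the corrected one admits only 192.168.2.2 to port 21 and nothing else from the DMZ.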
 