topic Re: FTP behind a PIX 501 in Network Security

FTP behind a PIX 501

wilsonargroup — Mon, 11 Mar 2019 10:35:41 GMT

The answer to my problem is probably hidden among the hundreds of discussions already posted, so I apologize for my lack of experience/knowledge of networking, servers and all that.

I'm having several problems and all appear to point to the configuration of my PIX 501. Let's deal with this one first...Using Windows SBS 2003, I have set up an FTP site for my company. It works great internally, but no one outside of the company can access the file(s) that I want them to. I am aware that Port 21 needs to be open for FTP and I'm pretty sure that it's enabled.

If this isn't enough information, please let me know so I can provide more details.

Re: FTP behind a PIX 501

acomiskey — Tue, 26 Jun 2007 12:44:48 GMT

That's almost enough information. I assume they are attempting to access it via a public ip address or the outside address of your pix? If you want to, post a config, minus passwords etc. Let us know the inside ftp server address and the address outside users will use to access it.

Re: FTP behind a PIX 501

wilsonargroup — Tue, 26 Jun 2007 12:58:18 GMT

Thanks for the response. I'll paste the config at the bottom of this response. More questions though...I think your response has raised the question of whether I actually have the site set up properly. The inside address is 10.0.0.2. I wasn't aware that the outside users required an address. Can you help me with that issue?? Here's the PIX config:

Building configuration...

: Saved

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password (.........)encrypted

passwd (.........)encrypted

hostname pixfirewall

domain-name wilsonargroup.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inbound permit tcp any host 65.65.172.58 eq www

access-list inbound permit tcp any host 65.65.172.58 eq smtp

access-list inbound permit icmp any any echo-reply

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 65.65.172.57 255.255.255.248

ip address inside 10.0.0.1 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

pdm location 10.0.0.2 255.255.255.255 inside

pdm location 206.126.51.0 255.255.255.192 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 65.65.172.58 www 10.0.0.2 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.65.172.58 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 65.65.172.62 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 206.126.51.0 255.255.255.192 outside

http 10.0.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.0.0.0 255.255.0.0 inside

telnet timeout 5

ssh 206.x.x.0 255.255.255.192 outside

ssh timeout 5

console timeout 0

username admin password (......)

encrypted privilege 15

terminal width 80

Cryptochecksum:xxx

: end

[OK]

Re: FTP behind a PIX 501

acomiskey — Tue, 26 Jun 2007 13:02:30 GMT

User's on the outside will not be able to access ftp://10.0.0.2 as that is not a routable internet address.

This will work for ftp the same as it is now working for your www and smtp servers. They are accessed via 65.65.172.58.

So, if you wanted to do ftp://65.65.172.58, you would need to add...

access-list inbound permit tcp any host 65.65.172.58 eq ftp

static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0

Does that help?

Re: FTP behind a PIX 501

wilsonargroup — Tue, 26 Jun 2007 13:19:42 GMT

Great! I'll have to figure out how to add the line, but I'm sure I can figure it out. I'm new to this Admin role. I was sort of drafted into it a few months ago. I'll do another post if I have any problems.

Thanks for all of your help.

Re: FTP behind a PIX 501

wilsonargroup — Tue, 26 Jun 2007 13:50:17 GMT

Okay. It's a bit more complicated than I thought. I found the *.txt file and made the changes per your suggestion. I saved the file, but it hasn't changed on the PIX. Does something need to be rebooted??

Re: FTP behind a PIX 501

acomiskey — Tue, 26 Jun 2007 14:04:00 GMT

What .txt file?

How did you get the config out of the firewall? Are you connected to the console port?

Re: FTP behind a PIX 501

wilsonargroup — Tue, 26 Jun 2007 14:08:09 GMT

All of our equipment was set up by an outside vendor. After the sale, they abandoned me. I've been digging around in the system to figure out most stuff on my own.

The installer left a text file on the server and I assumed that was where the PIX got it's information. Just digging a bit more, I found that not to be true. I sent you the copy that he left on the machine. Just a few moments ago, I viewed the actual file, but I don't know how to add the lines now.

Re: FTP behind a PIX 501

acomiskey — Tue, 26 Jun 2007 14:15:02 GMT

You should be able to telnet to the inside address from a machine on the 10.0.0.0 network.

1. telnet 10.0.0.1

2. login

pixfirewall > en

Password: ******* (enable password here)

pixfirewall # config t

pixfirewall(config) # access-list inbound permit tcp any host 65.65.172.58 eq ftp

pixfirewall(config) # static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0

pixfirewall(config) # exit

pixfirewall # wr mem

pixfirewall # exit

Please rate if these help.

Re: FTP behind a PIX 501

wilsonargroup — Tue, 26 Jun 2007 16:18:33 GMT

I made a couple of errors. The original config that I sent was apparently wrong. I'm resending an excerpt from the correct config with the changes that you suggested. Note that one line

"static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0"

has the IP address as 65.65.172.58 (my goof). I believe it should have been 65.65.172.57. Is it possible to change that one line? If so, how?

object-group service wag tcp

port-object eq telnet

port-object eq www

port-object eq https

port-object eq smtp

access-list inbound permit icmp any any echo-reply

access-list inbound permit tcp any host 65.65.172.57 eq www

access-list inbound permit tcp any host 65.65.172.57 eq https

access-list inbound permit tcp any host 65.65.172.57 eq smtp

access-list inbound permit tcp any host 65.65.172.57 eq ftp

access-list inside_outbound_nat0_acl permit ip any 192.168.99.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any 192.168.99.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 65.65.172.58 255.255.255.248

ip address inside 10.0.0.1 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpn_pool 192.168.99.1-192.168.99.254

pdm location 10.0.0.2 255.255.255.255 inside

pdm location 206.126.51.0 255.255.255.192 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 65.65.172.57

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp 65.65.172.57 www 10.0.0.2 www netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.65.172.57 https 10.0.0.2 https netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.65.172.57 smtp 10.0.0.2 smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255 0 0

access-group inbound in interface outside

Re: FTP behind a PIX 501

acomiskey — Tue, 26 Jun 2007 16:28:30 GMT

pixfirewall(config) # no static (inside,outside) tcp 65.65.172.58 ftp 10.0.0.2 ftp netmask 255.255.255.255

pixfirewall(config) # static (inside,outside) tcp 65.65.172.57 ftp 10.0.0.2 ftp netmask 255.255.255.255

Re: FTP behind a PIX 501

wilsonargroup — Tue, 26 Jun 2007 17:35:48 GMT

I've gotten this all done, but still can't access my FTP site. I'm about to start all over again with creating a new site. I welcome any other ideas or suggestions.

Re: FTP behind a PIX 501

acomiskey — Tue, 26 Jun 2007 17:38:47 GMT

Um, it does work. Are you sure you tried ftp 65.65.172.57 from OUTSIDE, not from inside?

If you are trying from inside the pix you need to do ftp 10.0.0.2.

Re: FTP behind a PIX 501

wilsonargroup — Tue, 26 Jun 2007 17:46:29 GMT

Well...I'm going by what my test person told me. Let me have them try again.

Re: FTP behind a PIX 501

wilsonargroup — Tue, 26 Jun 2007 17:55:06 GMT

Well, again my person says that all he see's is a blank page. It said it was getting contents of the folder, but nothing ever happens. As a matter of fact, when I key in ftp://65.65.172.57, all I get is that blank page. Are you actually able to see the file that I have in that directory?

Re: FTP behind a PIX 501

acomiskey — Tue, 26 Jun 2007 18:00:26 GMT

If you have them open a command prompt and type

C:\>ftp 65.65.172.57

They will be prompted for Username and password.(this means that the pix is working)

If you do this via the web browser, ftp://65.65.172.57, go up to File and select "login as".

Re: FTP behind a PIX 501

wilsonargroup — Thu, 28 Jun 2007 12:21:48 GMT

I forgot to post that my FTP problem has been resolved. Thanks for all the time you spent helping/teaching me how to configure my PIX.

Re: FTP behind a PIX 501

acomiskey — Thu, 28 Jun 2007 12:30:52 GMT

wilsonargroup, glad it worked out, please check that not just anyone can access your ftp site and files.

Re: FTP behind a PIX 501

wilsonargroup — Thu, 28 Jun 2007 12:50:25 GMT

Well, that's what I'm researching now. Currently, anyone who knows the URL has access to the files.