12-26-2006 03:54 PM - edited 03-11-2019 02:12 AM
Hello all:
I am in the initial stages of setting up an FTP server in our network which will need to be accessible from the outside and through our PIX. Is there any tutorial or article that anyone knows about which could guide me through the PIX portion of it to ensure it has the right settings to allow connections through and data to be sent back to clients?
Thanks,
John
12-26-2006 05:29 PM
The common way to allow outsider/internet users to access your FTP server is via this method:
1. Map your internal FTP Server to a dedicated Public IP Address to enable internet users to access your FTP server.
You can either use dedicated public IP (preferred), or use PIX Outside interface IP with port re-direction.
2. Configure/add access-list (ACL) on the PIX Outside interface allowing any or specific external IP to access to your FTP server via its Public IP.
Example:
Internal FTP Server IP: 10.10.10.10
Public IP: 192.168.100.10
a. Mapping internal FTP Server on Inside segment (same if it's in DMZ)
static (inside,outside) 192.168.100.10 10.10.10.10 netmask 255.255.255.255
b. Create/add ACL & bind to Outside interface
access-list outside-access_in permit icmp any host 192.168.100.10 --> allow PING to test FTPsvr reachability. Remove after the test.
access-list outside-access_in permit tcp any host 192.168.100.10 eq 21
access-list outside-access_in deny ip any any
access-group outside-access_in in interface outside --> bind ACL to Outside interface
* Make sure your PIX set the default route correctly to the Internet router
The return traffic back to clients normally has no issue with PIX as it'll keep the connection/session status in its state table.
You can test the reachability/connectivity between client and server using the above ping (ICMP) test.
PIX's doc on allowing inbound connection:
HTH
AK
12-27-2006 08:15 AM
Matee,
I would add one note to this:
Make sure that application inspection is enabled for FTP.
The command will be: "fixup protocol ftp 21" if you are using PIX OS 6.X.X (http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a8.html#wp1067379) and will be "inspect ftp" if you are using PIX OS 7.X.X (http://www.cisco.com/en/US/products/ps6120/products_command_reference_chapter09186a008063f0e8.html#wp1664935).
This will be needed to make sure that your PIX will allow both Active and passive FTP.
Hope this helps.
Cheers.
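An added check that is not from either reply or from Cisco: a small Python audit over a PIX configuration text that verifies the steps AK listed (static mapping, an ACL bound inbound on outside that permits tcp/21 to the public IP, the ICMP test rule removed afterwards) together with the FTP inspection the follow-up reply asks for. The sample configuration, the function name audit_ftp_publish and the finding strings are constructed for this example.

```python
import re

# Constructed sample in PIX 6.x syntax, built from the commands in this thread
# (not a real device dump); the ICMP test rule is deliberately left in.
SAMPLE_CONFIG = """
static (inside,outside) 192.168.100.10 10.10.10.10 netmask 255.255.255.255
access-list outside-access_in permit icmp any host 192.168.100.10
access-list outside-access_in permit tcp any host 192.168.100.10 eq 21
access-list outside-access_in deny ip any any
access-group outside-access_in in interface outside
"""

STATIC_RE = re.compile(r"^static \(\s*\w+\s*,\s*\w+\s*\)\s+(\S+)\s+(\S+)")
BIND_RE = re.compile(r"^access-group (\S+) in interface outside$")
INSPECT_CMDS = ("fixup protocol ftp 21", "inspect ftp")  # 6.x / 7.x forms


def audit_ftp_publish(config, public_ip):
    """Return findings for an FTP server published at public_ip; [] means
    every step from the thread is present and the ICMP test rule is gone."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    ip = re.escape(public_ip)
    findings = []
    # Step 1: static NAT mapping of the public IP to the internal server.
    statics = [STATIC_RE.match(l) for l in lines]
    if not any(m and m.group(1) == public_ip for m in statics):
        findings.append(f"missing static mapping for {public_ip}")
    # Step 2: an ACL must be bound inbound on the outside interface.
    bound = [BIND_RE.match(l) for l in lines if BIND_RE.match(l)]
    if not bound:
        findings.append("no access-group bound inbound on interface outside")
        return findings
    acl = [l for l in lines if l.startswith(f"access-list {bound[-1].group(1)} ")]
    # The FTP control channel (tcp/21) must be permitted to the public IP.
    if not any(re.search(rf"permit tcp .* host {ip} eq (21|ftp)$", l) for l in acl):
        findings.append(f"no permit for tcp/21 to {public_ip}")
    # The ICMP rule is only for the reachability test; flag it if still present.
    if any(re.search(rf"permit icmp .* host {ip}", l) for l in acl):
        findings.append("icmp test rule still present; remove it after testing")
    # Step 3 (second reply): FTP inspection so the data channel is tracked.
    # 'inspect ftp' sits indented under a policy-map on 7.x; strip() covers that.
    if not any(l in INSPECT_CMDS for l in lines):
        findings.append("ftp inspection not enabled (fixup protocol ftp 21 / inspect ftp)")
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_publish(SAMPLE_CONFIG, "192.168.100.10"):
        print("FINDING:", finding)
```

Run it against a saved `show running-config` to see which of the thread's steps are still missing; an empty list is the target state.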