How to configure a Cisco Pix 501 (version 6.3) firewall to allow large backups to remote server?
04-01-2013 11:56 AM - edited 03-11-2019 06:22 PM
Do you use an exclude command? aaa authentication? permit? or .....? Not sure. Port 21 is used for FTP and this is how the files will be sent to the remote server. So allow certain programs to access this port, that will be doing the backups? Or create a trusted list of programs that bypass the firewall?
Command line interface
Labels: NGFW Firewalls

04-01-2013 08:15 PM
If you just want to allow FTP for the backup to remote server, then you just have to configure access-list on TCP/21 to allow it through (assuming that you do have access-list applied to the interface). I also assume that fixup for ftp has already been allowed?
04-03-2013 09:02 AM
Thanks for your answer.
I haven't done anything to this firewall to set it up yet. This will be a first for me setting something like this up.
Steps:
First apply an access-list to the interface,
Second, configure port tcp/21 to allow large data to be sent through.
Allow fixup
Commands:
access-list acl_out permit tcp any host 209.165.201.1 eq ftp
fixup protocol ftp 21
Am I in the ballpark with these commands?

04-03-2013 02:09 PM
Can you please share your current firewall config to help further. If you have existing ACL in place then you would need to use the same name.
If you can also advise what is the IP Address of the local host and remote server for the FTP connection, that would be great.
Basically, depending on whether the connection is inbound or outbound and if you already have any ACL configured on the PIX, the config might be different. Fixup protocol for ftp should already be enabled by default unless it was turned off.
04-03-2013 03:31 PM
PIX Version 6.3(5)
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name server
object-group service SErverRDP tcp
port-object range 3389 3389
port-object range https https
port-object range www www
object-group service server tcp-udp
port-object range 443 443
port-object range www www
access-list PIXACL permit tcp any any range 1100 1110
access-list PIXACL permit tcp any any range 1500 2700
access-list PIXACL permit tcp any any eq 14000
access-list PIXACL permit tcp host server any eq ftp
access-list PIXACL permit tcp host server any eq pptp
access-list PIXACL permit tcp any any eq www
access-list PIXACL permit tcp any any eq https
access-list PIXACL permit tcp any any eq pop3
access-list PIXACL permit tcp any any eq smtp
access-list PIXACL permit tcp any any eq domain
access-list PIXACL permit udp any any eq domain
access-list PIXACL permit tcp any any eq 5003
access-list PIXACL permit udp any any eq 5003
access-list PIXACL deny ip any any
access-list PIXACL deny tcp any any eq 0
access-list PIXACL deny udp any any eq 0
access-list support permit tcp 207.225.171.64 255.255.255.224 host 70.56.43.43 eq 3389
access-list support permit tcp 207.225.171.64 255.255.255.224 host 70.56.43.43 eq pcanywhere-data
access-list support permit udp 207.225.171.64 255.255.255.224 host 70.56.43.43 eq pcanywhere-status
access-list support permit tcp 216.142.180.0 255.255.255.0 host 70.56.43.43 eq pcanywhere-data
access-list support permit udp 216.142.180.0 255.255.255.0 host 70.56.43.43 eq pcanywhere-status
access-list support permit tcp 216.142.180.0 255.255.255.0 host 70.56.43.43 eq 3389
access-list support deny ip any any
access-list support deny tcp any any eq 0
access-list support deny udp any any eq 0
pager lines 24
logging on
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location 65.122.12.0 255.255.254.0 outside
pdm location server 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 70.56.43.44
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) server netmask 255.255.255.255 0 255
access-group support in interface outside
access-group PIXACL in interface inside
route outside 0.0.0.0 0.0.0.0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
[OK]
I am using Amazon S3 for the backup site.

04-03-2013 03:34 PM
Based on your current config, if you are trying to FTP from "server" towards Amazon S3, then that FTP traffic has been configured to allow that access.
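As an added illustration (not from any post in this thread), the script below replays the PIXACL and support access-lists from the posted config with the first-match semantics a PIX uses, so the point made in the replies can be checked offline: only the host named "server" is allowed out on tcp/21, any other inside host falls through to the deny ip any any line, and the FTP data channel is not in the static list at all, which is what fixup protocol ftp 21 exists for. The address assigned to the name "server" and the backup-target address are constructed stand-ins, since the posted config blanks the real ones out.

```python
"""Offline first-match evaluation of the PIX 6.3 access-lists posted in this thread.

A PIX walks an access-list top to bottom; the first matching entry decides,
and a flow that matches nothing hits the implicit deny at the end.
"""
import ipaddress

# The posted config hides the real address behind the name "server";
# this RFC 1918 address is a constructed stand-in, not taken from the thread.
NAMES = {"server": "192.168.2.10"}

# Service keywords used by the posted ACLs in 'eq' clauses, mapped to ports.
PORT_NAMES = {
    "ftp": 21, "smtp": 25, "domain": 53, "www": 80, "pop3": 110,
    "https": 443, "pptp": 1723, "pcanywhere-data": 5631,
    "pcanywhere-status": 5632,
}

# Inside ACL exactly as posted (applied with: access-group PIXACL in interface inside).
PIXACL = """
access-list PIXACL permit tcp any any range 1100 1110
access-list PIXACL permit tcp any any range 1500 2700
access-list PIXACL permit tcp any any eq 14000
access-list PIXACL permit tcp host server any eq ftp
access-list PIXACL permit tcp host server any eq pptp
access-list PIXACL permit tcp any any eq www
access-list PIXACL permit tcp any any eq https
access-list PIXACL permit tcp any any eq pop3
access-list PIXACL permit tcp any any eq smtp
access-list PIXACL permit tcp any any eq domain
access-list PIXACL permit udp any any eq domain
access-list PIXACL permit tcp any any eq 5003
access-list PIXACL permit udp any any eq 5003
access-list PIXACL deny ip any any
access-list PIXACL deny tcp any any eq 0
access-list PIXACL deny udp any any eq 0
"""

# Outside ACL as posted, with the terminal line wraps rejoined
# (applied with: access-group support in interface outside).
SUPPORT = """
access-list support permit tcp 207.225.171.64 255.255.255.224 host 70.56.43.43 eq 3389
access-list support permit tcp 207.225.171.64 255.255.255.224 host 70.56.43.43 eq pcanywhere-data
access-list support permit udp 207.225.171.64 255.255.255.224 host 70.56.43.43 eq pcanywhere-status
access-list support permit tcp 216.142.180.0 255.255.255.0 host 70.56.43.43 eq pcanywhere-data
access-list support permit udp 216.142.180.0 255.255.255.0 host 70.56.43.43 eq pcanywhere-status
access-list support permit tcp 216.142.180.0 255.255.255.0 host 70.56.43.43 eq 3389
access-list support deny ip any any
"""


def _port(token):
    """Resolve a service keyword or a numeric port string to an int."""
    return PORT_NAMES.get(token) or int(token)


def _take_addr(tokens):
    """Consume one address spec ('any', 'host X', or 'NET MASK'); return a network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        h = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(h, h) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{NAMES.get(head, head)}/{mask}", strict=False)


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq P | range A B]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        _, _name, action, proto = tokens[:4]
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        lo, hi = 0, 65535  # no port clause means any destination port
        if rest and rest[0] == "eq":
            lo = hi = _port(rest[1])
        elif rest and rest[0] == "range":
            lo, hi = _port(rest[1]), _port(rest[2])
        aces.append((action, proto, src, dst, lo, hi))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, lo, hi in aces:
        if p != "ip" and p != proto:
            continue
        if s in src and d in dst and lo <= dst_port <= hi:
            return action
    return "deny"  # implicit deny at the end of every access-list


def ftp_control_and_data(aces, client_ip, remote_ip, data_port):
    """Static verdicts for the FTP control channel and a passive-mode data channel.

    The ACL only names tcp/21. A passive data connection goes to a high port
    chosen by the remote server, so the static list denies it; on the PIX it
    gets through only because 'fixup protocol ftp 21' reads the control
    channel and opens that port dynamically.
    """
    return (evaluate(aces, "tcp", client_ip, remote_ip, 21),
            evaluate(aces, "tcp", client_ip, remote_ip, data_port))


if __name__ == "__main__":
    inside, outside = parse_acl(PIXACL), parse_acl(SUPPORT)
    target = "203.0.113.9"  # constructed documentation address for the backup site
    print("server -> backup ftp control:", evaluate(inside, "tcp", NAMES["server"], target, 21))
    print("other inside host -> ftp    :", evaluate(inside, "tcp", "192.168.2.11", target, 21))
    print("control/data, static only   :", ftp_control_and_data(inside, NAMES["server"], target, 50000))
    print("support net -> RDP inbound  :", evaluate(outside, "tcp", "207.225.171.70", "70.56.43.43", 3389))
    print("other source -> RDP inbound :", evaluate(outside, "tcp", "198.51.100.9", "70.56.43.43", 3389))
```

Run it as-is to see the verdicts; swap the stand-in address in NAMES for the real one to test against your own PIX config.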
04-05-2013 12:41 PM
Thank you for your help.
I will try to run this operation today and see if it was user error on the first try.
