02-05-2003 02:02 PM - edited 02-20-2020 10:32 PM
Hi everyone. I've installed a Cisco PIX 515E firewall and everything was perfect. Suddenly, I found that I am not able to download anything from FTP sites in my inside network (I was able to when I first installed it and I didn't change anything). I have an ISA server behind my firewall. If I disable the proxy settings from an inside workstation the download works fine. Is it possible that there is some problem when we connect the PIX to ISA? I had the ISA before the PIX and everything was working fine. On the ISA server itself I can download anything I want. The PIX is the gateway for the ISA server. I tried using the "no fixup protocol ftp 21" but didn't get any results. By the way, I haven't used the DMZ yet (my mail server is currently in the inside part).
Please advise me. Below are the headlines of the configuration. Thanks.
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol ftp 21
access-list smtp permit tcp any host <inside_mail_server_ip_address> eq smtp
global (outside) 1 <global_ip_address> netmask x.x.x.x
global (dmz) 1 z.z.z.z
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) <global_ip_address> <ISA_server_local_ip> netmask 255.255.255.255 0 0
static (inside,dmz) z.z.z.z <ISA_server_local_IP> netmask 255.255.255.255 0 0
access-group smtp in interface outside
route outside 0.0.0.0 0.0.0.0 <router_ip_address> 1
02-14-2003 07:57 AM
Check your access list and see if you are permitting FTP traffic.
02-14-2003 10:12 AM
Hello. The only access-list I am using is the one permitting smtp traffic to go inside to the mail server; it is shown in the posted configuration and it is working fine. Do I have to put an access-list to permit FTP traffic to the ISA server? If yes, what ports should I use other than port 21? Do I make the destination of the access-list the ISA server? Thanks.
02-14-2003 11:38 AM
If you are using 'no fixup protocol ftp 21', you are running into trouble.
Instead, set this command to 'fixup protocol ftp 21'
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/df.htm#1067379
Also, you could rename 'access-list smtp' to something less confusing like 'access-list outside_access'
and apply it to the outside interface with:
access-group outside_access in interface outside
access-list outside_access permit tcp any host <
access-group smtp in interface outside
static (interface of your isa server, outside)
Mike
02-14-2003 11:39 AM
Sorry, I made a mistake in the previous message.
The access-list should be
access-list outside_access permit tcp any host <
02-15-2003 12:40 PM
Hi.
> tried using the "no fixup protocol ftp 21"
This is wrong.
You should enable the fixup protocol ftp command because this command instructs the pix to monitor the ftp sessions, and open additional ports as needed for the data session.
You should try using syslog messages at the pix (I recommend starting with level 4 warnings), and see if the traffic is blocked at the pix or not.
> If I disable the proxy settings from an inside workstation the download works fine...
So the problem might be related to the ISA proxy configuration and not to the pix.
Check the ISA server event logs.
The problems might also be related to the following articles, but I would check the ISA proxy configuration first:
http://www.cisco.com/warp/public/110/2.html
http://www.cisco.com/warp/public/110/21.html
Bye
Yizhar Hurwitz
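To make concrete what the two replies above are saying about 'fixup protocol ftp 21', here is a small Python model of what the PIX FTP fixup does on the control channel. This is an added illustration, not code from the thread and not Cisco's implementation. It parses PORT commands (active mode) and 227 replies (passive mode), rewrites the inside address embedded in PORT using the static translation, and records the pinhole the outside server is then allowed to connect back through. It goes slightly beyond the thread by showing the passive case too, where the data connection is outbound and is permitted by the nat/global pair whether or not the fixup is on. The addresses 10.0.0.5 (inside client), 203.0.113.10 (its global address), 198.51.100.7 (outside FTP server) and the port numbers are constructed assumptions.

```python
import re
from ipaddress import IPv4Address

# Constructed example addresses (assumptions, not from the thread): the inside
# FTP client (the ISA server in the thread's setup) is 10.0.0.5, statically
# translated to 203.0.113.10; the outside FTP server is 198.51.100.7.
INSIDE_CLIENT = IPv4Address("10.0.0.5")
GLOBAL_CLIENT = IPv4Address("203.0.113.10")
FTP_SERVER = IPv4Address("198.51.100.7")
STATIC_NAT = {INSIDE_CLIENT: GLOBAL_CLIENT}   # models 'static (inside,outside) ...'

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """RFC 959 h1,h2,h3,h4,p1,p2 -> (IPv4Address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def encode_hostport(ip, port):
    """(IPv4Address, port) -> RFC 959 h1,h2,h3,h4,p1,p2."""
    return ",".join(str(ip).split(".") + [str(port // 256), str(port % 256)])


class FtpFixup:
    """Toy model of the PIX 'fixup protocol ftp 21' behaviour on one session."""

    def __init__(self, static_nat, enabled=True):
        self.static_nat = static_nat
        self.enabled = enabled
        # (global_ip, data_port) pairs the outside server may connect to,
        # opened only because the fixup saw a PORT command.
        self.pinholes = set()

    def client_to_server(self, line):
        """Control-channel line from the inside client; returns what the
        outside server actually receives after the PIX has handled it."""
        line = line.strip()
        m = PORT_RE.match(line)
        if not self.enabled or not m:
            # Fixup off: the PORT command is forwarded untouched, so the
            # server is told to connect to the client's private address.
            return line
        ip, port = decode_hostport(m.groups())
        global_ip = self.static_nat.get(ip, ip)
        self.pinholes.add((global_ip, port))
        return f"PORT {encode_hostport(global_ip, port)}"

    def server_to_client(self, line):
        """227 reply from the outside server; returns the data endpoint the
        client will dial (the fixup only needs to inspect, not rewrite, here)."""
        m = PASV_RE.match(line.strip())
        return decode_hostport(m.groups()) if m else None

    def permits(self, src, dst, dport):
        """Would the PIX accept this TCP SYN? Inside->outside is allowed by
        the nat/global pair; outside->inside only through a fixup pinhole,
        since the thread's only ACL permits smtp."""
        if src in self.static_nat:
            return True
        return (dst, dport) in self.pinholes


def simulate(active_mode, fixup_enabled):
    """Return True if the FTP data connection would be established."""
    pix = FtpFixup(STATIC_NAT, enabled=fixup_enabled)
    if active_mode:
        # Client listens on 10.0.0.5:52000 and asks the server to connect back.
        seen = pix.client_to_server(f"PORT {encode_hostport(INSIDE_CLIENT, 52000)}")
        ip, port = decode_hostport(PORT_RE.match(seen).groups())
        if ip != GLOBAL_CLIENT:
            return False        # server was given an RFC 1918 address: unreachable
        return pix.permits(FTP_SERVER, ip, port)
    # Passive: server names a port, client (inside) dials out to it.
    ip, port = pix.server_to_client("227 Entering Passive Mode (198,51,100,7,195,81)")
    return pix.permits(INSIDE_CLIENT, ip, port)


if __name__ == "__main__":
    for active in (True, False):
        for fixup in (True, False):
            mode = "active " if active else "passive"
            state = "on " if fixup else "off"
            print(f"{mode} FTP, fixup {state}: data connection {'OK' if simulate(active, fixup) else 'FAILS'}")
```

The table the script prints is the practical takeaway: with the fixup off, passive transfers still work because they are outbound, but any active-mode transfer fails twice over, once because the PORT command leaks the private address and once because nothing opens the return path.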