Solved: Re: pix 501 allowing access to ftp server

dagesh4 · ‎05-19-2004

Hi there

We have a pix 501 and one public ip address , I would like to access an ftp server on the internal network from the outside. I tried to configure it from the pdm by making a static nat which translate the ftp server address to the public address but then none of the network stations could go out - how should I configure it?

I would also like to know which ports should I open on the acl to allow access to the ftp server.

Thanks , Dagesh

micah · ‎05-20-2004

Yes, sorry... You need to use the host command for single addresses. Is the access-list applied to your outside interface?

for my example the command would be:

access-group acl_out in interface outside

Also, can you connect to the ftp server locally behind the firewall?

View solution in original post

micah · ‎05-19-2004

Below is an example syntax you can use to get this working.

static (inside,outside) tcp interface ftp 192.168.1.1 ftp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface ftp-data 192.168.1.1 ftp-data netmask 255.255.255.255 0 0

access-list acl_out permit tcp any x.x.x.x eq ftp

access-list acl_out permit tcp any x.x.x.x eq ftp-data

replace x.x.x.x with your static public ip or if it changes just make it any

dagesh4 · ‎05-19-2004

Thanks for the reply.

I wrote theses commands but when I wrote the acl command I got an error stating that the ip address is incorrect , so I wrote HOST before the ip and it worked but I still can't get access to the ftp server from the outside.

P.S: I forgot to mention that the pix is connected directly to adsl modem.

micah · ‎05-20-2004

Yes, sorry... You need to use the host command for single addresses. Is the access-list applied to your outside interface?

for my example the command would be:

access-group acl_out in interface outside

Also, can you connect to the ftp server locally behind the firewall?

dagesh4 · ‎05-20-2004

Thanks a lot ,it worked