I have a PIX 515 firewall and I have the following problem.
Consider the following:
inside interface: 1.1.1.1/24
DMZ interface: 2.2.2.1/24
outside interface: 3.3.3.1/24
Access-list 10 applied at the inside interface.
Access-list 6 applied at the DMZ interface.
Access-list 2 applied at the outside interface.
access-list 10 permit tcp any host 2.2.2.100 eq ftp
for example:
Client IP address 1.1.1.100 (inside)
Client IP address 3.3.3.100 (outside)
......
access-list 2 permit tcp any host 2.2.2.100 eq ftp
(ALL Inbound)
Any client from the inside subnet that tries to connect through the firewall to the FTP server (2.2.2.100) fails, and the reason Windows gives is "FTP Folder error: An error occurred opening that folder on the FTP server make sure you have permission to access that folder.
Details:
200 Type set to A.
200 port command successful
425 can't build data connection: connection refused
"
To solve this problem I do the following: I place this entry in access-list 6 (applied at the DMZ interface inbound):
access-list 6 permit ip host 2.2.2.100 host 1.1.1.100
and also see these two commands applied:
fixup protocol ftp 20
fixup protocol ftp 21
Meanwhile, traffic from the outside client can access this DMZ server without any problem and without any permit entry at the DMZ interface like "access-list 6 permit ip host 2.2.2.100 host 3.3.3.100".
Please, I need your help!