954 Views, 0 Helpful, 4 Replies

PIX 515E DMZ -> inside issue

jstary (Level 1)

I have a web server inside a DMZ and an FTP server on the inside interface...and I can't get the web server to connect to the FTP server. My config is:

ip address outside 62.3.2.162 255.255.255.224

ip address inside 192.168.3.1 255.255.255.0

ip address dmz 192.168.2.1 255.255.255.0

global (outside) 1 62.3.2.171-62.3.2.189 netmask 255.255.255.224

global (outside) 1 62.3.2.190 netmask 255.255.255.224

global (dmz) 1 192.168.2.10-192.168.2.11 netmask 255.255.255.0

global (dmz) 1 192.168.2.254 netmask 255.255.255.0

nat (inside) 1 192.168.3.0 255.255.255.0 0 0

static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0

conduit permit tcp host 192.168.3.4 eq ftp any

The web server is on the DMZ at address 192.168.2.10 and the FTP server is on the inside interface at 192.168.3.4. I figured if I had set up the static between them, and then a conduit to allow traffic on the ftp port, everything should be fine. Well, it just doesn't work. Any assistance would be greatly appreciated (aside from "use ACLs instead").

4 Replies

edadios (Cisco Employee)

Your global (dmz) 1 pool overlaps the static (inside,dmz).

Actually, the pix global pool is in conflict with the address of the server itself 192.168.2.10.

The pix would think it owns that ip address. So remove the .10 from the pool.

Regards,

Actually that line was removed already. It was just something I had tried. Sorry for the confusion. And someone also told me that I don't need a static to go from the DMZ IP to the inside IP, so I removed my attempts to use static and instead focused solely on using a conduit. I tried both of the following:

conduit permit tcp host 192.168.3.4 eq ftp host 192.168.2.10

conduit permit tcp host 192.168.3.4 host 192.168.2.10

to try to open an FTP path, with no luck. I posted my full config here:

http://hx009.dyndns.org/config.txt

Any other assistance you can provide would be greatly appreciated.

Do this in config mode.

static (inside,dmz) 192.168.2.10 192.168.3.4

conduit permit tcp host 192.168.3.4 eq ftp host 192.168.2.10

conduit permit tcp host 192.168.3.4 host 192.168.2.10

clear xlate

Then try again.

Regards,

Actually the static should read like this:

static (inside, dmz) 192.168.3.4 192.168.3.4

This turns off NAT for the inside FTP server.

Then the ftp conduit would point to the 192.168.3.4 IP address.
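An added example, not from the thread and not Cisco code: a small Python lint that parses the ip address, global and static lines quoted above and flags the problems the replies point out, namely a global pool that contains a live host or the mapped side of a static, and a static whose mapped address is itself a live host on the mapped interface. It also reports which address a DMZ host would have to use to reach the inside FTP server under a given static, which is what changes when the identity static is used. The two sample configs are constructed from the thread; the per-interface list of known hosts is an assumption taken from the poster's description.

```python
"""Lint for PIX 6.x address lines: global pools vs. statics vs. live hosts.

Added example; the sample configs below are constructed from the thread and
the KNOWN_HOSTS table is an assumption based on the poster's description.
"""
import ipaddress
import re

# Constructed from the original post (the problematic config).
ORIGINAL_CONFIG = """
ip address outside 62.3.2.162 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
global (outside) 1 62.3.2.171-62.3.2.189 netmask 255.255.255.224
global (outside) 1 62.3.2.190 netmask 255.255.255.224
global (dmz) 1 192.168.2.10-192.168.2.11 netmask 255.255.255.0
global (dmz) 1 192.168.2.254 netmask 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
"""

# Constructed: .10 removed from the dmz pool and the identity static from the last reply.
FIXED_CONFIG = """
ip address outside 62.3.2.162 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
global (outside) 1 62.3.2.171-62.3.2.189 netmask 255.255.255.224
global (outside) 1 62.3.2.190 netmask 255.255.255.224
global (dmz) 1 192.168.2.11 netmask 255.255.255.0
global (dmz) 1 192.168.2.254 netmask 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
static (inside, dmz) 192.168.3.4 192.168.3.4 netmask 255.255.255.255 0 0
"""

# Assumption: hosts that really live on each interface (web server on dmz, FTP on inside).
KNOWN_HOSTS = {"dmz": {"192.168.2.10"}, "inside": {"192.168.3.4"}}

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \((\w+),\s*(\w+)\) (\S+) (\S+)")


def expand_range(spec):
    """Expand '10.0.0.1-10.0.0.5' or a single address into a set of IPv4Address."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        lo_i = int(ipaddress.IPv4Address(lo))
        hi_i = int(ipaddress.IPv4Address(hi))
        return {ipaddress.IPv4Address(i) for i in range(lo_i, hi_i + 1)}
    return {ipaddress.IPv4Address(spec)}


def parse(config):
    """Return (pools, statics): pools as (iface, id, addrs); statics as
    (real_iface, mapped_iface, mapped_addr, real_addr)."""
    pools, statics = [], []
    for line in config.strip().splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            pools.append((m.group(1), int(m.group(2)), expand_range(m.group(3))))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((m.group(1), m.group(2),
                            ipaddress.IPv4Address(m.group(3)),
                            ipaddress.IPv4Address(m.group(4))))
    return pools, statics


def find_conflicts(config, known_hosts=KNOWN_HOSTS):
    """List the address clashes that make the PIX claim an address a host owns."""
    pools, statics = parse(config)
    findings = []
    for iface, pool_id, addrs in pools:
        # Pool address that is a real host on that interface: the PIX answers for it.
        for host in known_hosts.get(iface, ()):
            if ipaddress.IPv4Address(host) in addrs:
                findings.append(f"global ({iface}) {pool_id} contains live host {host}")
        # Pool address that is also the mapped side of a static on that interface.
        for real_if, mapped_if, mapped, real in statics:
            if mapped_if == iface and mapped in addrs:
                findings.append(f"global ({iface}) {pool_id} overlaps static mapped "
                                f"address {mapped} (real {real} on {real_if})")
    # Static whose mapped address is itself a live host on the mapped interface.
    for real_if, mapped_if, mapped, real in statics:
        if str(mapped) in known_hosts.get(mapped_if, ()):
            findings.append(f"static ({real_if},{mapped_if}) maps {real} onto "
                            f"{mapped}, which is a live host on {mapped_if}")
    return findings


def reachable_as(config, real_iface, mapped_iface, real_addr):
    """Address a host on mapped_iface must use to reach real_addr on real_iface,
    or None if no static covers that pair."""
    _, statics = parse(config)
    for r_if, m_if, mapped, real in statics:
        if r_if == real_iface and m_if == mapped_iface and str(real) == real_addr:
            return str(mapped)
    return None


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, find_conflicts(cfg) or "no conflicts")
        print("  dmz reaches FTP server as:", reachable_as(cfg, "inside", "dmz", "192.168.3.4"))
```

Running it on the original config reports three clashes, all on 192.168.2.10, and shows that the DMZ web server would have had to reach the FTP server at its own address; on the fixed config there are no clashes and the DMZ side reaches the FTP server at 192.168.3.4, so the conduit is written against that address.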
