05-04-2005 08:02 AM - edited 03-09-2019 11:09 AM
I have an FTP server in the dmz from the PIX. This all works great and I have no problems with connectivity. What I want to do is set up a separate network on this ftp server so I can have guest offices connect to the internet without going through our company network.
In order, it goes ftp server -> switch -> dmz port on pix.
I thought I should be able to add a static route out and it would work. Can anyone point me in the right direction?
Thanks
05-06-2005 03:39 AM
How are the guest offices going to connect to your ftp server? Thru a vpn connection to one of your vpn gateways (such as the pix)? You mentioned no issues with connectivity, so I assume that the ftp server is accessible thru the pix, but is that only true for inside devices and not outside ones?
If someone is going to connect to that ftp server via the outside interface then you need to use a static statement to allow that host to be addressable, and you will need to create an access-list and apply it to the outside interface like this:
static (dmz, outside) e.e.e.e i.i.i.i netmask 255.255.255.255, where e.e.e.e is the address of the ftp server as seen by outside hosts, and i.i.i.i is the true ip address
access-list acl_out01 permit tcp any gt 1023 host e.e.e.e eq 21 - note that only the connection to the ftp control port is needed as the pix will add dynamic entries as it sees the ftp port command flows.
Some helpful URLs to aid you in configuring and troubleshooting:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html - the home page for pix fw software tech support and doc
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_installation_and_configuration_guides_list.html - pix config guide for a variety of sw release levels
Let me know if this is of any help.
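The steps from the reply above, written out as a PIX 6.x-style configuration fragment (an added example, not the poster's own configuration). It keeps the post's e.e.e.e and i.i.i.i placeholders; the access-group line that binds the ACL to the outside interface and the fixup line for FTP inspection are assumptions about the software release, included because the reply describes both without giving the commands.

```cisco
: e.e.e.e = address of the ftp server as seen by outside hosts (placeholder from the post)
: i.i.i.i = true address of the ftp server in the dmz (placeholder from the post)

: FTP inspection: lets the pix open the data connections it learns from the
: control channel, so only tcp/21 has to be permitted in the ACL.
: Assumed 6.x syntax; normally enabled by default.
fixup protocol ftp 21

: One-to-one translation that makes the dmz host addressable from outside.
static (dmz,outside) e.e.e.e i.i.i.i netmask 255.255.255.255

: Permit only the ftp control port to the translated address.
access-list acl_out01 permit tcp any gt 1023 host e.e.e.e eq 21

: An access-list has no effect until it is bound to an interface.
access-group acl_out01 in interface outside

: Checks after applying (exec commands, not configuration):
:   show access-list acl_out01   - hit counters on the permit line
:   show xlate                   - the static translation is present
```

Keeping the ACL to the single permit line above means every other port on the published server stays closed to outside hosts.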
05-10-2005 08:54 AM
Just wondering if my prior post was of help to you. Let me know if you have any questions.