FTP server access configuration help

clinthammer

All our users internally connect to the internet through the pix 515e firewall.

I've set up an ftp server on ip 192.168.0.49 and already configured the PIX for access. Users inside the office use the ip of 192.168.0.49 for access to the ftp site while users outside use the domain ftp.mmg-me.com to access the site.

The domain ftp.mmg-me.com is linked to our public ip.

The problem is users inside can only use the internal ip mentioned above. If they try to connect to the ftp via the domain ftp.mmg-me.com, it always times out. Hence, how can I configure the firewall to let users inside use the domain name to connect to the ftp?

This was the command I issued to configure the firewall for ftp access:

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0

Accepted Solutions

Hello,

You have a couple of options here -

-If you want to use the alias command then your syntax should be as follows:

alias(inside) 192.168.0.49 80.227.104.242 255.255.255.255

-If you are running PIX 6.2 or above, my suggestion would be to edit your existing static with the "dns" keyword added as follows -

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.0

Thanks,

Mynul


9 Replies

clinthammer

Found some info on Cisco's site itself - after a lot of searching.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#int

It seems I have to use the alias command.

Internal ip = 192.168.0.49

External ip = 80.227.104.242

Hence the alias command should be:

alias(inside) 80.227.104.242 192.168.0.49 255.255.255.255

Can someone correct me please?

Thanks.

CD

Hi,

Yes, I in fact have pix version 6.3.

If I do edit my existing static line, can people still access the ftp by the internal ip?

I would like to have it setup so people can either use the internal ip or external ip.

Thank you very much.

CD

p.s. How do I edit a line - is there a specific command?

Also, does it matter if the 0 0 is not there at the end?

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.0

compared to my original

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0

Hi,

>Also does it matter if the 0 0 is not there at the end

Depends on your requirement. If you don't put it while configuring, then it will apply the default.

Thanks,

Mynul

Hello,

My answers are inline-

>If I do edit my existing static line, can people still access the ftp by the internal ip?

Yes, they will be able to use internal ip as well.

>How do I edit a line - is there a specific command?

Go to "config t" then execute "show static" and then copy and paste your existing static, just add "no" in front of your static stmt. then add the static provided earlier.

Thanks,

Mynul

Hi Mynul,

I replaced the static statement with this:

static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.255 0 0

Still I cannot connect from within the office to the ftp ip of 80.227.104.242.

Hi Sunil,

You will not be able to connect with the public ip as both your server and client are on the inside. If the server were in a dmz, tweaking the static a bit would help. Since the PIX cannot route the packet back out of the same interface it receives the packet on, this is not possible with the public ip. However, you should be able to connect to the server using the domain name of the FTP server, as when the DNS query goes through the firewall, it will perform DNS doctoring, which will replace the public ip with the private one, so the client would always get the private ip. If it doesn't work with the dns name, then perform an nslookup on the name and see if you get the private ip or not.

Please let me know the outcome. Thanks,

Mynul

Mhoda:

Your alias command worked. I double checked it with a user over at www.experts-exchange.com and it is the right one:

http://www.experts-exchange.com/Security/Firewalls/Q_20885991.html

Thanks for all your help.

CD