02-15-2004 10:08 PM - edited 03-09-2019 06:25 AM
All our users internally connect to the internet through the pix 515e firewall.
I've set up an FTP server on IP 192.168.0.49 and already configured the PIX for access. Users inside the office use the IP 192.168.0.49 to access the FTP site, while users outside use the domain ftp.mmg-me.com to access the site.
The domain ftp.mmg-me.com is linked to our public ip.
The problem is users inside can only use the internal IP mentioned above. If they try to connect to the FTP via the domain ftp.mmg-me.com, it always times out. Hence, how can I config the firewall to let users inside use the domain name to connect to the FTP?
This was the command I issued to configure the firewall for ftp access:
static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0
02-15-2004 10:33 PM
Hello,
You have a couple of options here:
- If you want to use the alias command, then your syntax should be as follows:
alias(inside) 192.168.0.49 80.227.104.242 255.255.255.255
- If you are running PIX 6.2 or above, my suggestion would be to edit your existing static with the "dns" keyword added, as follows:
static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.0
Thanks,
Mynul
02-15-2004 10:17 PM
Found some info on Cisco's site itself - after a lot of searching.
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#int
It seems I have to use the alias command.
Internal ip = 192.168.0.49
External ip = 80.227.104.242
Hence the alias command should be:
alias(inside) 80.227.104.242 192.168.0.49 255.255.255.255
Can someone correct me please?
Thanks.
CD
02-15-2004 10:47 PM
Hi,
Yes, I in fact have PIX version 6.3.
If I do edit my existing static line, can people still access the FTP by the internal IP?
I would like to have it set up so people can use either the internal IP or the external IP.
Thank you very much.
CD
p.s. How do I edit a line - is there a specific command?
02-16-2004 01:43 AM
Also, does it matter if the 0 0 is not there at the end:
static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.0
compared to my original
static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp netmask 255.255.255.0 0 0
02-16-2004 09:30 AM
Hi,
>Also does it matter if the 0 0 is not there at the end
Depends on your requirement. If you don't put it while configuring, then it will apply the default.
Thanks,
Mynul
02-16-2004 09:28 AM
Hello,
My answers are inline-
>If I do edit my existing static line, can people still access the ftp by the internal ip?
Yes, they will be able to use internal ip as well.
>How do I edit a line - is there a specific command?
Go to "config t", then execute "show static" and copy and paste your existing static, adding "no" in front of your static statement. Then add the static provided earlier.
Thanks,
Mynul
02-16-2004 09:32 PM
Hi Mynul,
I replaced the static statement with this:
static (inside,outside) tcp 80.227.104.242 ftp 192.168.0.49 ftp dns netmask 255.255.255.255 0 0
Still, I cannot connect from within the office to the FTP IP of 80.227.104.242.
02-17-2004 09:02 AM
Hi Sunil,
You will not be able to connect with the public IP, as both your server and client are on the inside. If the server were in the DMZ, tweaking the static a bit would help. Since the PIX cannot route the packet back out the same interface it received the packet on, this is not possible with the public IP. However, you should be able to connect to the server using the domain name of the FTP server, as when the DNS query makes it through the firewall, it will perform DNS doctoring, which will replace the public IP with the private one, so the client would always get the private IP. If it doesn't work with the DNS name, then perform an nslookup on the name and see if you get the private IP or not.
Please let me know the outcome. Thanks,
Mynul
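The DNS doctoring described above, as an added example that is not part of the thread or of PIX code: a small Python model of what the firewall does to a DNS reply coming in from the outside when a static carries the dns keyword. Any A record whose address equals the static's global address (80.227.104.242) is rewritten to the local address (192.168.0.49) before the reply reaches the inside client, which is why the hostname works from inside while the raw public IP does not. The DNS reply packet is constructed here in standard wire format, and the doctoring table is a hypothetical stand-in for the PIX's own static configuration.

```python
"""Model of PIX DNS doctoring for a static with the dns keyword (added example)."""
import struct

# Hypothetical table derived from the thread's static: global address -> local address.
DOCTOR_TABLE = {"80.227.104.242": "192.168.0.49"}


def ip_bytes(addr):
    """Dotted-quad string to its four-byte wire form."""
    return bytes(int(octet) for octet in addr.split("."))


def encode_name(name):
    """Encode a domain name as length-prefixed labels with a terminating zero."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_a_reply(name, addresses, txid=0x1234):
    """Construct a minimal DNS response carrying one A record per address (sample data)."""
    # Header: id, flags (standard response, recursion available), QD=1, AN=n, NS=0, AR=0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + ip_bytes(addr)
    return header + question + answers


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def a_record_offsets(packet):
    """Yield the rdata offset of every IN A record in the answer section."""
    qd, an = struct.unpack("!HH", packet[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def answers_of(packet):
    """List the A-record addresses in a reply, i.e. what nslookup would print."""
    return [".".join(str(b) for b in packet[o:o + 4]) for o in a_record_offsets(packet)]


def doctor_reply(packet, table=DOCTOR_TABLE):
    """Rewrite A-record rdata per the table; return (doctored packet, list of rewrites).

    Only the four rdata bytes change, so the packet length and layout are preserved."""
    buf = bytearray(packet)
    rewrites = []
    for o in a_record_offsets(buf):
        addr = ".".join(str(b) for b in buf[o:o + 4])
        if addr in table:
            buf[o:o + 4] = ip_bytes(table[addr])
            rewrites.append((addr, table[addr]))
    return bytes(buf), rewrites


if __name__ == "__main__":
    # Reply as the public resolver would send it for the thread's hostname (constructed)
    reply = build_a_reply("ftp.mmg-me.com", ["80.227.104.242"])
    doctored, rewrites = doctor_reply(reply)
    print("outside view:", answers_of(reply))
    print("inside view: ", answers_of(doctored), rewrites)
```

The inside client ends up connecting to 192.168.0.49 directly, so no packet has to hairpin through the PIX. If `answers_of` on a real capture (or an nslookup from an inside host) still shows the public address, the reply did not pass through a static that carries the dns keyword for that address, which is the check suggested in the post above.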
02-22-2004 04:13 AM
Mhoda:
Your alias command worked. I double checked it with a user over at www.experts-exchange.com and it is the right one:
http://www.experts-exchange.com/Security/Firewalls/Q_20885991.html
Thanks for all your help.
CD