04-24-2005 08:09 AM - edited 03-09-2019 11:02 AM
I have a customer who just installed a PIX 515E (R). He has an FTP server in the DMZ which can be accessed from outside (internet). I have configured the PIX with the necessary nat, global and static commands to allow access to the FTP server. It does not work.
The strange thing is that a similar configuration works when the FTP server is moved to the inside network. What am I doing wrong?
04-24-2005 08:35 AM
Have you done a "clear xlate" after you changed or added the static?
Take care: clear xlate will reset all connections!
Please post your config, without public IPs, so that we can check if everything is OK!
sincerely
Patrick
04-26-2005 01:24 PM
Hi Patrick
Thanks, will try the clear xlate command.
I do not have the config file with me, but here are the relevant commands:
ip address outside x.x.x.130 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.154.4.100 255.255.255.0
The FTP server is in the DMZ with IP address 10.154.4.6 and can be accessed from outside (internet) via the router with IP x.x.x.129.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (dmz) 1 10.154.4.0-10.154.4.50
static (dmz,outside) x.x.x.131 10.154.4.6 dns netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host x.x.x.131 eq ftp
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1
I hope this is enough to troubleshoot
Let me know if you need any more info
Regards
Nanik
04-26-2005 04:42 PM
Hi Nanik,
1.) There is an error in the static command; this will not work with the DNS statement in it!!
# Remove the static
no static (dmz,outside) x.x.x.131 10.154.4.6 dns netmask 255.255.255.255 0 0
Syntax:
static (dmz,outside) FTP-Public FTP-DMZ netmask 255.255.255.255
# Add the modified static
static (dmz,outside) x.x.x.131 10.154.4.6 netmask 255.255.255.255
clear xlate
And then it should ROCK!
2.) The dns statement in the static is there to change DNS replies for inside hosts that are trying to access your DMZ webserver on this public IP. The DNS reply will then answer with its internal private IP.
This only works if your DNS server is on the internet.
Example:
static (inside,outside) x.x.x.131 10.154.4.6 dns
3.) Disable NAT from the inside to the DMZ network:
static (inside,dmz) Inside-Network Inside-Network netmask 255.255.255.0
sincerely
Patrick
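Pulling the thread together, here is a consolidated PIX 6.x configuration for the DMZ FTP server as discussed above. This is an added example, not the configuration either poster actually ran; the interface names, security levels (outside 0, dmz 50, inside 100) and the narrowed DMZ PAT pool are assumptions, and the public addresses are left masked as in the thread.

```text
! Interface names and security levels (assumed; not shown in the thread)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside x.x.x.130 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.154.4.100 255.255.255.0

! Default route toward the ISP router
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1

! FTP inspection is on by default on PIX 6.x. It rewrites the PORT/PASV
! payload and opens the data channel, so only tcp/21 needs to be permitted.
fixup protocol ftp 21

! Dynamic PAT for inside hosts going to the Internet
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! DMZ pool for inside hosts that are NOT covered by the identity static below.
! Assumed range: it must not include live DMZ hosts such as the FTP server.
global (dmz) 1 10.154.4.10-10.154.4.50

! One-to-one static for the FTP server, without the dns keyword (item 1)
static (dmz,outside) x.x.x.131 10.154.4.6 netmask 255.255.255.255 0 0

! Identity static so inside hosts reach the DMZ with their real addresses (item 3)
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

! Permit only the FTP control channel from the Internet to the public address
access-list outside_access_in permit tcp any host x.x.x.131 eq ftp
access-group outside_access_in in interface outside

! After changing statics: clear xlate (resets existing connections)
```

Two things to check on the box after applying this. First, the FTP server's default gateway must be the PIX dmz interface (10.154.4.100), which is what ultimately fixed the original problem; otherwise the server's replies to Internet clients never return through the firewall. Second, the pool posted earlier, 10.154.4.0-10.154.4.50, overlaps the FTP server's own address 10.154.4.6, so an inside host could be PATed to the same IP as the server; the pool here starts at 10.154.4.10 to avoid that. Because statics take precedence over nat/global, the identity static makes the DMZ pool unused for 192.168.1.0/24 traffic; it is kept only for any other inside subnets.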
05-08-2005 08:09 AM
Hi Patrick,
Thanks for your help. The issue was finally resolved by changing default gateway settings on the FTP server.
I have another question. This customer has two ways of getting onto the internet: one on the outside interface and one on the dmz interface. He wants to configure certain workstations (inside network) to use the outside internet and the remaining workstations (inside network) to use the dmz internet.
The outside internet works fine with the default gateway on the PCs pointing to the inside interface of the PIX. How do I get the other PCs onto the internet on the dmz interface?
Thanks in advance
Nanik