FTP server in DMZ

n.chandiramani
Level 1

I have a customer who just installed a PIX 515E (R). He has an FTP server in the DMZ which can be accessed from outside (internet). I have configured the PIX with the necessary nat, global and static commands to allow access to the FTP server. It does not work.

The strange thing is that a similar configuration works when the FTP server is moved to the inside network. What am I doing wrong?

4 Replies

Patrick Iseli
Level 7

Have you done a "clear xlate" after you changed or added the static?

Take care: the clear xlate will reset all connections!

Please post your config, without public IPs, so that we can check if everything is ok!

sincerely

Patrick

Hi Patrick

Thanks. Will try the clear xlate command.

I do not have the config file with me, but here are the relevant commands:

ip address outside x.x.x.130 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.154.4.100 255.255.255.0

The FTP server is in the DMZ with IP address 10.154.4.6 and can be accessed from outside (internet) via the router with IP x.x.x.129.

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (dmz) 1 10.154.4.0-10.154.4.50
static (dmz,outside) x.x.x.131 10.154.4.6 dns netmask 255.255.255.255 0 0
access-list outside_access_in permit tcp any host x.x.x.131 eq ftp
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1

I hope this is enough to troubleshoot.

Let me know if you need any more info.

Regards

Nanik
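A configuration posted by hand, as in this thread, often carries small slips that are easy to miss by eye: a trailing dot on an address, or an access-group that names an access-list spelled slightly differently. The following is an added example, not code from the thread or from Cisco, that runs three consistency checks over a constructed PIX config fragment modelled on the one above (the placeholder octets x.x.x.N are kept as the poster wrote them); the deliberately included slips are labelled in the sample.

```python
import re

# Constructed sample in the style of the thread's config. Two slips are
# planted on purpose: a trailing dot in "0.0.0.0." (nat and route lines) and
# an access-list name that does not match the access-group that applies it.
PIX_CONFIG = """\
ip address outside x.x.x.130 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 10.154.4.100 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0. 0.0.0.0 0 0
global (dmz) 1 10.154.4.0-10.154.4.50
static ( dmz,outside) x.x.x.131 10.154.4.6 dns netmask 255.255.255.255 0 0
access-list outside_access-in permit tcp any host x.x.x.131 eq ftp
access-group outside_access_in in interface outside
route outside 0.0.0.0. 0.0.0.0 x.x.x.129 1
"""

# A dotted token of octets or the 'x' placeholder; a trailing dot is accepted
# by the pattern so that it can be reported as a defect below.
DOTTED = re.compile(r"^(?:x|\d{1,3})(?:\.(?:x|\d{1,3}))+\.?$")
# static (<high>,<low>) <public> <private> ... ; tolerates stray spaces in the parens.
STATIC = re.compile(r"^static\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)\s*(\S+)\s+(\S+)")


def lint_pix(config: str) -> list[str]:
    """Return one finding per consistency problem visible in a PIX config."""
    lines = [(n, l.strip()) for n, l in enumerate(config.splitlines(), 1) if l.strip()]
    acl_names = {l.split()[1] for _, l in lines if l.startswith("access-list ")}
    acl_hosts = {l.split()[l.split().index("host") + 1]
                 for _, l in lines if l.startswith("access-list ") and " host " in l}
    findings = []
    for n, line in lines:
        words = line.split()
        # 1. Malformed IPv4 literal: trailing dot or wrong number of octets.
        for tok in words:
            if DOTTED.match(tok) and (tok.endswith(".") or tok.count(".") != 3):
                findings.append(f"line {n}: malformed address {tok!r}")
        # 2. access-group must apply an access-list that is actually defined.
        if words[0] == "access-group" and words[1] not in acl_names:
            findings.append(f"line {n}: access-group names undefined access-list {words[1]!r}")
        # 3. The public address of a static should be permitted by some ACL host entry.
        m = STATIC.match(line)
        if m and m.group(3) not in acl_hosts:
            findings.append(f"line {n}: no access-list host entry for static public address {m.group(3)!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_pix(PIX_CONFIG):
        print(finding)
```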

Hi Nanik,

1.) There is an error in the static command: this will not work with the DNS statement in it!!

# Remove the static

no static (dmz,outside) x.x.x.131 10.154.4.6 dns netmask 255.255.255.255 0 0

Syntax:

static (dmz,outside) FTP-Public FTP-DMZ netmask 255.255.255.255

# Add the modified static

static (dmz,outside) x.x.x.131 10.154.4.6 netmask 255.255.255.255

clear xlate

And then it should ROCK !

2.) The dns statement in the static is there to change DNS replies for inside hosts that are trying to access your DMZ web server on this public IP. The DNS reply will then answer with its internal private IP.

This only works if your DNS server is on the internet.

example:

static (inside,outside) x.x.x.131 10.154.4.6 dns

3.) Disable NAT from the inside to the DMZ network:

static (inside,dmz) Inside-Network Inside-Network netmask 255.255.255.0

sincerely

Patrick

Hi Patrick,

Thanks for your help. The issue was finally resolved by changing default gateway settings on the FTP server.

I have another question. This customer has two ways of getting onto the internet: one on the outside interface and one on the dmz interface. He wants to configure certain workstations (inside network) on the outside internet and the remaining ones (inside network) on the dmz internet.

The outside internet works fine with the default gateway on the PCs pointing to the inside interface of the PIX. How do I get the other PCs onto the internet on the dmz interface?

Thanks in advance

Nanik