01-19-2006 02:11 PM - edited 03-09-2019 01:41 PM
Hi,
This is my second post regarding the same topic. I am working with the Cisco engineer on this case but we're still playing phone tag. So, I just want to post my config to everyone for review.
Objective:
A serv-u ftp server behind the pix firewall on subnet 192.168.1.x. The ftp server IP is 192.168.1.141. The serv-u ftp server is set to do passive-mode on the range of ports from 60000 to 60040. I want to configure the pix to handle all things pertaining to the ftp.
Here's my configuration with a few modifications for security.
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname MYFIREWALL
domain-name MYDOMAIN.COM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service passive_mode tcp
port-object range 60000 60040
access-list inside_access_in permit ip 192.168.1.0 255.255.255.0 any
access-list FTPonly permit tcp any host 222.222.222.222 eq ftp
access-list FTPonly permit tcp any host 222.222.222.222 eq 8200
access-list FTPonly permit tcp any host 222.222.222.222 eq 8016
access-list FTPonly permit tcp any host 222.222.222.222 eq 10019
access-list FTPonly permit tcp any interface outside object-group passive_mode
access-list vpn_access permit ip 192.168.1.0 255.255.255.0 10.10.15.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 222.x.x.x.x.255.224
ip address inside 192.168.1.100 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 10.10.15.1-10.10.15.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn_access
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp 222.222.222.222 ftp 192.168.1.141 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 8200 192.168.1.139 8200 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 8016 192.168.1.139 8016 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 10019 192.168.1.139 10019 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60000 192.168.1.141 60000 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60001 192.168.1.141 60001 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60002 192.168.1.141 60002 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60003 192.168.1.141 60003 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60004 192.168.1.141 60004 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60005 192.168.1.141 60005 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60006 192.168.1.141 60006 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60007 192.168.1.141 60007 netmask 255.255.255.255 0 0
.....up to 60040
access-group FTPonly in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 222.222.222.97 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
myfirewall(config)#
Thanks,
Travis.
01-23-2006 04:50 PM
Travis,
So is there a specific problem you have and want answered or are you trying to just verify that your configuration is correct?
At first glance I see that you have your statics set up for each of the ports. You have your access-list in place for your ports. So that portion looks correct.
Patrick
01-24-2006 09:12 AM
Hi,
When the pix is in use, the internal users behind the firewall could not ping addresses on the outside. I had to add the following entry
access-list outside_access_in permit ip any any
access-group outside_access_in in interface outside
But, I have another problem. When the pix is used for internet access on the network with 20+ computers, the pix goes down. When I tested with a few computers connecting to the internet, the pix works fine. It seems the flow of traffic between eth0 and eth1 is not smooth.
OR is it that the pix might be defective.
Thanx.
Travis.
01-24-2006 01:32 PM
Travis,
A couple of years ago there was a hardware issue in a group of pixes which would make them freeze up as soon as they started getting any kind of real load. I can't find the URL that allowed you to put the serial number in to see if your pix was possibly affected by this.
Before calling it a faulty pix I would upgrade to the latest Pix version either 6.3.5 or 7.0.4 depending on how much flash/memory you have.
For your ping issues you can permit just icmp in. Also depending on which version you're running you can just use the icmp command.
Option A
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
Option B
icmp permit any any outside
Patrick
Hope this helps.
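As an added example (not code from the thread), a small Python audit of the point raised above: which access-list ends up bound inbound on the outside interface, whether it is the "permit ip any any" shortcut rather than the icmp-only Option A, and which static ports have no explicit permit in that list. The PIX 6.3 snippet it parses is constructed, with placeholder IPs and the 8016 ACL line left out on purpose.

```python
import re
from collections import defaultdict

# Constructed sample in PIX 6.3 syntax: ports follow the thread, IPs are placeholders,
# and the 8016 ACL line is left out on purpose so the static/ACL check has something to find.
SAMPLE_CONFIG = """
object-group service passive_mode tcp
 port-object range 60000 60040
access-list FTPonly permit tcp any host 222.222.222.222 eq ftp
access-list FTPonly permit tcp any host 222.222.222.222 eq 8200
access-list FTPonly permit tcp any interface outside object-group passive_mode
access-list outside_access_in permit ip any any
static (inside,outside) tcp 222.222.222.222 ftp 192.168.1.141 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 8200 192.168.1.139 8200 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 8016 192.168.1.139 8016 netmask 255.255.255.255 0 0
static (inside,outside) tcp 222.222.222.222 60005 192.168.1.141 60005 netmask 255.255.255.255 0 0
access-group FTPonly in interface outside
access-group outside_access_in in interface outside
"""
NAMED_PORTS = {"ftp": 21, "www": 80, "smtp": 25}  # PIX port keywords handled here

def port_num(token):
    return int(token) if token.isdigit() else NAMED_PORTS[token]

def audit_inbound(config):
    """Summarise what the ACL bound inbound on 'outside' allows versus what the statics expose."""
    groups, acl_ports, any_ip, statics = defaultdict(set), defaultdict(set), set(), set()
    group = inbound = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"object-group service (\S+) tcp$", line):
            group = m.group(1)
        elif m := re.match(r"port-object range (\S+) (\S+)$", line):
            groups[group].update(range(port_num(m.group(1)), port_num(m.group(2)) + 1))
        elif m := re.match(r"access-list (\S+) permit ip any any$", line):
            any_ip.add(m.group(1))
        elif m := re.match(r"access-list (\S+) permit tcp any (?:host|interface) \S+ "
                           r"(?:eq (\S+)|object-group (\S+))$", line):
            acl_ports[m.group(1)].update([port_num(m.group(2))] if m.group(2) else groups[m.group(3)])
        elif m := re.match(r"static \(inside,outside\) tcp \S+ (\S+) ", line):
            statics.add(port_num(m.group(1)))
        elif m := re.match(r"access-group (\S+) in interface outside$", line):
            inbound = m.group(1)  # PIX 6.x binds one inbound ACL per interface: the last one wins
    return {
        "inbound_acl": inbound,
        "any_ip_inbound": inbound in any_ip,  # the 'permit ip any any' shortcut from the thread
        "exposed_ports": sorted(statics),
        "ports_without_explicit_permit": sorted(statics - acl_ports.get(inbound, set())),
    }
```

Running it on the sample shows the second access-group line has replaced FTPonly as the inbound list, so the per-port policy is gone; deleting that line restores FTPonly and the check then reports only the missing 8016 entry.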