05-13-2004 07:52 AM - edited 02-21-2020 01:09 PM
Hi,
I was wondering if anyone can answer these questions for me? I have a 515 with a web and ftp server running on the dmz interface. The internal network is 10.0.x.x and the dmz server is 172.16.0.2
My questions are:
1-Is there anything special I would need to do to enable the inside network to ftp to the dmz? I have set up ftp externally and it works fine with a valid username and password; however, when I try from the internal network I get errors relating to authentication: "an error occurred opening that folder, you may not have permission.... type set A... invalid port command". I am told this is just using IE to open the ip address of the dmz server for ftp.
2-This one is relating to the above. Is it also possible to set it up so that vpn users can access this ftp site as well using the internal ip address?
3-Is it possible at all for internal and vpn users to use the legal ip address assigned to this ftp site to access it from the internal network?
Thanks for any help anyone can give.
cheers
Andy
05-14-2004 09:55 AM
If it helps I have access via shares to the dmz server from inside by using \\172.16.0.2\sharename so I have routing to the dmz server, I just seem to have problems with ftp.
cheers
Andy
05-17-2004 04:21 AM
Andy
Can you paste your config up - just the relevant stuff.... I take it you haven't offset the ftp port for security. It is possible to set up vpn users to access the ftp site - you need to set up an access list allowing access for ftp and ftp-data for the address pool you specify for the vpn users. It's quite straightforward. I don't quite understand the last question - if you paste the config it might make more sense to me!
cheers
Steve
05-17-2004 08:07 AM
Hi,
Thanks for the reply. The config should be included.
One thing I have noticed is that fixup ftp is off; is this right? The ftp site on the dmz server in reality needs to be accessible via its legal ip address from internet users, internal network users and by people dialing in via vpn on the pix.
All of these users need to access it by, for example, ftp://1.1.1.8, but I seem to even have a problem just using ftp://172.16.0.2 (port command error).
I seem to remember that you cannot have traffic coming in the same interface that it left on, which, if I am not mistaken, is what is happening if my internal users try to access the site 1.1.1.8 from the internal network, as it is statically pointed on the pix back into the dmz.
Sorry if I am not explaining myself well.
thanks again
Andy
05-17-2004 11:27 AM
Do you have a global (dmz) 1 statement to match the nat (inside) 1 statement? Or are you using the nat (inside) 0 access-list command to not nat the internal addresses? These seem to be missing from the config part that you posted.
You stated that you can access via sharenames from the inside: do you have acls applied to the inside interface?
Turning off fixup ftp should not cause the problems that you have - in fact you should keep it on, as it will allow the pix to validate some of the ftp commands that are issued and so provide some protection for your ftp server.
05-17-2004 12:04 PM
Hi,
Sorry if I missed the global it is:
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 interface
nat (dmz) 2 172.16.0.0 255.255.255.0
global (outside) 2 1.1.1.4
If that's what you mean - they are just there to give the inside and dmz internet access.
There are no ACLs on the inside interface, only on the outside.
Thanks for the fixup notes - I think I thought it had something to do with active/passive.
cheers
Andy
05-17-2004 05:00 PM
I saw those nat and global statements, but what I did not see is the global (dmz) or a static (inside,dmz) to allow the inside to get an address on the dmz subnet. I believe that is where your issue may lie.
05-19-2004 02:03 PM
Hi again,
Sorry for being confused. My config:
hostname firewall
domain domain.lan
nameif e0 outside sec0
nameif e1 inside sec100
nameif e2 dmz sec51
int e0 10baset
int e1 10baset
int e2 100full
ip address outside 1.1.1.7 255.255.255.248
ip address dmz 172.16.0.1 255.255.255.0
ip address inside 10.0.0.1 255.255.0.0
route outside 0 0 1.1.1.5 1
logging on
logging trap 4
logging host 10.0.0.2
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 interface
nat (dmz) 2 172.16.0.0 255.255.255.0
global (outside) 2 1.1.1.9
no fixup protocol ftp
no fixup protocol smtp
static (inside,outside) 1.1.1.6 10.0.0.2
static (dmz,outside) 1.1.1.8 172.16.0.2
access-list OutsideInbound permit tcp any host 1.1.1.6 eq 25
access-list OutsideInbound permit tcp any host 1.1.1.6 eq ftp
access-list OutsideInbound permit tcp any host 1.1.1.6 eq http
access-list OutsideInbound permit tcp any host 1.1.1.8 eq ftp
access-list OutsideInbound permit tcp any host 1.1.1.8 eq http
access-list OutsideInbound permit tcp any host 1.1.1.8 eq https
access-group OutsideInbound in interface outside
ip local pool SP_VPNIPPool 192.168.40.1-192.168.40.254
access-list SP_VPNACL permit ip 10.0.0.0 255.255.0.0 192.168.40.0 255.255.255.0
nat (inside) 0 access-list SP_VPNACL
sysopt connection permit-ipsec
crypto ipsec transform-set SP_Trans esp-3des esp-md5-hmac
crypto dynamic-map SP_Dyn 10 set transform-set SP_Trans
crypto map SP_Crypto 10 ipsec-isakmp dynamic SP_Dyn
crypto map SP_Crypto interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNGROUP address-pool SP_VPNIPPool
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password Password
vpngroup VPNGROUP wins-server 10.0.0.2
vpngroup VPNGROUP dns-server 10.0.0.2
vpngroup VPNGROUP default-domain domain.lan
vpngroup VPNGROUP split-tunnel SP_VPNACL
isakmp nat-traversal 20
Sorry for putting the config back on again. I'm pretty sure with this that I can access shares on the dmz server from the inside. I'm just confused why ftp won't work. I appreciate you're probably telling me something and I'm missing it entirely.
thanks for your time!
Andy
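As an added illustration (not part of the thread, and not Cisco's or the poster's code), the following Python lints a PIX 6.x config for the two points the replies above raise: that a `nat (high-security)` id needs a matching `global` on every lower-security interface it must reach, or else an identity `static (inside,dmz)`, and that `fixup protocol ftp` should stay enabled. The sample config embedded below is a constructed extract of the one posted; the identity `static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0` used for the fixed version is the form of the fix suggested in the reply of 05-17-2004 05:00 PM.

```python
"""Lint a PIX 6.x config for missing dmz translation and disabled ftp fixup."""
import re

# Constructed extract of the config posted above (the parts the replies discuss).
SAMPLE_CONFIG = """
nameif e0 outside sec0
nameif e1 inside sec100
nameif e2 dmz sec51
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 interface
nat (dmz) 2 172.16.0.0 255.255.255.0
global (outside) 2 1.1.1.9
no fixup protocol ftp
static (inside,outside) 1.1.1.6 10.0.0.2
static (dmz,outside) 1.1.1.8 172.16.0.2
nat (inside) 0 access-list SP_VPNACL
"""

# Same config with ftp fixup re-enabled and an identity static from inside to dmz.
FIXED_CONFIG = SAMPLE_CONFIG.replace("no fixup protocol ftp", "fixup protocol ftp 21") + \
    "static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0\n"

def parse(config):
    sec, nat, globs, statics, fixup_ftp = {}, {}, set(), set(), True
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"nameif \S+ (\S+) sec(\d+)$", line):
            sec[m[1]] = int(m[2])                      # interface -> security level
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            if m[2] != "0":                            # nat 0 is exemption, not a pool id
                nat.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            globs.add((m[1], m[2]))
        elif m := re.match(r"static \((\S+),(\S+)\) ", line):
            statics.add((m[1], m[2]))
        elif line == "no fixup protocol ftp":
            fixup_ftp = False
        elif re.match(r"fixup protocol ftp( \d+)?$", line):
            fixup_ftp = True
    return sec, nat, globs, statics, fixup_ftp

def findings(config):
    """Return a list of human-readable problems; empty list means clean."""
    sec, nat, globs, statics, fixup_ftp = parse(config)
    out = []
    if not fixup_ftp:
        out.append("fixup protocol ftp is disabled: PIX will not inspect FTP control commands")
    for src, ids in nat.items():                       # each nat'd high-security interface
        for dst, lvl in sec.items():
            if lvl >= sec[src]:
                continue                               # only lower-security destinations need a translation
            for nid in ids:
                if (dst, nid) not in globs and (src, dst) not in statics:
                    out.append(f"nat ({src}) {nid} has no global ({dst}) {nid} and no static ({src},{dst})")
    return out
```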
05-20-2004 01:09 PM
Sorry, didn't read all the replies, but I think you might want to look at DNS Doctoring, or the Alias command; sounds like this is what you need. Good luck,