VPN questions on PIX

agoodwin (Level 1)

Hi,

I was wondering if anyone can answer these questions for me? I have a 515 with a web and ftp server running on the dmz interface. The internal network is 10.0.x.x and the dmz server is 172.16.0.2

My questions are:

1-Is there anything special I would need to do to enable the inside network to ftp to the dmz? I have setup ftp externally and it works fine with a valid username and password however when I try from the internal network I get errors relating to authentication "an error occurred opening that folder you may not have permission.... type set A... invalid port command" I am told this is just using IE to open the ip address of the dmz server for ftp.

2-This one is relating to the above. Is it also possible to set it up so that vpn users can access this ftp site as well using the internal ip address?

3-Is it possible at all for internal and vpn users to use the legal ip address assigned to this ftp site to access it from the internal network?

Thanks for any help anyone can give.

cheers

Andy

8 Replies

agoodwin (Level 1)

If it helps I have access via shares to the dmz server from inside by using \\172.16.0.2\sharename so I have routing to the dmz server, I just seem to have problems with ftp.

cheers

Andy

stevensavage (Level 1)

Andy

Can you paste your config up - just the relevant stuff... I take it you haven't offset the ftp port for security. It is possible to setup vpn users to access the ftp site - you need to setup an access list allowing access for ftp and ftp-data for the address pool you specify for the vpn users. It's quite straightforward. I don't quite understand the last question - if you paste the config it might make more sense to me!

cheers

Steve

Hi,

Thanks for the reply. The config should be included.

One thing I have noticed is that fixup ftp is off, is this right? The ftp site on the dmz server in reality needs to be accessible via its legal ip address from internet users, internal network users and by people dialing in via vpn on the pix.

All of these users need to access it by, for example, ftp://1.1.1.8 but I seem to even have a problem just using ftp://172.16.0.2 (port command error)

I seem to remember that you cannot have traffic coming in the same int that it left on, which if I am not mistaken is what is happening if my internal users try and access the site 1.1.1.8 from the internal network as it is statically pointed on the pix back into the dmz.

Sorry if I am not explaining myself well.

thanks again

Andy

Do you have a global (dmz) 1 statement to match the nat (inside) 1 statement? Or are you using the nat (inside) 0 access-list command to not nat the internal addresses? These seem to be missing from the config part that you posted.

You stated that you can access via sharenames from the inside: do you have ACLs applied to the inside interface?

Turning off fixup ftp should not cause the problems that you have - in fact you should keep it on as it will allow the pix to validate some of the ftp commands that are issued to perform some protection of your ftp server.

Hi,

Sorry if I missed the global it is:

nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 interface
nat (dmz) 2 172.16.0.0 255.255.255.0
global (outside) 2 1.1.1.4

If that's what you mean - they are just there to give the inside and dmz internet access.

There are no ACLs on the inside interface, only on the outside.

Thanks for the fixup notes - I think I thought it had something to do with active/passive.

cheers

Andy

I saw those nat and global statements; but what I did not see is the global (dmz) or a static (inside,dmz) to allow the inside to get an address on the dmz subnet. I believe that is where your issue may lie.

Hi again,

Sorry for being confused. My config:

hostname firewall
domain domain.lan
nameif e0 outside sec0
nameif e1 inside sec100
nameif e2 dmz sec51
int e0 10baset
int e1 10baset
int e2 100full
ip address outside 1.1.1.7 255.255.255.248
ip address dmz 172.16.0.1 255.255.255.0
ip address inside 10.0.0.1 255.255.0.0
route outside 0 0 1.1.1.5 1
logging on
logging trap 4
logging host 10.0.0.2
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 interface
nat (dmz) 2 172.16.0.0 255.255.255.0
global (outside) 2 1.1.1.9
no fixup protocol ftp
no fixup protocol smtp
static (inside,outside) 1.1.1.6 10.0.0.2
static (dmz,outside) 1.1.1.8 172.16.0.2
access-list OutsideInbound permit tcp any host 1.1.1.6 eq 25
access-list OutsideInbound permit tcp any host 1.1.1.6 eq ftp
access-list OutsideInbound permit tcp any host 1.1.1.6 eq http
access-list OutsideInbound permit tcp any host 1.1.1.8 eq ftp
access-list OutsideInbound permit tcp any host 1.1.1.8 eq http
access-list OutsideInbound permit tcp any host 1.1.1.8 eq https
access-group OutsideInbound in interface outside
ip local pool SP_VPNIPPool 192.168.40.1-192.168.40.254
access-list SP_VPNACL permit ip 10.0.0.0 255.255.0.0 192.168.40.0 255.255.255.0
nat (inside) 0 access-list SP_VPNACL
sysopt connection permit-ipsec
crypto ipsec transform-set SP_Trans esp-3des esp-md5-hmac
crypto dynamic-map SP_Dyn 10 set transform-set SP_Trans
crypto map SP_Crypto 10 ipsec-isakmp dynamic SP_Dyn
crypto map SP_Crypto interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup VPNGROUP address-pool SP_VPNIPPool
vpngroup VPNGROUP idle-time 1800
vpngroup VPNGROUP password Password
vpngroup VPNGROUP wins-server 10.0.0.2
vpngroup VPNGROUP dns-server 10.0.0.2
vpngroup VPNGROUP default-domain domain.lan
vpngroup VPNGROUP split-tunnel SP_VPNACL
isakmp nat-traversal 20

Sorry for putting the config back on again. I'm pretty sure with this that I can access shares on the dmz server from the inside. I'm just confused why ftp won't work. I appreciate you're probably telling me something and I'm missing it entirely.

thanks for your time!

Andy

Sorry didn't read all the replies but I think you might want to look at DNS Doctoring, or the Alias command, sounds like this is what you need. Good luck,
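As an added example (not the thread's own config, and not something the posters tested), here are the changes the replies above point at, written against the addresses in the posted config. It assumes PIX 6.2 or later, that the DMZ server's FTP listens on port 21, and that the static with the dns keyword replaces the existing static (dmz,outside) line.

```cisco
! Added example, not the poster's config: the pieces the replies above
! suggest, using the addresses from the thread.

! 1. Put FTP inspection back. The PIX then tracks the PORT/PASV data
!    channel so the data connection can be opened, and it checks the FTP
!    commands sent to the server instead of passing them blindly.
fixup protocol ftp 21

! 2. Give inside hosts a translation on the dmz interface. This identity
!    static keeps their real 10.0.x.x address, so inside -> dmz traffic
!    has an xlate without needing a global (dmz) pool.
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0 0 0

! 3. Let VPN clients reach the DMZ server on its private address: exempt
!    dmz <-> VPN-pool traffic from NAT, and add the DMZ subnet to the
!    split-tunnel list (SP_VPNACL) so clients send it through the tunnel
!    at all. sysopt connection permit-ipsec already lets it past the ACL.
access-list SP_VPNACL permit ip 172.16.0.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (dmz) 0 access-list SP_VPNACL

! 4. DNS doctoring for the public address: with the dns keyword the PIX
!    rewrites 1.1.1.8 to 172.16.0.2 in DNS replies that cross it, so inside
!    clients resolving the site's name connect straight to the DMZ address
!    instead of trying to hairpin out of the outside interface. Assumes the
!    inside clients' DNS answers actually traverse the PIX; replace the
!    existing static (dmz,outside) line with this one.
static (dmz,outside) 1.1.1.8 172.16.0.2 netmask 255.255.255.255 dns
```

Inside users who type ftp://1.1.1.8 by literal IP are not helped by step 4; only name lookups are rewritten, so they should use ftp://172.16.0.2 or the hostname.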