
FTP Setup for Outside to Inside

18 years 1 month ago #17227 by tonyr
Cannot seem to get this corrected. I'm trying to setup ftp access from the outside world (74.247.x.x) to my ftp server inside (10.0.0.10). Below is my config, any help is appreciated.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
hostname pix
domain-name pharmapacllc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp interface outside eq ftp any eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.32 255.255.255.224 outside
pdm location 10.0.0.10 255.255.255.255 inside
pdm location 74.247.x.x 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 10.0.0.10 74.247.x.x netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username tony password *********
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcprelay server 10.0.0.10 inside
terminal width 80
Cryptochecksum:eba6180b840a91dbe8b0ed1611a9efb8
: end
[OK]
18 years 1 month ago #17228 by Smurf
Hi there,

Here are a few things to look at which may be causing your problems;

access-list outside_access_in permit tcp interface outside eq ftp any eq ftp

looks like they are the wrong way around; also, you don't want to restrict the source port, as this can come from anywhere. Give this a go:

access-list outside_access_in permit tcp any interface outside eq ftp

Also, you will need to open up the ftp-data port. FTP uses the two ports to work correctly, port 20 (DATA) and port 21 (CONTROL). So add the following line

access-list outside_access_in permit tcp any interface outside eq ftp-data

Also, I would swap around the static command to read this:

static (inside, outside) 74.247.x.x 10.0.0.10 netmask 255.255.255.0 0 0

Please give it a go and let me know how you get on. I am interested myself to see if the static command does work when directly mapping the external interface to the 10.0.0.10 address. I am unsure if it will work because you are effectively setting up a NAT translation on the only external IP Address that you have. You may need to go down the route of setting up the STATIC command specifying the ports that you want to translate. If the above doesn't work, try removing the static command above and replacing it with these two:

static (inside, outside) tcp 74.247.x.x 20 10.0.0.10 20 netmask 255.255.255.0 0 0
static (inside, outside) tcp 74.247.x.x 21 10.0.0.10 21 netmask 255.255.255.0 0 0

Please let me know if the first static works as it will save me testing it out. The reason is that I have quite a few external IP Addresses available to my pix so we setup static commands to the different servers in the DMZ and then a PAT (Global) for anything else.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
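To make the two points above concrete (why the original access-list line can never match an inbound client, and how the port static then hands the connection to 10.0.0.10), here is a small model of the PIX 6.x inbound path written for this thread; it is an added example, not the poster's config or anything from Cisco. It parses the access-list and static lines in the syntax used in this thread, checks a flow against the ACL the way the PIX does on the outside interface (against the global, untranslated destination), then applies the port static. Assumptions: the DHCP-assigned outside address, masked as 74.247.x.x in the thread, is stood in for by 198.51.100.12, and the remote client 203.0.113.7 on an ephemeral port is constructed for the demonstration.

```python
import re
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed stand-in for this example: the thread's DHCP-assigned outside
# address is shown as 74.247.x.x, so 198.51.100.12 is used here instead.
OUTSIDE_IF_IP = "198.51.100.12"
NAMED_PORTS = {"ftp": 21, "ftp-data": 20}


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _port(tok: str) -> int:
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def parse_ace(line: str) -> dict:
    """Parse the PIX 6.x subset used in the thread:
    access-list NAME permit|deny PROTO SRC [eq PORT] DST [eq PORT]
    where SRC/DST is 'any', 'interface outside' or 'host A.B.C.D'.
    A missing 'eq' means any port; 'any' means any address."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    ace = {"name": t[1], "action": t[2], "proto": t[3]}
    i = 4
    for side in ("src", "dst"):
        if t[i] == "any":
            ace[side], i = None, i + 1
        elif t[i] == "interface":          # 'interface outside' = the outside IP
            ace[side], i = OUTSIDE_IF_IP, i + 2
        elif t[i] == "host":
            ace[side], i = t[i + 1], i + 2
        else:
            raise ValueError("unsupported address token: " + t[i])
        if i < len(t) and t[i] == "eq":    # optional port qualifier
            ace[side + "_port"], i = _port(t[i + 1]), i + 2
        else:
            ace[side + "_port"] = None
    return ace


def ace_matches(ace: dict, f: Flow) -> bool:
    return (ace["proto"] == f.proto
            and ace["src"] in (None, f.src_ip)
            and ace["src_port"] in (None, f.src_port)
            and ace["dst"] in (None, f.dst_ip)
            and ace["dst_port"] in (None, f.dst_port))


def acl_permits(acl: list, f: Flow) -> bool:
    """First matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, f):
            return ace["action"] == "permit"
    return False


def parse_static(line: str) -> dict:
    """Parse 'static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT netmask MASK 0 0'."""
    t = re.sub(r"\(.*?\)", "", line).split()   # drop the (inside,outside) pair
    if t[0] != "static" or t[1] != "tcp":
        raise ValueError("only tcp port statics are modelled: " + line)
    glob, gport, local, lport = t[2], _port(t[3]), t[4], _port(t[5])
    mask = t[t.index("netmask") + 1]
    # A global address with host bits set under the netmask is rejected, which
    # reproduces the error tonyr saw with 255.255.255.0; a /32 always passes.
    if int(ipaddress.ip_address(glob)) & ~int(ipaddress.ip_address(mask)):
        raise ValueError(f"ERROR: invalid netmask {mask} with global address {glob}")
    return {"global": glob, "gport": gport, "local": local, "lport": lport}


def inbound(f: Flow, acl: list, statics: list) -> Optional[Flow]:
    """Packet arriving on 'outside': the inbound ACL is checked against the
    global (untranslated) destination, then a matching port static rewrites
    the destination to the inside host. Returns None if the packet is dropped."""
    if not acl_permits(acl, f):
        return None
    for s in statics:
        if f.dst_ip == s["global"] and f.dst_port == s["gport"]:
            return replace(f, dst_ip=s["local"], dst_port=s["lport"])
    return None   # permitted, but no translation exists for the destination


# Constructed sample: an Internet client on an ephemeral port opening the
# FTP control channel to the firewall's outside address.
CLIENT = Flow("tcp", "203.0.113.7", 51234, OUTSIDE_IF_IP, 21)
ORIGINAL_ACL = [parse_ace(
    "access-list outside_access_in permit tcp interface outside eq ftp any eq ftp")]
FIXED_ACL = [parse_ace(
    "access-list outside_access_in permit tcp any interface outside eq ftp"),
    parse_ace(
    "access-list outside_access_in permit tcp any interface outside eq ftp-data")]
STATICS = [parse_static(
    f"static (inside,outside) tcp {OUTSIDE_IF_IP} ftp 10.0.0.10 ftp netmask 255.255.255.255 0 0")]


def demo() -> dict:
    """Outcome of each ACL for the sample client flow, with the port static applied."""
    return {"original": inbound(CLIENT, ORIGINAL_ACL, STATICS),
            "fixed": inbound(CLIENT, FIXED_ACL, STATICS)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s}: {'dropped' if result is None else result}")
```

The original line fails because `interface outside eq ftp` sits in the source position, so it only matches packets sent from the firewall's own address with source port 21; a real client arrives from an arbitrary address on an ephemeral port, and the implicit deny drops it. One caveat on the ftp-data entry: both configs in this thread already carry `fixup protocol ftp 21`, and that inspection is what opens the data channel for active and passive transfers, so the extra line is harmless but not what makes transfers work.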
18 years 1 month ago #17231 by tonyr
Getting the following error: ERROR: invalid netmask 255.255.255.0 with global address 74.247.168.12

When trying the suggested static (inside, outside) commands.
18 years 1 month ago #17232 by Smurf
Hmmm, never actually configured it with a dynamic address on the external interface.

What happens if you try the netmask as 255.255.255.255 ?

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

18 years 1 month ago #17236 by tonyr
Still Nothing.
I'm posting my updated config below:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
hostname pixfirewall
domain-name pharmapacllc.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any interface outside eq ftp
access-list outside_access_in permit tcp any interface outside eq ftp-data
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.0.10 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 74.247.x.x ftp-data 10.0.0.10 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 74.247.x.x ftp 10.0.0.10 ftp netmask 255.255.255.255 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.2-10.0.0.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:1a15b1950e51ae597810cf400c822727
: end
[OK]
18 years 1 month ago #17247 by Smurf
I would edit the post and star out the encrypted passwords (there are tools around to decrypt them).

That should work as far as I can see. The only question now is, what's happened to the access-group? Is this no longer there? It will need to be applied to the external interface.

access-group outside_access_in in interface outside

Also, if you do a show access-list, does it list any hits against the lines? I am guessing you can ping the ftp server from the pix?

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
