Velocity Reviews - Computer Hardware Reviews

Help with internal FTP server on Cisco Pix 506E

 
 
fwallace99
05-25-2006
Hi all --

I know this one has been gone over a lot, however I'm stuck. Reading
through and trying the various messages on this topic has not helped.

I have an internal (192.168.1.x) server that is hosting FTP. Works fine
internally.

I want to PAT with the CISCO Pix 506E so that users can FTP into the
server and upload files, download, etc.

So far nothing has worked, neither the PDM nor the command line. I've
enclosed the configuration below. This has taken far longer than I
expected; I would greatly appreciate any help.

[I can SSH to an outside box, no problem. But I can't FTP from that box
back into the server "Canal" ]

pixfirewall# show config
: Saved
: Written by ******** at 17:40:56.188 GMT/BDT Wed May 24 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password _________________ encrypted
passwd ________________________ encrypted
hostname pixfirewall
domain-name me.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.xx Canal
object-group service SSH_group tcp
port-object eq ssh
object-group service FTP_group tcp
description FTP
port-object eq ftp
object-group service webservices tcp
port-object eq ftp
access-list outside_access_in remark SSH
access-list outside_access_in permit tcp any object-group SSH_group any object-group SSH_group
access-list outside_access_in remark FTP Service
access-list outside_access_in permit tcp any object-group FTP_group any object-group FTP_group
access-list outside_access_in remark FTP
access-list outside permit tcp any host Canal eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 75.7.239.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Canal 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Canal 75.7.239.233 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.7.239.238 1
route outside 75.7.239.233 255.255.255.255 75.7.239.238 1
route outside 75.7.239.233 255.255.255.255 Canal 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 206.13.29.12 206.13.30.12
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd enable inside
<admin stuff omitted>

 
Walter Roberson
05-25-2006
In article <. com>,
fwallace99 <> wrote:
>I have an internal (192.168.1.x) server that is hosting FTP. Works fine
>internally.


>I want to PAT with the CISCO Pix 506E so that users can FTP into the
>server and upload files, download, etc.


>PIX Version 6.3(5)
>name 192.168.1.xx Canal
>object-group service FTP_group tcp
> description FTP
> port-object eq ftp


>access-list outside_access_in permit tcp any object-group FTP_group any object-group FTP_group


That is only going to match if the source port is 21 and the destination
port is 21. Take out the first object-group FTP_group.

>access-list outside_access_in remark FTP
>access-list outside permit tcp any host Canal eq ftp


Notice that that second line has a different access list name.
It is therefore not part of the outside_access_in as might be implied
by the remark directly above.

Changing the ACL name will help, as the reference is to the *internal*
host IP, but ACLs applied to the outside interface must refer to
the *public* host IP.

Besides, once the FTP_group line is fixed this other line will
be redundant. Just remove it -- there are some other reasons not
to try to salvage it.

>ip address outside 75.7.239.233 255.255.255.0
>ip address inside 192.168.1.1 255.255.255.0


>global (outside) 1 interface
>nat (inside) 1 0.0.0.0 0.0.0.0 0 0
>static (inside,outside) Canal 75.7.239.233 netmask 255.255.255.255 0 0


That's a NAT configuration, not a PAT configuration. And in PIX 6.x,
you cannot NAT the outside IP address by IP number.

static (inside,outside) tcp interface ftp Canal ftp netmask 255.255.255.255 0 0

>access-group outside_access_in in interface outside
>route outside 0.0.0.0 0.0.0.0 75.7.239.238 1
>route outside 75.7.239.233 255.255.255.255 75.7.239.238 1
>route outside 75.7.239.233 255.255.255.255 Canal 2


Those last two route statements are wrong and should be removed.

>dhcpd address 192.168.1.2-192.168.1.254 inside


Your DHCP pool overlaps with your definition of host Canal, which
is going to cause problems for you.

 
fwallace99
06-05-2006
Walter --

OK, I've made the following changes (and I'm obviously missing
something here):
[Reminder, I want to have the firewall route/allow to my internal FTP
server (which gets its DHCP from the firewall, max lease time; and
also now add an internal web server also routable from the Outside).]

Maybe someone has an example setup working for their internal FTP or
Web Servers routable and accessible to the outside?

Mucho thanks to anyone who can help; I sort of work on this in spurts
as I can break away from other things.

pixfirewall(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXX encrypted
passwd YYYYYYYYYYYYYYYYYYY encrypted
hostname pixfirewall
domain-name vitalmedianet.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.21 Canal
object-group service SSH_group tcp
port-object eq ssh
access-list outside_access_in remark SSH
access-list outside_access_in permit tcp any object-group SSH_group any object-group SSH_group

#I had access-list stuff added for FTP, as above for SSH, didn't work

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 75.7.239.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Canal 255.255.255.255 outside
pdm location 75.7.239.233 255.255.255.255 inside
pdm location Canal 255.255.255.255 inside
pdm location 192.168.1.11 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

# Why won't this route work?
static (inside,outside) tcp 75.7.239.233 ftp Canal ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 75.7.239.233 www 192.168.1.11 www netmask 255.255.255.255 0 0
#obviously missing something


access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.7.239.238 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 206.13.29.12 206.13.30.12
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd enable inside

...
[OK]
pixfirewall(config)#





Walter Roberson
06-06-2006
In article < .com>,
fwallace99 <> wrote:
> [Reminder, I want to have the firewall route/allow to my internal FTP
>server (which gets its DHCP from the firewall, max lease time; and
>also now add an internal web server also routable from the Outside).


You cannot do that with a PIX 506E unless the DHCP pool is exactly
one address wide and that host is the *only* host getting its
address from the DHCP pool -- not unless the addresses in the
DHCP pool are public IP addresses and you permit telnet to *all*
of them.

There is no mechanism in PIX 6.x DHCP to reserve a particular IP for
a particular MAC address (host), so the internal FTP server might
be given any address in the pool. There is no mechanism in PIX 6.x
to associate a static external address (or port on the interface IP)
with a particular internal MAC, so if you want to be able to ftp to
the server from outside, every IP in the DHCP pool must be static'd
(or nat 0 access-list) or every IP in the DHCP pool must be port
forwarded via a different external port.

If you want a host to be a server accessible from outside the PIX,
you should ensure that it has a fixed IP address. PIX 6.x DHCP cannot
provide that for you (except in the trivial single-address-pool case.)
 
fwallace99
06-06-2006
Walter, that part I got.

Since I'm going to be managing the system anyway, I set the lease time
to max amount (I think it's something like 200 days or so), and if need
be I'll just change the routing in the Pix to route to the new IP
anyway when the lease rolls over around 6 mos or so.

It's a small office, fairly "flat" in hierarchy, so I need DHCP
internally; if need be I can set manual IPs outside a specified range
etc.

I'm OK with kludging either way. What I'm having difficulty with is my
static route and access list are not allowing FTP or WWW access (I can
SSH to my outside box and use Lynx or FTP to connect to other sites but
not my external IP):

[ANY suggestions here greatly appreciated]

pixfirewall# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NNNNNNNNNNNNNN encrypted
passwd NNNNNNNNNNNNNNNNNNN encrypted
hostname pixfirewall
domain-name vitalmedianet.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.21 Canal
object-group service SSH_group tcp
port-object eq ssh

;Yeah I know, "any any" is bad practice, however even wide open
;here is not working. What gives?
access-list Inbound permit tcp any any eq www
access-list Inbound permit tcp any any eq ftp

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 75.7.239.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Canal 255.255.255.255 outside
pdm location 75.7.239.233 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

; shouldn't these work?
static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Canal ftp netmask 255.255.255.255 0 0


route outside 0.0.0.0 0.0.0.0 75.7.239.238 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 206.13.29.12 206.13.30.12
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd enable inside
username admin password NNNNNNNNNNNNNNN encrypted privilege 15
username floyd password NNNNNNNNNNNNNNNNNNNNNNN encrypted privilege 15
terminal width 80
Cryptochecksum:NNNNNNNNNNNNNNNNNNNNNNNNNN
: end
[OK]
pixfirewall#




Walter Roberson
06-07-2006
In article < .com>,
fwallace99 <> wrote:

>PIX Version 6.3(5)


>;Yeah I know, "any any" is bad practice, however even wide open
>;here is not working. What gives?
>access-list Inbound permit tcp any any eq www
>access-list Inbound permit tcp any any eq ftp


You are missing,

access-group Inbound in interface outside
 
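
Walter's two replies point at config-level mistakes that are easy to catch mechanically: a service object-group placed in the source-port position, a remark followed by an entry under a different access-list name, and an access-list that is never bound with access-group. The lint below is an added example, not Cisco tooling and not code from the thread. It tokenizes a PIX 6.3 text config by hand and also flags a static whose mapped (global) address is the interface's literal IP rather than the interface keyword, or resolves to a private address (PIX static syntax is mapped address first, real address second). The embedded sample is constructed from the configs posted in this thread, with the Canal name resolved to 192.168.1.21 as in the later config; the finding codes are this example's own.

```python
"""Lint a PIX 6.3 text configuration for the mistakes discussed in this thread.

Added example (hypothetical tooling, not Cisco's); finding codes are our own.
"""
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the relevant lines from the configs posted in the
# thread, with Canal resolved to 192.168.1.21 as in the poster's later config.
SAMPLE_CONFIG = """\
name 192.168.1.21 Canal
object-group service SSH_group tcp
port-object eq ssh
object-group service FTP_group tcp
port-object eq ftp
access-list outside_access_in remark SSH
access-list outside_access_in permit tcp any object-group SSH_group any object-group SSH_group
access-list outside_access_in remark FTP Service
access-list outside_access_in permit tcp any object-group FTP_group any object-group FTP_group
access-list outside_access_in remark FTP
access-list outside permit tcp any host Canal eq ftp
access-list Inbound permit tcp any any eq ftp
ip address outside 75.7.239.233 255.255.255.0
static (inside,outside) Canal 75.7.239.233 netmask 255.255.255.255 0 0
static (inside,outside) tcp 75.7.239.233 ftp Canal ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""


def _source_port_spec(body, svc_groups):
    """body = ['permit', 'tcp', <source spec>, <dest spec>, ...].
    Return the tokens that pin the *source* port, or None.  A service
    object-group (or eq/range) right after the source address is a source
    port match: it only hits if the client happens to use that port."""
    if len(body) < 3 or body[1] not in ("tcp", "udp"):
        return None
    i = 3 if body[2] == "any" else 4   # 'any' | 'host X' | 'object-group G' | 'A MASK'
    if i >= len(body):
        return None
    nxt = body[i]
    if nxt == "object-group" and i + 1 < len(body) and body[i + 1] in svc_groups:
        return " ".join(body[i:i + 2])
    if nxt in ("eq", "neq", "lt", "gt"):
        return " ".join(body[i:i + 2])
    if nxt == "range":
        return " ".join(body[i:i + 3])
    return None


def _is_private(addr, names):
    try:
        ip = ipaddress.ip_address(names.get(addr, addr))
    except ValueError:                      # 'interface' keyword or unknown name
        return False
    return any(ip in net for net in PRIVATE_NETS)


def lint_pix_config(text):
    """Return a list of (finding_code, offending line or ACL name)."""
    names, svc_groups, if_addrs = {}, set(), {}
    acl_seq, defined, bound, statics = [], set(), {}, []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0][0] in ":!#;":      # blank, banner or comment line
            continue
        if t[0] == "name" and len(t) >= 3:
            names[t[2]] = t[1]                          # alias -> address
        elif t[:2] == ["object-group", "service"] and len(t) >= 3:
            svc_groups.add(t[2])
        elif t[:2] == ["ip", "address"] and len(t) >= 4:
            if_addrs[t[3]] = t[2]                       # address -> interface
        elif t[0] == "access-list" and len(t) >= 3:
            acl_seq.append((t[1], t[2:], raw))
            if t[2] != "remark":
                defined.add(t[1])
        elif t[0] == "access-group" and len(t) >= 5:
            bound[t[1]] = raw
        elif t[0] == "static" and len(t) >= 4:
            statics.append((t, raw))

    findings = []
    for _, body, raw in acl_seq:
        if _source_port_spec(body, svc_groups):
            findings.append(("src-port", raw))
    for (n1, b1, _), (n2, b2, raw2) in zip(acl_seq, acl_seq[1:]):
        if b1[0] == "remark" and b2[0] != "remark" and n1 != n2:
            findings.append(("remark-mismatch", raw2))
    for name in sorted(defined - set(bound)):
        findings.append(("acl-unbound", name))          # defined, never applied
    for name, raw in bound.items():
        if name not in defined:
            findings.append(("acl-undefined", raw))     # applied, never defined
    for t, raw in statics:
        # static (real_if,mapped_if) [tcp|udp] MAPPED [port] REAL [port] ...
        mapped = t[3] if t[2] in ("tcp", "udp") else t[2]
        if mapped in if_addrs:
            findings.append(("static-literal-ip", raw))  # PIX 6.x wants 'interface'
        elif _is_private(mapped, names):
            findings.append(("static-private-mapped", raw))
    return findings


if __name__ == "__main__":
    for code, detail in lint_pix_config(SAMPLE_CONFIG):
        print(f"{code:22} {detail}")
```

Run against the sample it reports both object-group entries as source-port matches, the `access-list outside` line as uncovered by the remark above it, `Inbound` and `outside` as never bound, the port static that names 75.7.239.233 literally, and the first static whose mapped address resolves to the private host. The `acl-unbound` check is the one that would have caught the missing `access-group Inbound` directly.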
 
fwallace99
06-07-2006
Walter ---

Thanks yeah I need the access-group too ... but it's still not working:

access-list Inbound permit tcp any any eq www
access-list Inbound permit tcp any any eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 75.7.239.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Canal 255.255.255.255 outside
pdm location 75.7.239.233 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Canal ftp netmask 255.255.255.255 0 0

: Added, still no go.
access-group Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 75.7.239.238 1



Show Logging:
106015: Deny TCP (no connection) from 192.168.1.12/49773 to 207.115.63.79/110 flags ACK on interface inside
#my internal network box

305012: Teardown dynamic TCP translation from inside:192.168.1.19/1981 to outside:75.7.239.233/4341 duration 0:00:31
710005: UDP request discarded from 192.168.1.19/631 to inside:192.168.1.255/631
302014: Teardown TCP connection 384740 for outside:63.199.111.91/22 to inside:192.168.1.12/49769 duration 0:05:27 bytes 17872 TCP Reset-O
#above I'm trying to FTP from my external server into the internal server here in the office.

106015: Deny TCP (no connection) from 63.199.111.91/22 to 75.7.239.233/4288 flags RST on interface outside
#OK obviously Pix is denying the FTP traffic on Port 22.

305012: Teardown dynamic TCP translation from inside:192.168.1.16/50468 to outside:75.7.239.233/4342 duration 0:00:31
106023: Deny icmp src outside:75.7.239.238 dst inside:75.7.239.233 (type 3, code 0) by access-group "Inbound"
# Hmmm ... what's this? Obviously it's traffic from our gateway/router trying to get to "Inbound" but being denied.

302014: Teardown TCP connection 384819 for outside:64.202.189.148/80 to inside:192.168.1.16/50470 duration 0:00:27 bytes 21511 TCP FINs
305012: Teardown dynamic UDP translation from inside:192.168.1.12/49374 to outside:75.7.239.233/1501 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.1.12/49772 to outside:75.7.239.233/4343 duration 0:00:31
#traffic from my box here on the LAN in the office.

305012: Teardown dynamic TCP translation from inside:192.168.1.16/50469 to outside:75.7.239.233/4344 duration 0:00:31


Pretty weird. Dunno why Cisco Pix is first tearing down the port 22
connection from my .91 box and then denying it. Maybe I'm just
channeling Homer Simpson here.


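
The "show logging" excerpt in that post mixes policy denies with stateless drops and connection teardowns, and the two are easy to confuse. As an added example (not from the thread and not Cisco tooling), the following Python parses the PIX 6.x message layouts as they appear in that output, separates 106023 access-group denies from 106015 "no connection" drops, checks whether any drop actually involved the forwarded ports 21 and 80, and pairs each 106015 drop with an earlier 302014 teardown of a connection to the same remote endpoint. The sample lines are constructed from the poster's output with the line wraps rejoined; the field layouts, the message IDs handled and the forwarded-port list are assumptions about the format shown, not verified against a device.

```python
"""Triage PIX 6.x 'show logging' output: policy denies vs. stateless drops.

Added example, not Cisco tooling; the message layouts are assumed from the
lines quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample: the poster's "show logging" lines with wraps rejoined.
SAMPLE_LOG = """\
106015: Deny TCP (no connection) from 192.168.1.12/49773 to 207.115.63.79/110 flags ACK on interface inside
305012: Teardown dynamic TCP translation from inside:192.168.1.19/1981 to outside:75.7.239.233/4341 duration 0:00:31
710005: UDP request discarded from 192.168.1.19/631 to inside:192.168.1.255/631
302014: Teardown TCP connection 384740 for outside:63.199.111.91/22 to inside:192.168.1.12/49769 duration 0:05:27 bytes 17872 TCP Reset-O
106015: Deny TCP (no connection) from 63.199.111.91/22 to 75.7.239.233/4288 flags RST on interface outside
106023: Deny icmp src outside:75.7.239.238 dst inside:75.7.239.233 (type 3, code 0) by access-group "Inbound"
302014: Teardown TCP connection 384819 for outside:64.202.189.148/80 to inside:192.168.1.16/50470 duration 0:00:27 bytes 21511 TCP FINs
"""

# [iface:]a.b.c.d[/port], with group names prefixed by src_ or dst_
ENDPOINT = r"(?:(?P<{p}if>\w+):)?(?P<{p}ip>\d+\.\d+\.\d+\.\d+)(?:/(?P<{p}port>\d+))?"
SRC, DST = ENDPOINT.format(p="src_"), ENDPOINT.format(p="dst_")

PATTERNS = {
    # packet matched no tracked connection (late ACK/RST after teardown, ...)
    "106015": re.compile(r"Deny (?P<proto>\w+) \(no connection\) from " + SRC + r" to " + DST
                         + r" flags (?P<flags>[\w ]+?) on interface (?P<iface>\w+)"),
    # packet refused by an access-list bound with access-group
    "106023": re.compile(r"Deny (?P<proto>\w+) src " + SRC + r" dst " + DST
                         + r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
                         + r'.*? by access-group "(?P<acl>[^"]+)"'),
    # tracked connection removed; the reason says which side ended it
    "302014": re.compile(r"Teardown TCP connection (?P<conn>\d+) for " + SRC + r" to " + DST
                         + r" duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"),
}


def parse_line(line):
    """Split 'ID: text' and pull out the fields the ID's pattern knows about."""
    msg_id, _, rest = line.strip().partition(": ")
    rec = {"id": msg_id, "raw": line.strip()}
    pat = PATTERNS.get(msg_id)
    if pat:
        m = pat.search(rest)
        if m:
            rec.update({k: v for k, v in m.groupdict().items() if v is not None})
    return rec


def classify(rec):
    """Refused by policy, dropped for lack of state, or just bookkeeping?"""
    return {"106023": "acl-deny", "106015": "stateless-drop",
            "302014": "teardown", "305012": "teardown"}.get(rec["id"], "other")


def late_packets(recs):
    """Pair each 106015 drop with an earlier 302014 teardown whose remote
    endpoint (ip/port) matches the dropped packet's source: the packet simply
    arrived after the connection had left the table.  Returns (conn id, raw)."""
    torn, pairs = [], []
    for r in recs:
        if r["id"] == "302014" and "src_ip" in r:
            torn.append((r["src_ip"], r.get("src_port"), r["conn"]))
        elif r["id"] == "106015" and "src_ip" in r:
            for ip, port, conn in torn:
                if (ip, port) == (r["src_ip"], r.get("src_port")):
                    pairs.append((conn, r["raw"]))
                    break
    return pairs


def triage(log_text, forwarded_ports=(21, 80)):
    """Summarise the log and list any drop that actually hit a forwarded port."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    summary = Counter(classify(r) for r in recs)
    hits = [r["raw"] for r in recs
            if classify(r) in ("acl-deny", "stateless-drop")
            and r.get("dst_port") and int(r["dst_port"]) in forwarded_ports]
    acl_denies = [(r["proto"], r["src_ip"], r["dst_ip"], r["acl"])
                  for r in recs if r["id"] == "106023" and "acl" in r]
    return {"summary": summary, "forwarded_port_hits": hits,
            "acl_denies": acl_denies, "late": late_packets(recs)}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

On the sample this yields one access-group deny (the ICMP type 3 from the gateway, for which the two-line Inbound list has no icmp entry), two stateless drops, and no drop at all on port 21 or 80; the port-22 RST pairs with teardown 384740, so it is the tail of the already-removed SSH session rather than the FTP test being blocked. When the ports you forward never appear in any deny, the thing to verify next is the access-group binding and the static, not the access-list entries.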
 
 
 