A simple newbie question (Pix 501)

Markus Heidfels
12-03-2003
Dear group, I hope someone can point this newbie in the right direction. My
network is connected to the internet, with a Pix 501 firewall. I am trying
to open port 21 to allow ftp traffic to a server behind the firewall.

What I have tried so far is:

access-list outin permit tcp any any eq ftp
access-group outin in interface outside
static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask 255.255.255.255 0 0

I must be missing something, but what?
From the outside port 21 is still closed

Best regards
Markus

Rik Bain
12-03-2003
On Wed, 03 Dec 2003 14:06:22 -0600, Markus Heidfels wrote:

> Dear group, I hope someone can point this newbie in the right direction.
> My network is connected to the internet, with a Pix 501 firewall. I am
> trying to open port 21 to allow ftp traffic to a server behind the
> firewall.
>
> What I have tried so far is:
>
> access-list outin permit tcp any any eq ftp
> access-group outin in interface outside
> static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask 255.255.255.255 0 0
>
> I must be missing something, but what? From the outside port 21 is still
> closed
>
> Best regards
> Markus
"clear xlate" after making the changes?

-or-

Does the connection attempt report refused or is it silently dropped?
Walter Roberson
12-03-2003
In article <(E-Mail Removed) .org>,
Rik Bain <(E-Mail Removed)> wrote:
:On Wed, 03 Dec 2003 14:06:22 -0600, Markus Heidfels wrote:
:> My network is connected to the internet, with a Pix 501 firewall. I am
:> trying to open port 21 to allow ftp traffic to a server behind the
:> firewall.

:> What I have tried so far is:

:> access-list outin permit tcp any any eq ftp
:> access-group outin in interface outside
:> static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask 255.255.255.255 0 0

:"clear xlate" after making the changes?

"clear xlate" is a good recommendation: when you add new statics to the
interface, the PIX will usually not notice them without a "clear xlate".

I would also suggest opening the ftp-data port (tcp 20) unless you
are using passive ftp.
--
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.
Markus Heidfels
12-03-2003
"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> schreef in bericht
news:bqlgg6$7v1$(E-Mail Removed)...
> In article <(E-Mail Removed) .org>,
> Rik Bain <(E-Mail Removed)> wrote:
> :On Wed, 03 Dec 2003 14:06:22 -0600, Markus Heidfels wrote:
> :> My network is connected to the internet, with a Pix 501 firewall. I am
> :> trying to open port 21 to allow ftp traffic to a server behind the
> :> firewall.
>
> :> What I have tried so far is:
>
> :> access-list outin permit tcp any any eq ftp
> :> access-group outin in interface outside
> :> static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask 255.255.255.255 0 0
>
> :"clear xlate" after making the changes?
>


I have done that, makes no difference. Just these three lines should open
port 21 and redirect it to my server or not?

> "clear xlate" is a good recommendation: when you add new statics to the
> interface, the PIX will usually not notice them without a "clear xlate".
>
> I would also suggest opening the ftp-data port (tcp 20) unless you
> are using passive ftp.


I haven't tried that yet. I test my connection from a shell server on the
internet. A telnet session to port 21 times out, just as an ordinary ftp
connection attempt does.

Regards
Markus
Walter Roberson
12-03-2003
In article <3fce4997$0$206$(E-Mail Removed)4all.nl>,
Markus Heidfels <(E-Mail Removed)> wrote:
: access-list outin permit tcp any any eq ftp
: access-group outin in interface outside
: static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask 255.255.255.255 0 0

| Just these three lines should open
|port 21 and redirect it to my server or not?

Yes.

|I test my connection from a shell server on the
|internet. A telnet session to port 21 times out, just as an ordinary ftp
|connection attempt

I suggest temporarily pushing the logging level up to debugging,
and checking the logs as you make the attempt. You should see a
static translation being built [I think], and then you should see
a 'Built' message showing the outside source and the inside destination.


Say, I wonder if you are hitting the problem that some people have been
having lately? Try adding this:

nat (inside) 2 192.168.0.33 255.255.255.255 0 0
global (outside) 2 interface


--
Cottleston, Cottleston, Cottleston pie.
A bird can't whistle and neither can I. -- Pooh
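The thread's diagnosis boils down to a checklist: a static for the port, an access-list permitting it, that list bound inbound on the outside interface, tcp/20 for active FTP, and the nat/global pair Walter suggests. The script below is an added example (not from any poster) that parses PIX 6.x-style statements and reports which of those pieces are missing for a given inside host and port; it assumes the simple `any any` access-list form used in the thread and the constructed configs embedded in it.

```python
import re

# Keyword ports as the PIX CLI accepts them in place of numbers.
PORTS = {"ftp": 21, "ftp-data": 20, "www": 80, "https": 443, "smtp": 25, "ssh": 22}

def _port(tok):
    return PORTS[tok] if tok in PORTS else int(tok)

def parse_pix(text):
    """Collect the statements that matter for an inbound port-forward."""
    cfg = {"acl": {}, "group": {}, "static": [], "nat": set(), "global": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) permit (tcp|udp|ip) .*?(?: eq (\S+))?$", line):
            cfg["acl"].setdefault(m[1], []).append((m[2], _port(m[3]) if m[3] else None))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["group"][m[2]] = m[1]
        elif m := re.match(r"static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)", line):
            cfg["static"].append((m[4], _port(m[5]), m[6], _port(m[7])))  # (outside addr, port, inside ip, port)
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+)", line):
            cfg["nat"].add((m[1], m[2], m[3]))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg["global"].add((m[1], m[2]))
    return cfg

def check_forward(text, inside_ip, port, outside="outside"):
    """Return the reasons tcp/<port> to inside_ip may still be unreachable (empty list = all pieces present)."""
    cfg = parse_pix(text)
    findings = []
    if not any(s[1] == port and s[2] == inside_ip for s in cfg["static"]):
        findings.append(f"no static maps outside tcp/{port} to {inside_ip}")
    acl = cfg["group"].get(outside)
    rules = cfg["acl"].get(acl, [])
    if acl is None:
        findings.append(f"no access-group bound inbound on interface {outside}")
    elif not any(p in (None, port) and pr in ("tcp", "ip") for pr, p in rules):
        findings.append(f"access-list {acl} does not permit tcp/{port}")
    if port == 21 and acl and not any(p == 20 for _, p in rules):
        findings.append("tcp/20 (ftp-data) not permitted: active-mode FTP will fail")
    nat_ids = {nid for _, nid, host in cfg["nat"] if host == inside_ip}
    if not any((outside, nid) in cfg["global"] for nid in nat_ids):
        findings.append(f"no nat/global pair covers {inside_ip} (the extra two lines suggested above)")
    return findings

# Constructed sample: the three lines from the original post, then the thread's additions.
POSTER_CONFIG = """access-list outin permit tcp any any eq ftp
access-group outin in interface outside
static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask 255.255.255.255 0 0"""
FIXED_CONFIG = POSTER_CONFIG + """
access-list outin permit tcp any any eq ftp-data
nat (inside) 2 192.168.0.33 255.255.255.255 0 0
global (outside) 2 interface"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTER_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_forward(cfg, "192.168.0.33", 21) or ["all pieces present"])
```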