«

Dear group, I hope someone can point this newbie in the right direction. My
network is connected to the internet, with a Pix 501 firewall. I am trying
to open port 21 to allow ftp traffic to a server behind the firewall.

What I have tried so far is:

access-list outin permit tcp any any eq ftp
access-group outin in interface outside
static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask
255.255.255.255 0 0

I must be missing something, but what?
From the outside port 21 is still closed

Best regards
Markus

On Wed, 03 Dec 2003 14:06:22 -0600, Markus Heidfels wrote:

> Dear group, I hope someone can point this newbie in the right direction.
> My network is connected to the internet, with a Pix 501 firewall. I am
> trying to open port 21 to allow ftp traffic to a server behind the
> firewall.
>
> What I have tried so far is:
>
> access-list outin permit tcp any any eq ftp access-group outin in
> interface outside static (inside,outside) tcp interface ftp 192.168.0.33
> ftp netmask 255.255.255.255 0 0
>
> I must be missing something, but what? From the outside port 21 is still
> closed
>
> Best regards
> Markus


"clear xlate" after making the changes?

-or-

Does the connection attempt report refused or is it silently dropped?

In article < .org>,
Rik Bain <> wrote:
:On Wed, 03 Dec 2003 14:06:22 -0600, Markus Heidfels wrote:
:> My network is connected to the internet, with a Pix 501 firewall. I am
:> trying to open port 21 to allow ftp traffic to a server behind the
:> firewall.

:> What I have tried so far is:

:> access-list outin permit tcp any any eq ftp access-group outin in
:> interface outside static (inside,outside) tcp interface ftp 192.168.0.33
:> ftp netmask 255.255.255.255 0 0

:"clear xlate" after making the changes?

"clear xlate" is a good recommendation: when you add new statics to the
interface, the PIX will usually not notice them without a "clear xlate".

I would also suggest opening the ftp-data port (tcp 20) unless you
are using passive ftp.
--
Studies show that the average reader ignores 106% of all statistics
they see in .signatures.

"Walter Roberson" <> schreef in bericht
news:bqlgg6$7v1$...
> In article < .org>,
> Rik Bain <> wrote:
> :On Wed, 03 Dec 2003 14:06:22 -0600, Markus Heidfels wrote:
> :> My network is connected to the internet, with a Pix 501 firewall. I am
> :> trying to open port 21 to allow ftp traffic to a server behind the
> :> firewall.
>
> :> What I have tried so far is:
>
> :> access-list outin permit tcp any any eq ftp access-group outin in
> :> interface outside static (inside,outside) tcp interface ftp
192.168.0.33
> :> ftp netmask 255.255.255.255 0 0
>
> :"clear xlate" after making the changes?
>

I have done that, makes no difference. Just these three lines should open
port 21 and redirect it to my server or not?

> "clear xlate" is a good recommendation: when you add new statics to the
> interface, the PIX will usually not notice them without a "clear xlate".
>
> I would also suggest opening the ftp-data port (tcp 20) unless you
> are using passive ftp.

I haven't tried that yet. I test my connection from a shell server on the
internet. A telnet session to port 21 times out, just as an ordinary ftp
connection attempt

Regards
Markus

In article <3fce4997$0$206$>,
Markus Heidfels <> wrote:
: access-list outin permit tcp any any eq ftp
: access-group outin in
: interface outside static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask 255.255.255.255 0 0

| Just these three lines should open
|port 21 and redirect it to my server or not?

Yes.

|I test my connection from a shell server on the
|internet. A telnet session to port 21 times out, just as an ordinary ftp
|connection attempt

I suggest temporarily pushing the logging level up to debugging,
and checking the logs as you make the attempt. You should see a
static translation being built [I think], and then you should see
a 'Built' message showing the outside source and the inside destination.


Say, I wonder if you are hitting the problem that some people have been
having lately? Try adding this:

nat (inside) 2 192.168.0.33 255.255.255.255 0 0
global (outside) 2 interface


--
Cottleston, Cottleston, Cottleston pie.
A bird can't whistle and neither can I. -- Pooh