FTP through PIX DMZ

Peter
08-24-2004
I have recently reconfigured my network to move all my Internet facing
hosts from the core network to a DMZ subnet connected through my PIX
firewall.

Following the move all my services (web servers, Exchange mail,
Exchange conferencing) are working as normal. However, the FTP server
refuses point blank to work.

The server is hosted on a Windows 2000 Server and was working
perfectly prior to the move. If accessed from inside the firewall, it
works as expected. Clients outside the firewall can connect to the
server, and login. They are unable to retrieve the directory listing
or any files etc.

The ftp server does attempt to initiate the outbound connection, as I
can see the packet arriving on the PIX. It doesn't seem to be
forwarded however.

There is no access list filtering traffic leaving the DMZ.
There is a static mapping from the real to the internal ftp server
address.
NAT does not take place between the inside & DMZ.
The fixup service for FTP is enabled.

Everything looks right as far as I can see, but it just won't work.
Does anyone have any ideas, or know of any gotchas with this kind of
setup?

Thanks in advance for your help,

Peter

As an aside, as I don't really want to go this route, I tried forcing
an FTP client to use passive mode ftp, but this also failed. To use
this would I need to open the ftp data port inbound on the PIX also?

name FTP 1.2.3.4
static (DMZ,outside) FTP 10.1.1.6 netmask 255.255.255.255 0 0
access-list dmz permit ip any any
access-list outside-dmz permit tcp any host FTP eq ftp
access-group dmz in int DMZ
access-group outside-dmz in int outside
Walter Roberson
08-24-2004
In article <(E-Mail Removed)> ,
Peter <(E-Mail Removed)> wrote:
:The server is hosted on a Windows 2000 Server and was working
:perfectly prior to the move. If accessed from inside the firewall, it
:works as expected. Clients outside the firewall can connect to the
:server, and login. They are unable to retrieve the directory listing
:or any files etc.

I suggest you turn your syslog level up to maximum, make sure you
haven't turned off any of the IDS messages, and see whether the
syslog shows any complaints when you attempt the access, such as
complaints that the port or IP address is incorrect.

If you are running a recent PIX version, 'capture' the return
packets and examine them in detail.

At last resort, you could try 'debug fixup', but if your network
is active, that's going to give you too much data to deal with.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
Samjack
08-27-2004
Your config mentions FTP but what about ftp-data? FTP uses both 20 and 21.

Walter Roberson
08-28-2004
In article <tsPXc.117$(E-Mail Removed)>,
Samjack <(E-Mail Removed)> wrote:
:Your config mentions FTP but what about ftp-data? FTP uses both 20 and 21.

The PIX ftp fixup knows about port 20.
--
So you found your solution
What will be your last contribution?
-- Supertramp (Fool's Overture)
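As an added illustration (not code from any poster, and not Cisco's own implementation), here is a small Python model of what the PIX FTP fixup has to do with the control channel in Peter's setup: for a client PORT command it records the server-to-client data connection that will come from TCP/20, and for a server 227 (passive) reply it rewrites the embedded real address 10.1.1.6 to the static 1.2.3.4 and records the inbound data connection it must allow. The sample control lines and the 203.0.113.7 client address are constructed; the two server addresses come from the posted config.

```python
import re

# Constructed values taken from the config Peter posted: the FTP server's
# real DMZ address and the static mapping presented on the outside interface.
SERVER_REAL = "10.1.1.6"
SERVER_STATIC = "1.2.3.4"

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(groups):
    """Turn the six FTP octets h1,h2,h3,h4,p1,p2 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(ip, port):
    """Inverse of decode_hostport, used to rewrite a 227 reply."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def inspect_control_line(line, real_ip=SERVER_REAL, mapped_ip=SERVER_STATIC):
    """Model of what the FTP fixup does with one control-channel line:
    which data connection to expect ("pinhole", as src_ip, src_port,
    dst_ip, dst_port) and how the line should look after NAT.
    Lines without PORT/227 pass through untouched."""
    m = PORT_RE.match(line)
    if m:
        client_ip, client_port = decode_hostport(m.groups())
        # Active mode: the server opens DMZ -> outside from TCP/20 to the
        # client's endpoint. That address is already public, so no rewrite.
        return {"mode": "active",
                "pinhole": (real_ip, 20, client_ip, client_port),
                "rewritten": line}
    m = PASV_RE.match(line)
    if m:
        adv_ip, adv_port = decode_hostport(m.groups())
        if adv_ip != real_ip:
            # Only the address of the host that sent the reply is trusted.
            raise ValueError(f"227 advertises {adv_ip}, expected {real_ip}")
        # Passive mode: the client opens outside -> DMZ to the advertised
        # port. The reply carries the private 10.1.1.6, which the fixup must
        # rewrite to the static address or the client has nowhere to connect.
        new = line.replace(encode_hostport(adv_ip, adv_port),
                           encode_hostport(mapped_ip, adv_port), 1)
        return {"mode": "passive",
                "pinhole": ("any", None, mapped_ip, adv_port),
                "rewritten": new}
    return {"mode": None, "pinhole": None, "rewritten": line}
```

The passive pinhole is the one that would otherwise need an inbound ACL entry; with the fixup inspecting the control channel it is opened per transfer instead.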
Dominic
09-21-2004
(E-Mail Removed) (Walter Roberson) wrote in message news:<cgorb9$gnc$(E-Mail Removed)>...
> In article <tsPXc.117$(E-Mail Removed)>,
> Samjack <(E-Mail Removed)> wrote:
> :Your config mentions FTP but what about ftp-data? FTP uses both 20 and 21.
>
> The PIX ftp fixup knows about port 20.


Hi guys,

Make sure that the client uses FTP Normal mode. Some broadband routers
have difficulty using FTP Passive mode.

Try it... !!
Dominic