Velocity Reviews - Computer Hardware Reviews

Configuring Passive FTP on PIX 515e

beso
Junior Member
Join Date: Mar 2008
Posts: 1
03-26-2008
Hello Everyone,

This is my first post here and I am looking for some help with a PIX 515e firewall configuration.

What we have is an application that runs on several workstations that connects to an external FTP server on port 990 and comes back in again on a specific port range (23600-23609). I need to allow connections back into the network using the port range 23600-23609 to any workstation on the network.

Now I have also made some changes to the configuration myself which I need to remove as well, but since I am not familiar with these devices I need some assistance.

Below I have posted the show run output from our device with the required information. The external IP shows as 142.x.x.x in the output I have inserted here.

I have also used bold and underline on the lines that I need to remove from the firewall.

If anyone can help me find the commands I need to configure:

a) the port forwarding of the range 23600 - 23609 to any workstation on the internal network
b) the removal of the lines I have unfortunately saved in the attempt to get this working.

pixfirewall# show run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
object-group service CannexFTP tcp
port-object range 23600 23609
access-list exchange permit icmp any any
access-list exchange permit tcp any host 142.x.x.x eq https
access-list exchange permit tcp any host 142.x.x.x eq www
access-list exchange permit tcp any host 142.x.x.x eq ftp
access-list exchange permit tcp any host 142.x.x.x eq domain
access-list exchange permit udp any host 142.x.x.x eq domain
access-list exchange permit tcp any host 142.x.x.x eq 3389
access-list exchange permit tcp any host 142.x.x.x eq pptp
access-list exchange permit tcp host 207.176.143.5 host 142.x.x.x eq smtp
access-list exchange permit tcp host 204.209.44.106 host 142.x.x.x eq smtp
access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list IPSEC-VPN permit ip 10.1.0.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list IPSEC-VPN permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list l2tp permit udp host 142.x.x.x any eq 1701
access-list outside_access_in permit tcp any host 142.x.x.x eq 23600
access-list outside_access_in permit tcp any any object-group CannexFTP
access-list outside_access_in permit tcp any interface outside object-group CannexFTP
access-list 100 permit tcp any host 142.172.200.36 eq 23600
pager lines 24
logging on
logging timestamp
logging console critical
logging monitor critical
logging trap warnings
logging host inside 10.1.0.100
logging host inside 10.1.0.104
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 10
ip address inside 10.1.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 142.x.x.x https 10.1.0.100 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x www 10.1.0.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x ftp 10.1.0.100 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x 3389 10.1.0.100 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x smtp 10.1.0.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp 142.x.x.x 23600 10.1.0.100 23600 netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x pptp 10.1.0.100 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x 23600 10.1.0.100 23600 netmask 255.255.255.255 0 0
access-group exchange in interface outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.0.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
: end

Thanks in advance for any help anyone may be able to provide me with.

Brad
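Added example, not part of the post above and not the poster's configuration work or a Cisco utility. Two points worth checking before touching the box. In passive FTP the client opens the data connection outbound to the server's port range, so the 23600-23609 connections would leave the workstations through the PIX's existing inside-to-outside permit and need no inbound rule; and since port 990 is implicit FTPS, `fixup protocol ftp 21` cannot read the encrypted control channel to open data ports dynamically in either direction. Separately, one PAT address on the outside interface cannot forward a port range "to any workstation": a `static` maps an outside port to exactly one inside host. The bold and underline that marked the lines to remove did not survive the page, so the script below works it out from the running config itself: it parses a trimmed copy of the posted show run, lists the access-lists that no access-group, nat or other line references, the port statics on outside that the one applied inbound ACL (`exchange`) never permits, and the `ssh 0.0.0.0 0.0.0.0 outside` and RDP-from-any exposures, then prints the exact PIX 6.3 `no` commands, ordered so every ACE that uses the object-group is removed before the group itself. The port-keyword table (https=443 and so on) is the standard PIX keyword mapping; `l2tp` shows up as unbound only because the post omits any crypto or vpngroup lines that would reference it, so it is deliberately not passed to the removal step.

```python
"""Lint a PIX 6.3 'show run' excerpt and emit the exact `no` lines that clean it up."""
# Added example for this thread, not the poster's work or a Cisco tool.  CONFIG is trimmed
# from the posted show run (142.x.x.x left as posted); findings are only as complete as it.
CONFIG = """\
object-group service CannexFTP tcp
port-object range 23600 23609
access-list exchange permit icmp any any
access-list exchange permit tcp any host 142.x.x.x eq https
access-list exchange permit tcp any host 142.x.x.x eq 3389
access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list l2tp permit udp host 142.x.x.x any eq 1701
access-list outside_access_in permit tcp any host 142.x.x.x eq 23600
access-list outside_access_in permit tcp any any object-group CannexFTP
access-list 100 permit tcp any host 142.172.200.36 eq 23600
nat (inside) 0 access-list NO-NAT
static (inside,outside) tcp 142.x.x.x https 10.1.0.100 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x 3389 10.1.0.100 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 142.x.x.x 23600 10.1.0.100 23600 netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x 23600 10.1.0.100 23600 netmask 255.255.255.255 0 0
access-group exchange in interface outside
ssh 0.0.0.0 0.0.0.0 outside
"""

PORTS = {"https": 443, "www": 80, "ftp": 21, "domain": 53, "smtp": 25, "pptp": 1723}

def port(tok):                            # PIX port keyword or plain number
    return PORTS.get(tok) or int(tok)

def parse(text):
    cfg = {"acl": {}, "groups": {}, "ghdr": {}, "statics": [], "bound": {}, "other": []}
    for line in text.splitlines():
        w = line.split()
        if w[0] == "access-list":
            cfg["acl"].setdefault(w[1], []).append(line)
        elif w[0] == "object-group":      # header; the port-objects that follow belong to it
            cur, cfg["ghdr"][w[2]] = cfg["groups"].setdefault(w[2], []), line
        elif w[0] == "port-object":       # "eq P" -> (P, P); "range A B" -> (A, B)
            cur.append((port(w[2]), port(w[-1])))
        elif w[0] == "static":
            cfg["statics"].append(line)
        elif w[0] == "access-group":      # access-group NAME in interface IF
            cfg["bound"][w[1]] = (w[2], w[4])
        else:                             # nat, ssh, crypto ... (may reference ACL names)
            cfg["other"].append(line)
    return cfg

def addr(w, i):                           # any | host X | interface X | NET MASK
    if w[i] == "any":
        return "any", i + 1
    return (w[i + 1] if w[i] in ("host", "interface") else w[i] + "/" + w[i + 1]), i + 2

def ace_permits(ace, proto, ip, dport, groups):
    w = ace.split()
    _, i = addr(w, 4)
    dst, i = addr(w, i)
    if w[2] != "permit" or w[3] not in ("ip", proto) or dst not in ("any", ip):
        return False
    if i == len(w):                       # no port qualifier: every port of the host
        return True
    if w[i] == "eq":
        ranges = [(port(w[i + 1]),) * 2]
    elif w[i] == "range":
        ranges = [(port(w[i + 1]), port(w[i + 2]))]
    else:                                 # object-group NAME
        ranges = groups[w[i + 1]]
    return any(lo <= dport <= hi for lo, hi in ranges)

def unbound_acls(cfg):
    used = set(cfg["bound"])
    for line in cfg["other"]:             # nat 0 / crypto map / vpngroup references
        used.update(t for t in line.split() if t in cfg["acl"])
    return sorted(n for n in cfg["acl"] if n not in used)

def inbound_aces(cfg):
    return [a for n, (d, ifc) in cfg["bound"].items() if (d, ifc) == ("in", "outside") for a in cfg["acl"][n]]

def dead_statics(cfg):                    # outside port statics nothing in the inbound ACL permits
    dead = []
    for s in cfg["statics"]:
        _, ifs, proto, ip, p = s.split()[:5]
        if ifs == "(inside,outside)" and proto in ("tcp", "udp") and not any(
                ace_permits(a, proto, ip, port(p), cfg["groups"]) for a in inbound_aces(cfg)):
            dead.append(s)
    return dead

def removal_commands(cfg, acl_names, statics):
    cmds = ["no " + a for n in acl_names for a in cfg["acl"][n]]
    kept = [a for n, aces in cfg["acl"].items() if n not in acl_names for a in aces]
    cmds += ["no " + cfg["ghdr"][g] for g in cfg["groups"] if not any(g in a.split() for a in kept)]
    return cmds + ["no " + s for s in statics] + ["clear xlate", "write memory"]

def exposures(cfg):                       # SSH management from any address; RDP from any source
    found = [l for l in cfg["other"] if l.startswith("ssh 0.0.0.0 0.0.0.0 outside")]
    return found + [a for a in inbound_aces(cfg) if a.split()[4] == "any" and a.endswith("eq 3389")]

if __name__ == "__main__":                # l2tp is left alone: the post omits the VPN lines that use it
    cfg = parse(CONFIG)
    print(*removal_commands(cfg, ["outside_access_in", "100"], dead_statics(cfg)), sep="\n")
    print("unbound:", unbound_acls(cfg), "exposed:", exposures(cfg))
```

Run it against the full show run rather than the trimmed copy before pasting anything into the PIX, and treat every unbound access-list it names as a question, not a deletion, until the crypto and vpngroup sections have been checked for references.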
 