A simple newbie question (Pix 501)

Discussion in 'Cisco' started by Markus Heidfels, Dec 3, 2003.

  1. Dear group, I hope someone can point this newbie in the right direction. My
    network is connected to the internet, with a Pix 501 firewall. I am trying
    to open port 21 to allow ftp traffic to a server behind the firewall.

    What I have tried so far is:

    access-list outin permit tcp any any eq ftp
    access-group outin in interface outside
    static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask 255.255.255.255 0 0

    I must be missing something, but what?
    From the outside, port 21 is still closed.

    Best regards
    Markus
    Markus Heidfels, Dec 3, 2003
    #1

  2. On Wed, 03 Dec 2003 14:06:22 -0600, Markus Heidfels wrote:

    > Dear group, I hope someone can point this newbie in the right direction.
    > My network is connected to the internet, with a Pix 501 firewall. I am
    > trying to open port 21 to allow ftp traffic to a server behind the
    > firewall.
    >
    > What I have tried so far is:
    >
    > access-list outin permit tcp any any eq ftp access-group outin in
    > interface outside static (inside,outside) tcp interface ftp 192.168.0.33
    > ftp netmask 255.255.255.255 0 0
    >
    > I must be missing something, but what? From the outside port 21 is still
    > closed
    >
    > Best regards
    > Markus

    "clear xlate" after making the changes?

    -or-

    Does the connection attempt report refused or is it silently dropped?
    Rik Bain, Dec 3, 2003
    #2

  3. In article <>,
    Rik Bain <> wrote:
    :On Wed, 03 Dec 2003 14:06:22 -0600, Markus Heidfels wrote:
    :> My network is connected to the internet, with a Pix 501 firewall. I am
    :> trying to open port 21 to allow ftp traffic to a server behind the
    :> firewall.

    :> What I have tried so far is:

    :> access-list outin permit tcp any any eq ftp access-group outin in
    :> interface outside static (inside,outside) tcp interface ftp 192.168.0.33
    :> ftp netmask 255.255.255.255 0 0

    :"clear xlate" after making the changes?

    "clear xlate" is a good recommendation: when you add new statics to the
    interface, the PIX will usually not notice them without a "clear xlate".

    I would also suggest opening the ftp-data port (tcp 20) unless you
    are using passive ftp.
    --
    Studies show that the average reader ignores 106% of all statistics
    they see in .signatures.
    Walter Roberson, Dec 3, 2003
    #3
  4. "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:bqlgg6$7v1$...
    > In article <>,
    > Rik Bain <> wrote:
    > :On Wed, 03 Dec 2003 14:06:22 -0600, Markus Heidfels wrote:
    > :> My network is connected to the internet, with a Pix 501 firewall. I am
    > :> trying to open port 21 to allow ftp traffic to a server behind the
    > :> firewall.
    >
    > :> What I have tried so far is:
    >
    > :> access-list outin permit tcp any any eq ftp access-group outin in
    > :> interface outside static (inside,outside) tcp interface ftp 192.168.0.33
    > :> ftp netmask 255.255.255.255 0 0
    >
    > :"clear xlate" after making the changes?
    >

    I have done that, makes no difference. Just these three lines should open
    port 21 and redirect it to my server or not?

    > "clear xlate" is a good recommendation: when you add new statics to the
    > interface, the PIX will usually not notice them without a "clear xlate".
    >
    > I would also suggest opening the ftp-data port (tcp 20) unless you
    > are using passive ftp.

    I haven't tried that yet. I test my connection from a shell server on the
    internet. A telnet session to port 21 times out, just as an ordinary ftp
    connection attempt does.

    Regards
    Markus
    Markus Heidfels, Dec 3, 2003
    #4
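    Rik's question in #2 (refused or silently dropped?) and Markus's test in #4 (a telnet to port 21 that times out) are the same check. The script below is an added example, not something posted in the thread: it automates that connect test and classifies the outcome. The loopback helpers and the hint strings are constructed for the example; the hints only restate the steps the thread itself suggests.

```python
"""Probe a TCP port and say whether it is open, refused, or silently dropped.

Added example (not from the thread): it automates the test Markus
describes (a TCP connect to port 21 from a host on the internet) and
answers Rik's question about refused vs. dropped. The loopback helpers
exist only so the example can be exercised without a firewall in the path.
"""
import socket


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused' or 'filtered' for a single TCP connect.

    open     - three-way handshake completed (something is listening)
    refused  - a RST came back (a host was reached, nothing listens there)
    filtered - neither SYN-ACK nor RST within `timeout`: the SYN was dropped
               somewhere, which is how a PIX with no matching static/ACL
               (or a stale xlate) looks from the outside
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # host/network unreachable and similar: no RST arrived, so treat as filtered
        return "filtered"
    finally:
        sock.close()


def next_step(result: str) -> str:
    """Map the probe result to the diagnostic step the thread suggests (constructed wording)."""
    hints = {
        "open": "forwarding works; if FTP itself still fails, look at the data "
                "channel (tcp 20 for active mode, or the passive port range)",
        "refused": "the SYN reached a host that answered with RST: verify the "
                   "inside server is actually listening on that port",
        "filtered": "the SYN is being dropped: re-check the static and "
                    "access-list, 'clear xlate', then watch the log at debugging level",
    }
    return hints[result]


# --- loopback helpers so the probe can be tried without a firewall ----------

def start_listener() -> tuple:
    """Listen on an ephemeral loopback port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_port() -> int:
    """Pick a loopback port that is currently not listening."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_listener()
    for target in (("127.0.0.1", port), ("127.0.0.1", closed_port())):
        r = probe_tcp(*target, timeout=2.0)
        print(f"{target[0]}:{target[1]} -> {r}: {next_step(r)}")
    srv.close()
```

    Run it from the outside host against the PIX's outside address and port 21; "filtered" is the timeout Markus sees, and it is the case where the static/access-list pair, a stale xlate, or the logging check in the later replies is the thing to look at.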
  5. In article <3fce4997$0$206$4all.nl>,
    Markus Heidfels <> wrote:
    : access-list outin permit tcp any any eq ftp
    : access-group outin in interface outside
    : static (inside,outside) tcp interface ftp 192.168.0.33 ftp netmask 255.255.255.255 0 0

    | Just these three lines should open
    | port 21 and redirect it to my server or not?

    Yes.

    | I test my connection from a shell server on the
    | internet. A telnet session to port 21 times out, just as an ordinary ftp
    | connection attempt

    I suggest temporarily pushing the logging level up to debugging,
    and checking the logs as you make the attempt. You should see a
    static translation being built [I think], and then you should see
    a 'Built' message showing the outside source and the inside destination.

    Say, I wonder if you are hitting the problem that some people have been
    having lately? Try adding this:

    nat (inside) 2 192.168.0.33 255.255.255.255 0 0
    global (outside) 2 interface

    --
    Cottleston, Cottleston, Cottleston pie.
    A bird can't whistle and neither can I. -- Pooh
    Walter Roberson, Dec 3, 2003
    #5
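    Walter's suggestion in #5 is to raise logging to debugging and look for the translation and 'Built' messages while the connect is attempted; #3 adds that ftp-data (tcp 20) may need opening too. The following is an added example, not code from the thread or from Cisco: a small parser that reads such log lines and reports, for one inside host and port, whether a connection was forwarded, denied by the access-group, or never seen. The sample lines are constructed and modelled on the PIX 6.x syslog formats for message IDs 305011, 302013 and 106023 (assumed); the addresses are documentation ranges, and the inside host and port are the ones from the config quoted above.

```python
"""Read PIX syslog output (debugging level) and say what happened to an
inbound connection to a forwarded port.

Added example, not from the thread. SAMPLE_LOG is constructed and modelled
on PIX 6.x syslog formats: 305011 (static translation built), 302013
(inbound TCP connection built) and 106023 (denied by an access-group).
"""
import re

XLATE_BUILT = re.compile(
    r"%PIX-\d-305011: Built static TCP translation from "
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to "
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)
CONN_BUILT = re.compile(
    r"%PIX-\d-302013: Built inbound TCP connection \d+ for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<map_ip>[\d.]+)/(?P<map_port>\d+)\)"
)
ACL_DENY = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) src '
    r'(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) dst '
    r'(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: one FTP control connection (tcp/21) that was forwarded to
# the inside host, and one ftp-data (tcp/20) attempt dropped by the outside ACL.
SAMPLE_LOG = """\
%PIX-6-305011: Built static TCP translation from inside:192.168.0.33/21 to outside:203.0.113.10/21
%PIX-6-302013: Built inbound TCP connection 1481 for outside:198.51.100.7/40123 (198.51.100.7/40123) to inside:192.168.0.33/21 (203.0.113.10/21)
%PIX-4-106023: Deny tcp src outside:198.51.100.7/40124 dst inside:203.0.113.10/20 by access-group "outin"
""".splitlines()


def analyse(lines, inside_host: str, port: int) -> dict:
    """Count the three event types for inside_host:port and return a verdict."""
    counts = {"xlate": 0, "built": 0, "denied": 0}
    for line in lines:
        m = XLATE_BUILT.search(line)
        if m and m["in_ip"] == inside_host and int(m["in_port"]) == port:
            counts["xlate"] += 1
            continue
        m = CONN_BUILT.search(line)
        if m and m["dst_ip"] == inside_host and int(m["dst_port"]) == port:
            counts["built"] += 1
            continue
        m = ACL_DENY.search(line)
        # a deny reports the address in the packet (the mapped/outside one),
        # not the inside host, so it is matched on the port alone
        if m and int(m["dst_port"]) == port:
            counts["denied"] += 1
    if counts["built"]:
        verdict = "forwarded"        # the 'Built' message Walter describes
    elif counts["denied"]:
        verdict = "denied-by-acl"    # the packet arrived, the access-list dropped it
    elif counts["xlate"]:
        verdict = "xlate-only"       # translation exists, no inbound connection went through it
    else:
        verdict = "no-trace"         # nothing for that port appeared in the log
    return {**counts, "verdict": verdict}


if __name__ == "__main__":
    for p in (21, 20):
        print(p, analyse(SAMPLE_LOG, "192.168.0.33", p))
```

    Feed it the lines captured while the outside probe runs (`logging buffered debugging` and `show logging`, or a syslog server). "no-trace" for port 21 means the SYN never produced a translation or a deny on the PIX, which points at the static/xlate side rather than the access-list; a deny on port 20 is the ftp-data case #3 mentions.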
