Configuring Passive FTP on PIX 515e

Discussion in 'Cisco' started by beso, Mar 26, 2008.

    Hello Everyone,

    This is my first post here and I am looking for some help with a PIX 515e firewall configuration.

    What we have is an application that runs on several workstations that connects to an external FTP server on port 990 and comes back in again on a specific port range (23600-23609). I need to allow connections back into the network using the port range 23600-23609 to any workstation on the network.

    Now I have also made some changes to the configuration myself which I need to remove as well, but since I am not familiar with these devices I need some assistance.

    Below I have posted the show run output from our device with the required information. The external IP shows as 142.x.x.x in the output I have inserted here.

    I have also used Bold and Underline on the lines that I need to remove from the firewall as well.

    If anyone can help me find the commands I need to configure:

    a) the port forwarding of the range 23600 - 23609 to any workstation on the internal network
    b) remove the lines I have unfortunately saved in the attempt to get this working.

    pixfirewall# show run
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group service CannexFTP tcp
    port-object range 23600 23609
    access-list exchange permit icmp any any
    access-list exchange permit tcp any host 142.x.x.x eq https
    access-list exchange permit tcp any host 142.x.x.x eq www
    access-list exchange permit tcp any host 142.x.x.x eq ftp
    access-list exchange permit tcp any host 142.x.x.x eq domain
    access-list exchange permit udp any host 142.x.x.x eq domain
    access-list exchange permit tcp any host 142.x.x.x eq 3389
    access-list exchange permit tcp any host 142.x.x.x eq pptp
    access-list exchange permit tcp host 207.176.143.5 host 142.x.x.x eq smtp
    access-list exchange permit tcp host 204.209.44.106 host 142.x.x.x eq smtp
    access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
    access-list IPSEC-VPN permit ip 10.1.0.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list IPSEC-VPN permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    access-list l2tp permit udp host 142.x.x.x any eq 1701
    access-list outside_access_in permit tcp any host 142.x.x.x eq 23600
    access-list outside_access_in permit tcp any any object-group CannexFTP
    access-list outside_access_in permit tcp any interface outside object-group CannexFTP
    access-list 100 permit tcp any host 142.172.200.36 eq 23600
    pager lines 24
    logging on
    logging timestamp
    logging console critical
    logging monitor critical
    logging trap warnings
    logging host inside 10.1.0.100
    logging host inside 10.1.0.104
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute retry 10
    ip address inside 10.1.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NO-NAT
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 142.x.x.x https 10.1.0.100 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x www 10.1.0.100 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x ftp 10.1.0.100 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x 3389 10.1.0.100 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x smtp 10.1.0.100 smtp netmask 255.255.255.255 0 0
    static (inside,outside) udp 142.x.x.x 23600 10.1.0.100 23600 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x pptp 10.1.0.100 pptp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x 23600 10.1.0.100 23600 netmask 255.255.255.255 0 0
    access-group exchange in interface outside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 10.1.0.0 255.255.255.0 inside
    ssh timeout 60
    management-access inside
    console timeout 0
    : end

    Thanks in advance for any help anyone may be able to provide me with.

    Brad
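As an added illustration (not part of the thread), the following Python script cross-checks an excerpt of the posted show run: it lists access-lists that no access-group or nat statement binds, permits in a bound ACL that have no matching static, and statics that nothing in a bound ACL permits. The excerpt is constructed from the post and trimmed, and the poster's own output was trimmed too, so an ACL flagged as unbound here may be referenced by lines that were not posted.

```python
import re

# Constructed excerpt of the "show run" posted in the thread (trimmed to the
# lines that matter; 142.x.x.x is kept exactly as the poster masked it).
PIX_CONFIG = """\
access-list exchange permit tcp any host 142.x.x.x eq https
access-list exchange permit tcp any host 142.x.x.x eq www
access-list exchange permit tcp any host 142.x.x.x eq domain
access-list exchange permit udp any host 142.x.x.x eq domain
access-list exchange permit tcp host 207.176.143.5 host 142.x.x.x eq smtp
access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list outside_access_in permit tcp any host 142.x.x.x eq 23600
access-list outside_access_in permit tcp any any object-group CannexFTP
access-list 100 permit tcp any host 142.172.200.36 eq 23600
nat (inside) 0 access-list NO-NAT
static (inside,outside) tcp 142.x.x.x https 10.1.0.100 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x www 10.1.0.100 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x smtp 10.1.0.100 smtp netmask 255.255.255.255 0 0
static (inside,outside) udp 142.x.x.x 23600 10.1.0.100 23600 netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x 23600 10.1.0.100 23600 netmask 255.255.255.255 0 0
access-group exchange in interface outside
"""

# PIX 6.x syntax as it appears in the post; only "host X eq PORT" permits are matched.
ACE = re.compile(r"^access-list (\S+) permit (tcp|udp) .* host (\S+) eq (\S+)$")
STATIC = re.compile(r"^static \(inside,outside\) (tcp|udp) (\S+) (\S+) \S+ \S+ ")
GROUP = re.compile(r"^access-group (\S+) in interface")
NAT_ACL = re.compile(r"^nat \(\S+\) \d+ access-list (\S+)")

def audit(config):
    """Return (unbound ACL names, permits without a static, statics without a permit)."""
    aces, statics, bound, named = set(), set(), set(), set()
    for line in config.splitlines():
        if m := ACE.match(line):
            named.add(m[1]); aces.add((m[1], m[2], m[3], m[4]))
        elif m := STATIC.match(line):
            statics.add((m[1], m[2], m[3]))          # (proto, outside ip, outside port)
        elif m := GROUP.match(line):
            bound.add(m[1])                          # ACL applied to an interface
        elif m := NAT_ACL.match(line):
            bound.add(m[1])                          # ACL used by nat 0 (NAT exemption)
        elif line.startswith("access-list "):
            named.add(line.split()[1])               # other ACEs: remember the name only
    unbound = sorted(named - bound)
    live = {(p, h, s) for (a, p, h, s) in aces if a in bound}
    return unbound, sorted(live - statics), sorted(statics - live)
```

For the posted excerpt, outside_access_in and 100 (the ACLs that carry the 23600-23609 range) are never applied, while both 23600 statics translate only to 10.1.0.100.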
