FTP through PIX DMZ

Discussion in 'Cisco' started by Peter, Aug 24, 2004.

  1. Peter

    Peter Guest

    I have recently reconfigured my network to move all my Internet facing
    hosts from the core network to a DMZ subnet connected through my PIX
    firewall.

    Following the move all my services (web servers, Exchange mail,
    Exchange conferencing) are working as normal. However, the FTP server
    refuses point blank to work.

    The server is hosted on a Windows 2000 Server and was working
    perfectly prior to the move. If accessed from inside the firewall, it
    works as expected. Clients outside the firewall can connect to the
    server, and login. They are unable to retrieve the directory listing
    or any files etc.

    The ftp server does attempt to initiate the outbound connection, as I
    can see the packet arriving on the PIX. It doesn't seem to be
    forwarded however.

    There is no access list filtering traffic leaving the DMZ.
    There is a static mapping from the real to the internal ftp server
    address.
    NAT does not take place between the inside & DMZ.
    The fixup service for FTP is enabled.

    Everything looks right as far as I can see, but it just won't work.
    Does anyone have any ideas, or know of any gotchas with this kind of
    setup?

    Thanks in advance for your help,

    Peter

    As an aside, as I don't really want to go this route, I tried forcing
    an FTP client to use passive mode ftp, but this also failed. To use
    this would I need to open the ftp data port inbound on the PIX also?

    name FTP 1.2.3.4
    static (DMZ,outside) FTP 10.1.1.6 netmask 255.255.255.255 0 0
    access-list dmz permit ip any any
    access-list outside-dmz permit tcp any host FTP eq ftp
    access-group dmz in int DMZ
    access-group outside-dmz in int outside
     
    Peter, Aug 24, 2004
    #1
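As an added illustration of the mechanism behind Peter's symptom (login works, directory listing does not), the following script is not from the thread or from Cisco; it models what a stateful FTP inspection engine such as the PIX `fixup protocol ftp` has to understand about the control channel before it can permit the data channel. It parses the client's `PORT` command and the server's `227` passive reply, reports which side opens the data connection, and rewrites a passive reply for a server behind static NAT. The address mapping (1.2.3.4 to 10.1.1.6) comes from the posted config; the client address 192.0.2.10 and the port values are constructed sample inputs.

```python
"""Added example, not from the thread: models what a stateful FTP
inspection engine (the PIX 'fixup protocol ftp') has to understand to
let the data channel through.  It parses the client's PORT command and
the server's 227 PASV reply, says which side opens the data connection,
and rewrites a PASV reply for a server behind static NAT.  The address
mapping mirrors the posted config (1.2.3.4 <-> 10.1.1.6); the client
address 192.0.2.10 is a constructed sample value."""
import re
from dataclasses import dataclass

# Static mapping from the posted config: DMZ real address -> outside address.
STATIC_NAT = {"10.1.1.6": "1.2.3.4"}

# PORT h1,h2,h3,h4,p1,p2  (client tells the server where to connect)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  (server tells the client)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataChannel:
    mode: str    # "active" (PORT) or "passive" (PASV)
    opener: str  # side that initiates the TCP data connection
    host: str    # endpoint the opener must reach
    port: int


def _decode(nums):
    """Turn the six comma-separated decimal fields into (host, port)."""
    h1, h2, h3, h4, p1, p2 = (int(n) for n in nums)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(host, port):
    """Inverse of _decode: host/port back into the six-field form."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Active mode: after PORT, the server connects from port 20 back to
    the client.  Without inspection the firewall sees an unexpected
    outbound connection from the DMZ, unrelated to the control session."""
    m = PORT_RE.match(line)
    if not m:
        return None
    host, port = _decode(m.groups())
    return DataChannel("active", "server", host, port)


def parse_pasv_reply(line):
    """Passive mode: after 227, the client connects to the server on the
    advertised port, so an inbound pinhole for that port is required."""
    m = PASV_RE.match(line)
    if not m:
        return None
    host, port = _decode(m.groups())
    return DataChannel("passive", "client", host, port)


def rewrite_pasv_reply(line, nat=STATIC_NAT):
    """What the fixup must do to a PASV reply leaving the DMZ: the server
    advertises its real address, which an outside client cannot reach,
    so the payload is rewritten to the mapped address and the firewall
    notes the (mapped_host, port) pinhole it must open for the client.
    Returns (possibly rewritten line, pinhole or None)."""
    ch = parse_pasv_reply(line)
    if ch is None or ch.host not in nat:
        return line, None
    mapped = nat[ch.host]
    start = line.index("(")
    end = line.index(")", start)
    new_line = line[:start] + "(" + _encode(mapped, ch.port) + ")" + line[end + 1:]
    return new_line, (mapped, ch.port)


if __name__ == "__main__":
    print(parse_port_command("PORT 192,0,2,10,4,1"))
    print(rewrite_pasv_reply("227 Entering Passive Mode (10,1,1,6,19,137)"))
```

The two parse functions show why a plain port-21 rule is not enough in either mode: in active mode the DMZ server itself has to open a new outbound connection that the firewall can only associate with the session if it read the `PORT` command, and in passive mode the advertised port is dynamic and the advertised address is the server's private one, which is exactly the rewrite `rewrite_pasv_reply` performs. This answers Peter's aside as well: passive mode does need the advertised data port reachable inbound, and with inspection enabled the firewall opens it per session rather than statically.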

  2. In article <>,
    Peter <> wrote:
    :The server is hosted on a Windows 2000 Server and was working
    :perfectly prior to the move. If accessed from inside the firewall, it
    :works as expected. Clients outside the firewall can connect to the
    :server, and login. They are unable to retrieve the directory listing
    :or any files etc.

    I suggest you turn your syslog level up to maximum, make sure you
    haven't turned off any of the IDS messages, and see whether the
    syslog shows any complaints when you attempt the access. Complaints
    such as the port or IP address being incorrect.

    If you are running a recent PIX version, 'capture' the return
    packets and examine them in detail.

    At last resort, you could try 'debug fixup', but if your network
    is active, that's going to give you too much data to deal with.
    --
    I was very young in those days, but I was also rather dim.
    -- Christopher Priest
     
    Walter Roberson, Aug 24, 2004
    #2
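To show what Walter's syslog suggestion looks like in practice, here is an added triage script that is not from the thread or from Cisco. The three log lines in it are constructed, written in the `%PIX-<severity>-<id>` style of PIX 6.x syslog; the message numbers used (302013 for a TCP connection built, 106023 for an ACL deny, 305005 for no translation group found) are the ones I recall for those events and should be treated as an assumption, as should the exact wording. The server addresses and the access-group name `dmz` come from the posted config; the scenario itself (control channel built, then the server's port-20 connection back to the client refused) is made up to exercise the checks, not a record of Peter's firewall.

```python
"""Added example, not from the thread: a small triage pass over PIX
syslog output of the kind Walter suggests collecting.  The three log
lines are constructed, written in the %PIX-<severity>-<id> style of
PIX 6.x syslog; the message numbers (302013 connection built, 106023
ACL deny, 305005 no translation group) are the author's recollection
and an assumption.  The script flags messages that touch the FTP
server's real or mapped address and says whether the data channel
(port 20) is involved."""
import re

# Addresses from the posted config (real and static-mapped).
FTP_SERVER = {"10.1.1.6", "1.2.3.4"}

HEAD_RE = re.compile(r"%PIX-(\d)-(\d{6}):\s*(.*)")
# interface:ip/port as PIX writes endpoints, e.g. DMZ:10.1.1.6/20
ENDPOINT_RE = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
ACL_RE = re.compile(r'by access-group "([^"]+)"')

# Constructed sample: control channel built, then the server's port-20
# connection back to the client is refused, once per possible cause.
SAMPLE_LOG = [
    'Aug 24 2004 10:00:01: %PIX-6-302013: Built inbound TCP connection 4711 for '
    'outside:198.51.100.7/3456 (198.51.100.7/3456) to DMZ:10.1.1.6/21 (1.2.3.4/21)',
    'Aug 24 2004 10:00:03: %PIX-4-106023: Deny tcp src DMZ:10.1.1.6/20 '
    'dst outside:198.51.100.7/3457 by access-group "dmz"',
    'Aug 24 2004 10:00:03: %PIX-3-305005: No translation group found for tcp '
    'src DMZ:10.1.1.6/20 dst outside:198.51.100.7/3457',
]

KIND_BY_ID = {"302013": "connection-built", "106023": "acl-deny", "305005": "nat-failure"}


def ftp_findings(lines, server_addrs=FTP_SERVER):
    """Return one dict per message that involves the FTP server."""
    findings = []
    for line in lines:
        head = HEAD_RE.search(line)
        if not head:
            continue
        severity, msg_id, body = head.groups()
        endpoints = ENDPOINT_RE.findall(body)
        if not any(ip in server_addrs for _, ip, _ in endpoints):
            continue
        acl = ACL_RE.search(body)
        findings.append({
            "id": msg_id,
            "severity": int(severity),
            "kind": KIND_BY_ID.get(msg_id, "other"),
            "data_channel": any(port == "20" for _, _, port in endpoints),
            "acl": acl.group(1) if acl else None,
            "endpoints": endpoints,
        })
    return findings


def suspected_causes(findings):
    """Reduce the findings to the question being asked: if the control
    channel came up but the data channel was refused, which mechanism
    refused it?"""
    causes = []
    if any(f["kind"] == "acl-deny" and f["data_channel"] for f in findings):
        names = sorted({f["acl"] for f in findings if f["kind"] == "acl-deny" and f["acl"]})
        causes.append("data channel denied by access-group " + ", ".join(names))
    if any(f["kind"] == "nat-failure" and f["data_channel"] for f in findings):
        causes.append("no translation for the data channel (check static/nat for the DMZ host)")
    return causes


if __name__ == "__main__":
    for f in ftp_findings(SAMPLE_LOG):
        print(f["id"], f["kind"], "data-channel" if f["data_channel"] else "control-channel")
    print(suspected_causes(ftp_findings(SAMPLE_LOG)))
```

The point of filtering on the server's real and mapped addresses is that a PIX at maximum logging level produces far more than the FTP session; narrowing to the two addresses and then asking whether port 20 appears separates "the control channel is fine" from "the data channel was refused, and by what".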

  3. Samjack

    Samjack Guest

    Your config mentions FTP but what about ftp-data? FTP uses both 20 and 21.

    "Peter" <> wrote in message
    news:...
    >I have recently reconfigured my network to move all my Internet facing
    > hosts from the core network to a DMZ subnet connected through my PIX
    > firewall.
    >
    > Following the move all my services (web servers, Exchange mail,
    > Exchange conferencing) are working as normal. However, the FTP server
    > refuses point blank to work.
    >
    > The server is hosted on a Windows 2000 Server and was working
    > perfectly prior to the move. If accessed from inside the firewall, it
    > works as expected. Clients outside the firewall can connect to the
    > server, and login. They are unable to retrieve the directory listing
    > or any files etc.
    >
    > The ftp server does attempt to initiate the outbound connection, as I
    > can see the packet arriving on the PIX. It doesn't seem to be
    > forwarded however.
    >
    > There is no access list filtering traffic leaving the DMZ.
    > There is a static mapping from the real to the internal ftp server
    > address.
    > NAT does not take place between the inside & DMZ.
    > The fixup service for FTP is enabled.
    >
    > Everything looks right as far as I can see, but it just won't work.
    > Does anyone have any ideas, or know of any gotchas with this kind of
    > setup?
    >
    > Thanks in advance for your help,
    >
    > Peter
    >
    > As an aside, as I don't really want to go this route, I tried forcing
    > an FTP client to use passive mode ftp, but this also failed. To use
    > this would I need to open the ftp data port inbound on the PIX also?
    >
    > name FTP 1.2.3.4
    > static (DMZ,outside) FTP 10.1.1.6 netmask 255.255.255.255 0 0
    > access-list dmz permit ip any any
    > access-list outside-dmz permit tcp any host FTP eq ftp
    > access-group dmz in int DMZ
    > access-group outside-dmz in int outside
     
    Samjack, Aug 28, 2004
    #3
  4. In article <tsPXc.117$>,
    Samjack <> wrote:
    :Your config mentions FTP but what about ftp-data? FTP uses both 20 and 21.

    The PIX ftp fixup knows about port 20.
    --
    So you found your solution
    What will be your last contribution?
    -- Supertramp (Fool's Overture)
     
    Walter Roberson, Aug 28, 2004
    #4
  5. Dominic

    Dominic Guest

    -cnrc.gc.ca (Walter Roberson) wrote in message news:<cgorb9$gnc$>...
    > In article <tsPXc.117$>,
    > Samjack <> wrote:
    > :Your config mentions FTP but what about ftp-data? FTP uses both 20 and 21.
    >
    > The PIX ftp fixup knows about port 20.


    Hi guys,

    Make sure that the client uses FTP normal mode. Some broadband routers
    have difficulty using FTP PASV mode.

    Try it... !!
    Dominic
     
    Dominic, Sep 21, 2004
    #5
