Port 21 forwarding on PIX 501

Discussion in 'Cisco' started by kennylee88@gmail.com, Sep 16, 2006.

  1. Guest

    Okay gurus

    Can someone tell me if this config is correct? My ftp server
    192.168.1.13 is behind the pix.
    Here are the lines:


    access-list inbound permit tcp any host 192.168.1.13 eq ftp
    static (inside,outside) tcp interface ftp 192.168.1.13 ftp netmask 255.255.255.255 0 0
    access-group inbound in interface outside


    Anything wrong here? I don't know, I can't get connected from outside. I get
    timed out.
     
    , Sep 16, 2006
    #1

  2. In article <>,
    <> wrote:
    >Okay gurus


    > Can someone tell me if this config is correct? My ftp server
    >192.168.1.13 is behind the pix.
    >Here are the lines:



    >access-list inbound permit tcp any host 192.168.1.13 eq ftp
    >static (inside,outside) tcp interface ftp 192.168.1.13 ftp netmask 255.255.255.255 0 0
    >access-group inbound in interface outside


    No.

    access-list inbound permit tcp any interface outside eq ftp

    When you apply an access list to an outside interface, the source
    and destination fields should reflect what you would expect to see
    in the incoming packets, -before- any Network Address Translation
    (NAT) has taken place.
     
    Walter Roberson, Sep 16, 2006
    #2

  3. Guest

    Thanks Walter for the quick reply,

    So, I need to add this line in my config?

    access-list inbound permit tcp any interface outside eq ftp

    Let me give a try.


    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    > >Okay gurus

    >
    > > Can someone tell me if this config is correct? My ftp server
    > >192.168.1.13 is behind the pix.
    > >Here are the lines:

    >
    >
    > >access-list inbound permit tcp any host 192.168.1.13 eq ftp
    > >static (inside,outside) tcp interface ftp 192.168.1.13 ftp netmask 255.255.255.255 0 0
    > >access-group inbound in interface outside

    >
    > No.
    >
    > access-list inbound permit tcp any interface outside eq ftp
    >
    > When you apply an access list to an outside interface, the source
    > and destination fields should reflect what you would expect to see
    > in the incoming packets, -before- any Network Address Translation
    > (NAT) has taken place.
     
    , Sep 16, 2006
    #3
  4. Guest

    Okay, that works!!
    What if I have another ftp server. How would I configure it?


    wrote:
    > Thanks Walter for the quick reply,
    >
    > So, I need to add this line in my config?
    >
    > access-list inbound permit tcp any interface outside eq ftp
    >
    > Let me give a try.
    >
    >
    > Walter Roberson wrote:
    > > In article <>,
    > > <> wrote:
    > > >Okay gurus

    > >
    > > > Can someone tell me if this config is correct? My ftp server
    > > >192.168.1.13 is behind the pix.
    > > >Here are the lines:

    > >
    > >
    > > >access-list inbound permit tcp any host 192.168.1.13 eq ftp
    > > >static (inside,outside) tcp interface ftp 192.168.1.13 ftp netmask 255.255.255.255 0 0
    > > >access-group inbound in interface outside

    > >
    > > No.
    > >
    > > access-list inbound permit tcp any interface outside eq ftp
    > >
    > > When you apply an access list to an outside interface, the source
    > > and destination fields should reflect what you would expect to see
    > > in the incoming packets, -before- any Network Address Translation
    > > (NAT) has taken place.
     
    , Sep 16, 2006
    #4
  5. In article <>,
    <> wrote:

    Please do not "top-post": you should take the material you are
    replying to, trim it down to -just- the part you want to talk
    about, and intermix your questions or comments with the specific
    parts of what you are replying to. Your style of putting the
    answer at the top makes your postings harder to read, and anyone
    who replies to your posting has to manually edit your remarks to
    appear in context in order to produce something that resembles
    a sensible conversation.

    You appear to be using googlegroups, so you might be thinking
    "but people could just scroll up if they wanted to read what was
    posted before". There are, though, many people who use other
    interfaces that do not allow them to easily see the previous
    conversations. In particular, few of the "old hands" (the people who
    are most likely to be able to answer your questions) use googlegroups
    as googlegroups is just too inefficient when you have hundreds of
    messages to read every day.

    >> Walter Roberson wrote:
    >> > access-list inbound permit tcp any interface outside eq ftp


    >Okay, that works!!
    >What if I have another ftp server. How would I configure it?


    If you only have a single outside interface IP, then you cannot
    configure a second ftp server -- not unless you configure it to
    use a different port. Some ftp clients make it difficult to
    specify an alternate port to connect to.

    To configure another ftp server with a different port on
    the outside PIX interface, then

    static (inside,outside) tcp interface OTHERPORT SECONDHOST 21 netmask 255.255.255.255

    access-list inbound permit tcp any interface outside eq OTHERPORT

    fixup protocol ftp 21 OTHERPORT


    (Note: due to the way that ftp works, although the main connections
    will be to OTHERPORT, there will also be connections to
    the port one lower than that; those connections will automatically
    be allowed for by the PIX, provided that you configure the fixup.
    Just make sure you don't configure OTHERPORT to be immediately
    after something else you are using.)
     
    Walter Roberson, Sep 17, 2006
    #5
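An added example, not from the thread or from Cisco, that models the two points made in posts #2 and #5: the ACL on the outside interface is matched against the packet before NAT, so it must name the outside interface rather than the inside host, and a second ftp server on OTHERPORT needs OTHERPORT-1 free for the fixup. The outside address 203.0.113.5 and the OTHERPORT value 2121 are constructed sample values.

```python
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.5"   # assumed outside interface address (constructed)
FTP = 21

@dataclass(frozen=True)
class StaticPat:              # static (inside,outside) tcp interface GPORT LHOST LPORT
    global_port: int
    local_host: str
    local_port: int

@dataclass(frozen=True)
class Ace:                    # access-list inbound permit tcp any <dst> eq <port>
    dst: str                  # "interface outside" or "host A.B.C.D"
    port: int

def resolve(dst: str) -> str:
    """Turn an ACE destination into the IP the ACL is compared against."""
    return OUTSIDE_IP if dst == "interface outside" else dst.split(" ", 1)[1]

def inbound(dst_ip: str, dst_port: int, acl, statics):
    """Inside (host, port) the connection is handed to, or None if dropped."""
    # 1. The ACL on the outside interface is matched against the packet as it
    #    arrives, i.e. BEFORE NAT: the destination is the outside interface IP,
    #    never the inside host address, so 'host 192.168.1.13' never matches.
    if not any(resolve(a.dst) == dst_ip and a.port == dst_port for a in acl):
        return None
    # 2. Only then is the static PAT entry for that outside port applied.
    for s in statics:
        if dst_ip == OUTSIDE_IP and dst_port == s.global_port:
            return (s.local_host, s.local_port)
    return None

def fixup_port_conflict(other_port: int, statics) -> bool:
    """True if OTHERPORT-1, which 'fixup protocol ftp 21 OTHERPORT' opens for the
    data connection, is already mapped to something else on the outside interface."""
    return any(s.global_port == other_port - 1 for s in statics)

STATICS = [StaticPat(FTP, "192.168.1.13", FTP)]
ORIGINAL_ACL = [Ace("host 192.168.1.13", FTP)]   # the poster's first attempt
FIXED_ACL = [Ace("interface outside", FTP)]      # the corrected line from post #2

def demo():
    first = inbound(OUTSIDE_IP, FTP, ORIGINAL_ACL, STATICS)   # None: client times out
    fixed = inbound(OUTSIDE_IP, FTP, FIXED_ACL, STATICS)      # ('192.168.1.13', 21)
    # OTHERPORT=2121 (constructed) leaves 2120 free; 22 would put port 21 "one lower".
    return first, fixed, fixup_port_conflict(2121, STATICS), fixup_port_conflict(22, STATICS)

if __name__ == "__main__":
    print(demo())
```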
  6. Guest

    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    >
    > Please do not "top-post": you should take the material you are
    > replying to, trim it down to -just- the part you want to talk
    > about, and intermix your questions or comments with the specific
    > parts of what you are replying to. Your style of putting the
    > answer at the top makes your postings harder to read, and anyone
    > who replies to your posting has to manually edit your remarks to
    > appear in context in order to produce something that resembles
    > a sensible conversation.
    >
    > You appear to be using googlegroups, so you might be thinking
    > "but people could just scroll up if they wanted to read what was
    > posted before". There are, though, many people who use other
    > interfaces that do not allow them to easily see the previous
    > conversations. In particular, few of the "old hands" (the people who
    > are most likely to be able to answer your questions) use googlegroups
    > as googlegroups is just too inefficient when you have hundreds of
    > messages to read every day.
    >
    > >> Walter Roberson wrote:
    > >> > access-list inbound permit tcp any interface outside eq ftp

    >
    > >Okay, that works!!
    > >What if I have another ftp server. How would I configure it?

    >
    > If you only have a single outside interface IP, then you cannot
    > configure a second ftp server -- not unless you configure it to
    > use a different port. Some ftp clients make it difficult to
    > specify an alternate port to connect to.
    >
    > To configure another ftp server with a different port on
    > the outside PIX interface, then
    >
    > static (inside,outside) tcp interface OTHERPORT SECONDHOST 21 netmask 255.255.255.255
    >
    > access-list inbound permit tcp any interface outside eq OTHERPORT
    >
    > fixup protocol ftp 21 OTHERPORT
    >
    >
    > (Note: due to the way that ftp works, although the main connections
    > will be to OTHERPORT, there will also be connections to
    > the port one lower than that; those connections will automatically
    > be allowed for by the PIX, provided that you configure the fixup.
    > Just make sure you don't configure OTHERPORT to be immediately
    > after something else you are using.)


    Thanks again, I really appreciate the help!! Thank You!!!
     
    , Sep 17, 2006
    #6
