Port 21 forwarding on PIX 501

Discussion in 'Cisco' started by kennylee88, Sep 16, 2006.

  1. kennylee88

    kennylee88 Guest

    Okay guru's

    Can some one tell me if this config is correct? My ftp server
    192.168.1.13 is behind the pix.
    Here's the lines:


    access-list inbound permit tcp any host 192.168.1.13 eq ftp
    static (inside,outside) tcp interface ftp 192.168.1.13 ftp netmask
    255.255.255.255 0 0
    access-group inbound in interface outside


    Anything wrong here? I d/k, I can't get connect from out side. I get
    timed out.
     
    kennylee88, Sep 16, 2006
    #1
    1. Advertisements

  2. No.

    access-list inbound permit tcp any interface outside eq ftp

    When you apply an access list to an outside interface, the source
    and destination fields should reflect what you would expect to see
    in the incoming packets, -before- any Network Address Translation
    (NAT) has taken place.
     
    Walter Roberson, Sep 16, 2006
    #2
    1. Advertisements

  3. kennylee88

    kennylee88 Guest

    Thanks Walter for the quick reply,

    So, I need to add this line in my config?

    access-list inbound permit tcp any interface outside eq ftp

    Let me give a try.
     
    kennylee88, Sep 16, 2006
    #3
  4. kennylee88

    kennylee88 Guest

    Okay that work!!
    What if I have another ftp server. How would I config it?
     
    kennylee88, Sep 16, 2006
    #4
  5. Please do not "top-post": you should take the material you are
    replying to, trim it down to -just- the part you want to talk
    about, and intermix your questions or comments with the specific
    parts of what you are replying to. Your style of putting the
    answer at the top makes your postings harder to read, and anyone
    who replies to your posting has to manually edit your remarks to
    appear in context in order to produce something that resembles
    a sensible conversation.

    You appear to be using googlegroups, so you might be thinking
    "but people could just scroll up if they wanted to read what was
    posted before". There are, though, many people who use other
    interfaces that do not allow them to easily see the previous
    conversations. In particular, few of the "old hands" (the people who
    are most likely to be able to answer your questions) use googlegroups
    as googlegroups is just too inefficient when you have hundreds of
    messages to read every day.
    If you only have a single outside interface IP, then you cannot
    configure a second ftp server -- not unless you configure it to
    use a different port. Some ftp clients make it difficult to
    specify an alternate port to connect to.

    To configure another ftp server with a different port on
    the outside PIX interface, then

    static (inside,outside) tcp interface OTHERPORT SECONDHOST 21 netmask 255.255.255.255

    access-list inbound permit tcp any interface outside eq OTHERPORT

    fixup protocol ftp 21 OTHERPORT


    (Note: due to the way that ftp works, although the main connections
    will be to OTHERPORT, there will also be connections to
    the port one lower than that; those connections will automatically
    be allowed for by the PIX, provided that you configure the fixup.
    Just make sure you don't configure OTHERPORT to be immediately
    after something else you are using.
     
    Walter Roberson, Sep 17, 2006
    #5
  6. kennylee88

    kennylee88 Guest

    Thanks again, I really appreicated for the help!! Thank You!!!
     
    kennylee88, Sep 17, 2006
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.