problem with ftp on pix

Discussion in 'Cisco' started by toetie, May 19, 2007.

    Hi,

    I recently placed a PIX for our internet connection.
    We offer several services to the public side from one server, so I had to use policy NAT. But I can't make the FTP server work; all other NATs are working fine.

    FTP internal address is 192.168.1.209
    Outside address is 62.58.98.197

    Here's my config:

    PIX Version 7.0(2)
    names
    !
    interface Ethernet0
    description Internet
    nameif outside
    security-level 0
    ip address 62.58.98.250 255.255.255.192
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 172.16.0.2 255.255.255.248
    !
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    enable password 9zCPmdXPrBhv12Re encrypted
    passwd VoYC.5p8zF3408tl encrypted
    hostname besnk-fw
    domain-name newtec.be
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    access-list acl_out extended permit icmp any any
    access-list acl_out extended permit tcp any host 62.58.98.194 eq smtp
    access-list acl_out extended permit tcp any host 62.58.98.196 eq smtp
    access-list acl_out extended permit tcp any host 62.58.98.220 eq smtp
    access-list acl_out extended permit tcp any host 62.58.98.220 eq https
    access-list acl_out extended permit tcp any host 62.58.98.195 eq https
    access-list acl_out extended permit tcp any host 62.58.98.201 eq www
    access-list acl_out extended permit ip any host 62.58.98.197
    access-list acl_in extended permit tcp host 192.168.1.209 any eq smtp
    access-list acl_in extended permit tcp host 192.168.1.244 any eq smtp
    access-list acl_in extended deny tcp any any eq smtp
    access-list acl_in extended permit ip any any
    access-list acl_in extended permit icmp any any
    access-list policy_nat_mail194 extended permit tcp host 192.168.1.209 eq smtp any
    access-list policy_nat_bugzilla extended permit ip host 192.168.1.244 any
    access-list policy_nat_mail196 extended permit tcp host 192.168.1.209 eq smtp any
    access-list policy_nat_ftpnewtec5 extended permit tcp host 192.168.1.209 eq ftp any
    access-list policy_nat_web extended permit ip host 192.168.1.243 any
    access-list policy_nat_webmail extended permit tcp host 192.168.1.209 eq https any
    access-list policy_nat_mailhost extended permit tcp host 192.168.1.209 any eq smtp
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 64000
    logging monitor errors
    logging buffered warnings
    logging history informational
    mtu outside 1500
    mtu inside 1500
    no failover
    monitor-interface outside
    monitor-interface inside
    asdm image flash:/asdm
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 62.58.98.250
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp 62.58.98.194 smtp access-list policy_nat_mail194
    static (inside,outside) tcp 62.58.98.196 smtp access-list policy_nat_mail196
    static (inside,outside) tcp 62.58.98.195 https access-list policy_nat_webmail
    static (inside,outside) tcp 62.58.98.197 ftp access-list policy_nat_ftpnewtec5
    static (inside,outside) 62.58.98.201 access-list policy_nat_web
    static (inside,outside) 62.58.98.220 access-list policy_nat_bugzilla
    access-group acl_out in interface outside
    access-group acl_in in interface inside
    route outside 0.0.0.0 0.0.0.0 62.58.98.193 1
    route inside 192.168.0.0 255.255.0.0 172.16.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    username rpanis password xxxx privilege 15
    username fdoisneau password xxxx privilege 15
    username kulrix password bxxxx privilege 15
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    snmp-server location Gebouw A
    snmp-server contact "NTC ICT Engineering"
    snmp-server community newtec
    snmp-server enable traps snmp
    telnet timeout 5
    ssh 192.168.0.0 255.255.0.0 inside
    ssh timeout 30
    ssh version 2
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect icmp
    !
    service-policy global_policy global
    ntp server 192.168.1.242 source inside prefer
    smtp-server 192.168.1.209
    management-access inside


    Here's the output of debug fixup tcp:

    sftp: (192.168.1.209/21 <- 81.83.138.95/3421)
    sftp: ack 0
    adj_seq: seq = 3805431350, offset 0, alpha 0, beta 0
    adj_seq: ack = 0, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 -> 81.83.138.95/3421)
    sftp: ack 3805431351
    adj_seq: seq = 3777732464, offset 0, alpha 0, beta 0
    adj_seq: ack = 3805431351, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 <- 81.83.138.95/3421)
    sftp: ack 3777732465
    adj_seq: seq = 3805431351, offset 0, alpha 0, beta 0
    adj_seq: ack = 3777732465, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 -> 81.83.138.95/3421)
    adj_seq: seq = 3777732465, offset 0, alpha 0, beta 0
    adj_seq: ack = 3805431351, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 <- 81.83.138.95/3421)
    adj_seq: seq = 3805431351, offset 0, alpha 0, beta 0
    adj_seq: ack = 3777732497, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 -> 81.83.138.95/3421)
    adj_seq: seq = 3777732497, offset 0, alpha 0, beta 0
    adj_seq: ack = 3805431367, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 <- 81.83.138.95/3421)
    adj_seq: seq = 3805431367, offset 0, alpha 0, beta 0
    adj_seq: ack = 3777732530, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 -> 81.83.138.95/3421)
    adj_seq: seq = 3777732530, offset 0, alpha 0, beta 0
    adj_seq: ack = 3805431393, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 <- 81.83.138.95/3421)
    adj_seq: seq = 3805431393, offset 0, alpha 0, beta 0
    adj_seq: ack = 3777732573, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 -> 81.83.138.95/3421)
    adj_seq: seq = 3777732573, offset 0, alpha 0, beta 0
    adj_seq: ack = 3805431399, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 <- 81.83.138.95/3421)
    get_ftp_cmd: WARN: command length 5
    adj_seq: seq = 3805431399, offset 0, alpha 0, beta 0
    adj_seq: ack = 3777732595, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 -> 81.83.138.95/3421)
    adj_seq: seq = 3777732595, offset 0, alpha 0, beta 0
    adj_seq: ack = 3805431404, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 <- 81.83.138.95/3421)
    adj_seq: seq = 3805431404, offset 0, alpha 0, beta 0
    adj_seq: ack = 3777732625, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 -> 81.83.138.95/3421)
    adj_seq: seq = 3777732625, offset 0, alpha 0, beta 0
    adj_seq: ack = 3805431412, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 <- 81.83.138.95/3421)
    adj_seq: seq = 3805431412, offset 0, alpha 0, beta 0
    adj_seq: ack = 3777732648, offset 0, alpha 0, beta 0
    sftp: (192.168.1.209/21 -> 81.83.138.95/3421)
    reply: nating pasv reply
    ftp-nat: data port 10063 intercepted
    ftp-nat: PAT port is 10063
    ftp-nat: post-NAT data socket (62.58.98.197, 10063)
    sftp-back-channel: require-port, lport=20263 fport = 0
    cmd: back connection allocated

    I also got a denied packet to the port the fixup should have opened:
    May 19 2007 21:38:21: %PIX-2-106001: Inbound TCP connection denied from 81.83.138.95/3422 to 62.58.98.197/10063 flags SYN on interface outside


    Can anybody help me out with this, please?
    toetie, May 19, 2007
    #1
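The debug output above shows what the PIX FTP inspection does on the control channel: it intercepts the server's passive-mode reply, takes the data port out of it (10063), rewrites the private address to the translated outside address, and allocates a "back connection" pinhole for the client's data connection. The syslog line then shows a SYN to exactly that address and port being denied. The script below, an added example and not code from the original post or from Cisco, walks through those steps so the debug lines can be checked against the deny log: it decodes a 227 reply, rewrites it the way a NAT-aware inspector would, parses the %PIX-2-106001 message, and reports whether the denied flow is the expected data channel. The 227 reply is constructed for this example (the post does not show it; only the resulting port 10063 appears in the debug); the syslog line is the one from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data. The PASV reply is what the internal server would
# send, carrying its private address; 39*256+79 = 10063, the port seen in the
# "ftp-nat: data port 10063 intercepted" debug line. The syslog line is the
# 106001 message quoted in the post.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,209,39,79)\r\n"
SYSLOG_LINE = ("May 19 2007 21:38:21: %PIX-2-106001: Inbound TCP connection denied "
               "from 81.83.138.95/3422 to 62.58.98.197/10063 flags SYN on interface outside")

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
DENY_RE = re.compile(
    r"%PIX-\d-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>\S+) on interface (?P<iface>\w+)")


@dataclass(frozen=True)
class DataChannel:
    """Address and port the server advertised for the passive data connection."""
    host: str
    port: int


def parse_pasv(reply: str) -> DataChannel:
    """Decode a 227 reply: the six numbers are h1,h2,h3,h4,p1,p2 and the port is p1*256+p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV octets out of range")
    return DataChannel(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def rewrite_pasv(reply: str, public_ip: str, public_port: Optional[int] = None) -> str:
    """Rewrite a 227 reply the way a NAT-aware FTP inspector does ("nating pasv reply"
    in the debug): replace the server's private address, and optionally the port, with
    the translated outside values so the client connects to a reachable socket."""
    ch = parse_pasv(reply)
    port = ch.port if public_port is None else public_port
    octets = ",".join(public_ip.split("."))
    return f"227 Entering Passive Mode ({octets},{port // 256},{port % 256})\r\n"


def parse_deny(line: str) -> dict:
    """Pull source/destination/flags/interface out of a %PIX-x-106001 message."""
    m = DENY_RE.search(line)
    if not m:
        raise ValueError("not a 106001 deny message")
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def deny_matches_data_channel(line: str, expected: DataChannel, control_client: str) -> bool:
    """True when the denied SYN is the control-channel client's connection to the
    advertised data socket, i.e. the firewall dropped exactly the flow the inspector
    said it had allocated a back connection for."""
    d = parse_deny(line)
    return (d["dst"] == expected.host
            and d["dport"] == expected.port
            and d["src"] == control_client)


if __name__ == "__main__":
    private = parse_pasv(PASV_REPLY)
    print("server advertised:", private)
    rewritten = rewrite_pasv(PASV_REPLY, "62.58.98.197")
    print("after inspection :", rewritten.strip())
    public = parse_pasv(rewritten)
    hit = deny_matches_data_channel(SYSLOG_LINE, public, "81.83.138.95")
    print("denied SYN is the expected data channel:", hit)
```

Run against the values from the thread, the script confirms that the denied SYN (81.83.138.95 to 62.58.98.197/10063) is the very data connection the inspector announced as "back connection allocated", which is the mismatch worth taking to the next troubleshooting step rather than a stray scan hitting a random port.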
