Unable to ftp to server in DMZ PIX 515e

Good Afternoon,

I have built an apache webserver running on FreeBSD and placed it in the DMZ of our Cisco 515e. I am trying to set up ftp from the internal LAN to the server. However, every time I try to ftp to the server, which resides in our DMZ, from the internal network the connection times out. I can SSH to the server without any issues. I can also access the website that the webserver is running via Internet Explorer. I can ftp to the server from other servers that are in the DMZ. If I put the server on the internal network and re-ip the server it also works fine, which tells me it is something in the PIX that is blocking the traffic. I am fairly new to the PIX and not sure what I am doing wrong. Our network is like this. The address of the web server I am trying to ftp to is 192.168.0.11, named websvr1.

internet--------Pix------Internal network (128.1.0.0/16)
                 |
                 |
             DMZ (192.168.0.x/24)

Here is my config:

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password MDcKsEiUi/kB2KJ9 encrypted
passwd MDcKsEiUi/kB2KJ9 encrypted
hostname pix
domain-name bmh.org
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.2 www
name 192.168.0.4 ems
name 192.168.0.6 csg
name 128.1.2.103 Mail
name 128.1.99.1 n2h2
name 128.1.99.100 Citrix
name 128.3.0.20 acs
name 64.37.254.214 Healthstream
name 128.1.2.18 Madonna
name 192.168.0.11 websvr1
access-list internet_access_in deny ip 12.19.228.0 255.255.255.0 any
access-list internet_access_in deny ip 200.0.0.0 255.0.0.0 any
access-list internet_access_in deny ip 80.0.0.0 255.0.0.0 any
access-list internet_access_in permit tcp any host 206.159.159.* eq smtp
access-list internet_access_in permit tcp any host 206.159.159.* eq https
access-list internet_access_in permit tcp any host 206.159.159.* eq www
access-list internet_access_in permit tcp any host 206.159.159.* eq www
access-list internet_access_in permit tcp any host 206.159.159.* eq https
access-list internet_access_in permit tcp any host 206.159.159.* eq citrix-ica
access-list internet_access_in permit tcp any host 206.159.159.* eq ftp
access-list internet_access_in permit tcp any host 206.159.159.* eq ftp-data
access-list internet_access_in permit tcp any host 206.159.159.* eq www
access-list internet_access_in permit icmp host 206.231.8.55 any echo-reply
access-list internet_access_in deny ip any any log
access-list 80 permit ip 128.1.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list 80 permit ip 128.1.0.0 255.255.0.0 128.100.0.0 255.255.0.0
access-list 80 permit ip 128.1.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list 80 permit ip 128.1.0.0 255.255.0.0 192.168.202.0 255.255.255.0
access-list 80 permit ip 128.2.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list 80 permit ip 128.3.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list 80 permit ip 128.6.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list 80 permit ip host 128.2.10.1 150.2.0.0 255.255.0.0
access-list 80 permit ip host 128.2.10.3 150.2.0.0 255.255.0.0
access-list 80 permit ip any 192.168.202.0 255.255.255.224
access-list 80 permit ip host 128.2.2.4 192.68.48.0 255.255.252.0
access-list 80 permit ip host 128.2.2.3 192.68.48.0 255.255.252.0
access-list 80 permit ip host 128.2.2.2 192.68.48.0 255.255.252.0
access-list to-offsite permit ip 128.1.0.0 255.255.0.0 128.100.0.0 255.255.0.0
access-list ge-vpn permit ip host 128.2.10.1 150.2.0.0 255.255.0.0
access-list ge-vpn permit ip host 128.2.10.3 150.2.0.0 255.255.0.0
access-list to-valco permit ip host 128.200.0.100 host 128.6.0.100
access-list dmz2inside permit tcp host csg host Citrix eq www
access-list dmz2inside permit tcp host csg host Citrix eq 8081
access-list dmz2inside permit tcp host csg host Citrix eq https
access-list dmz2inside permit tcp host csg host Citrix eq citrix-ica
access-list dmz2inside permit tcp host csg host Citrix eq 3389
access-list muntz_splitTunnelAcl permit ip 128.1.0.0 255.255.0.0 any
access-list muntz_splitTunnelAcl permit ip 128.2.0.0 255.255.0.0 any
access-list muntz_splitTunnelAcl permit ip 128.3.0.0 255.255.0.0 any
access-list muntz_splitTunnelAcl permit ip 128.6.0.0 255.255.0.0 any
access-list muntz_splitTunnelAcl permit ip host 128.2.10.1 any
access-list muntz_splitTunnelAcl permit ip host 128.2.10.3 any
access-list bmhadmin_splitTunnelAcl permit ip 128.1.0.0 255.255.0.0 any
access-list bmhadmin_splitTunnelAcl permit ip 128.2.0.0 255.255.0.0 any
access-list bmhadmin_splitTunnelAcl permit ip 128.3.0.0 255.255.0.0 any
access-list bmhadmin_splitTunnelAcl permit ip 128.6.0.0 255.255.0.0 any
access-list bmhadmin_splitTunnelAcl permit ip host 128.2.10.1 any
access-list bmhadmin_splitTunnelAcl permit ip host 128.2.10.3 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip 128.1.0.0 255.255.0.0 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip 128.2.0.0 255.255.0.0 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip 128.3.0.0 255.255.0.0 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip 128.6.0.0 255.255.0.0 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip host 128.2.10.1 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip host 128.2.10.3 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_24 permit ip any 192.168.202.0 255.255.255.224
access-list to-phillips permit ip host 128.2.2.2 192.68.48.0 255.255.252.0
access-list to-phillips permit ip host 128.2.2.3 192.68.48.0 255.255.252.0
access-list to-phillips permit ip host 128.2.2.4 192.68.48.0 255.255.252.0
pager lines 24
logging timestamp
logging host inside 128.1.200.201
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 206.159.159.* 255.255.255.*
ip address inside 128.6.0.254 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool bmhadmin 192.168.201.10-192.168.201.15
ip local pool bmhusers 192.168.200.10-192.168.200.50
ip local pool reiser 192.168.202.10
ip local pool muntz 192.168.202.11
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 128.1.0.0 255.255.0.0 inside
pdm location 128.2.10.1 255.255.255.255 inside
pdm location 128.2.10.3 255.255.255.255 inside
pdm location 128.100.0.0 255.255.0.0 outside
pdm location 150.2.0.0 255.255.0.0 outside
pdm location Mail 255.255.255.255 inside
pdm location 128.1.2.119 255.255.255.255 inside
pdm location n2h2 255.255.255.255 inside
pdm location Citrix 255.255.255.255 inside
pdm location 128.1.200.200 255.255.255.255 inside
pdm location 128.1.200.201 255.255.255.255 inside
pdm location 128.2.0.0 255.255.0.0 inside
pdm location 128.3.0.2 255.255.255.255 inside
pdm location 128.3.0.3 255.255.255.255 inside
pdm location acs 255.255.255.255 inside
pdm location 128.3.30.1 255.255.255.255 inside
pdm location 128.3.0.0 255.255.0.0 inside
pdm location 128.6.0.1 255.255.255.255 inside
pdm location 128.6.0.5 255.255.255.255 inside
pdm location 128.6.0.10 255.255.255.255 inside
pdm location 128.6.0.11 255.255.255.255 inside
pdm location 128.6.0.100 255.255.255.255 inside
pdm location 128.6.0.0 255.255.0.0 inside
pdm location www 255.255.255.255 dmz
pdm location ems 255.255.255.255 dmz
pdm location csg 255.255.255.255 dmz
pdm location 12.19.228.0 255.255.255.0 outside
pdm location 80.0.0.0 255.0.0.0 outside
pdm location 128.1.7.15 255.255.255.255 outside
pdm location 128.6.0.100 255.255.255.255 outside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location 192.168.201.0 255.255.255.0 outside
pdm location 192.168.202.0 255.255.255.0 outside
pdm location 200.0.0.0 255.0.0.0 outside
pdm location 206.231.8.55 255.255.255.255 outside
pdm location 192.168.202.0 255.255.255.224 outside
pdm location Healthstream 255.255.255.255 outside
pdm location 192.68.48.0 255.255.252.0 outside
pdm location 128.2.2.2 255.255.255.255 inside
pdm location 128.2.2.3 255.255.255.255 inside
pdm location 128.2.2.4 255.255.255.255 inside
pdm location Madonna 255.255.255.255 inside
pdm location websvr1 255.255.255.255 dmz
pdm location 128.1.26.12 255.255.255.255 dmz
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 206.159.159.137-206.159.159.140
global (outside) 1 206.159.159.141
global (dmz) 1 192.168.0.10-192.168.0.20
global (dmz) 1 192.168.0.254
nat (inside) 0 access-list 80
nat (inside) 1 128.3.0.2 255.255.255.255 0 0
nat (inside) 1 128.3.0.3 255.255.255.255 0 0
nat (inside) 1 128.3.30.1 255.255.255.255 0 0
nat (inside) 1 128.6.0.5 255.255.255.255 0 0
nat (inside) 1 128.6.0.10 255.255.255.255 0 0
nat (inside) 1 128.6.0.11 255.255.255.255 0 0
nat (inside) 1 128.1.0.0 255.255.0.0 0 0
nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 206.159.159.130 Mail netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.131 www netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.133 ems netmask 255.255.255.255 0 0
static (inside,outside) 128.200.0.100 128.6.0.100 netmask 255.255.255.255 0 0
static (outside,inside) 128.201.7.15 128.1.7.15 netmask 255.255.255.255 0 0
static (inside,dmz) Citrix Citrix netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.132 csg netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.135 websvr1 netmask 255.255.255.255 0 0
access-group internet_access_in in interface outside
access-group dmz2inside in interface dmz
route outside 0.0.0.0 0.0.0.0 206.159.159.129 1
route inside 128.1.0.0 255.255.0.0 128.6.0.1 1
route inside 128.2.0.0 255.255.0.0 128.6.0.1 1
route inside 128.3.0.0 255.255.0.0 128.6.0.1 1
route outside 192.68.48.0 255.255.252.0 212.159.204.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server acs protocol tacacs+
aaa-server acs (inside) host acs ecsk7s5a timeout 5
url-server (inside) vendor n2h2 host n2h2 port 4005 timeout 10 protocol TCP
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
filter url except 0.0.0.0 0.0.0.0 websvr1 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 www 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 Healthstream 255.255.255.255
filter url except Mail 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.1.2.119 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.1.200.200 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.3.0.2 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.1.200.201 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.3.0.3 255.255.255.255 0.0.0.0 0.0.0.0
filter url except Madonna 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
http server enable
http *.*.*.* *.*.*.* inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 128.1.0.0 255.255.0.0 inside
telnet 128.6.0.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 60
console timeout 0
username ****** password MSe6wG5kXMTuRFcD encrypted privilege 15
terminal width 80
: end
[OK]

Thanks for all your help! Steve Johnson snipped-for-privacy@brookshospital.org

716 363 7302
Reply to
Newbie72
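As an added example (mine, not from the thread or from Cisco), a small parser over a constructed excerpt of the config posted above: it classifies the inside-to-dmz flow by security level, records whether the ftp fixup is on, and lists any named host whose address falls inside a global pool. It is a consistency check to read alongside the config, not a diagnosis of the timeout.

```python
import ipaddress

# Constructed excerpt of the PIX 6.3(1) config posted above (only lines the checks use).
PIX_CONFIG = """
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
fixup protocol ftp 21
name 192.168.0.2 www
name 192.168.0.11 websvr1
global (outside) 1 206.159.159.137-206.159.159.140
global (dmz) 1 192.168.0.10-192.168.0.20
global (dmz) 1 192.168.0.254
nat (inside) 1 128.1.0.0 255.255.0.0 0 0
"""

def parse_pix(cfg):
    """Collect interface security levels, name bindings, global pools and fixups."""
    levels, names, pools, fixups = {}, {}, [], set()
    for line in cfg.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "nameif":
            levels[p[2]] = int(p[3].replace("security", ""))
        elif p[0] == "name":
            names[p[2]] = p[1]
        elif p[0] == "global":
            lo, _, hi = p[3].partition("-")          # single address or lo-hi range
            pools.append((p[1].strip("()"), int(p[2]), lo, hi or lo))
        elif p[:2] == ["fixup", "protocol"]:
            fixups.add(p[2])
    return levels, names, pools, fixups

def flow_kind(levels, src, dst):
    """Higher-to-lower flows pass by default given a nat/global pair; lower-to-higher
    flows need a static plus an access-list on the lower-security interface."""
    return "high-to-low" if levels[src] > levels[dst] else "low-to-high"

def pool_overlaps(names, pools):
    """Named hosts whose address falls inside a global pool: a client translated to
    that address would appear on the segment with the address of that server."""
    hits = []
    for iface, _, lo, hi in pools:
        lo_a, hi_a = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        for host, ip in names.items():
            if lo_a <= ipaddress.IPv4Address(ip) <= hi_a:
                hits.append((iface, f"{lo}-{hi}", host, ip))
    return hits
```

Running `parse_pix(PIX_CONFIG)` and feeding the pieces to the two checks gives the direction of the flow, the fixup status and any pool overlap to review.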

You need to upgrade your software. Upgrade to at least 6.3(4) to get rid of the known security holes; upgrade to 6.3(5) to get a hundred or more bug fixes. Also, since you don't have much PIX 6 experience, you might want to jump directly to PIX 7.1(1).

Anyhow, as best I recall, there were ftp problems in PIX 6.3(1).

[Note: I didn't look at the configuration once I saw the software version.]
Reply to
Walter Roberson

> You need to upgrade your software. Upgrade to at least 6.3(4) to get rid of the known security holes; upgrade to 6.3(5) to get a hundred or more bug fixes. Also, since you don't have much PIX 6 experience, you might want to jump directly to PIX 7.1(1).
>
> Anyhow, as best I recall, there were ftp problems in PIX 6.3(1).
>
> [Note: I didn't look at the configuration once I saw the software version.]

Are there any problems I should be aware of when upgrading? Will it overwrite any of my current configuration? About how long do you think it will take?

Steve Johnson Network Administrator

Reply to
Newbie72

In article , Newbie72 wrote: [without attribution or quotation indicator] [I wrote]

No, it's usually a very smooth process. About the only exception I have found is if your configuration is really pushing the memory usage limit: in that case, the difference in image sizes can take you over the edge into problems you would have run into eventually.

Yes. There are a small number of new facilities introduced along the way in 6.3(*), so the PIX will create new configuration lines for those.

When you upgrade PIX versions, it is always a good idea to first save your configuration to a tftp server, then do the upgrade, then reboot (as part of the upgrade), then "write memory" to get the automatic changes saved into memory, then save that new configuration to a different file on the tftp server, then compare the two configuration files in case of surprises.

The actual upgrade part is less than 5 minutes. Preparing the tftp server (if you don't have one already) and cross-checking the new configuration "just in case" will take time dependent on the complexity of your configuration and your knowledge of PIX.

If I recall correctly, somewhere around 6.3(3), the PIX moves a few lines much further up in the configuration file than was the case before. If you have a good visual file comparison tool such as "xdiff" then the movement of the line becomes obvious and clearly nothing to worry about; but if you are trying to manually go through line by line without a good comparison tool then this movement of lines might confuse at first.

Reply to
Walter Roberson
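The save, upgrade, "write memory", save-again, compare procedure above, as an added example that is not from the thread: a comparison of the two saved configuration files that ignores the header lines the PIX rewrites on every save and reports lines that only moved separately from lines that were really added or removed. The before/after snippets are constructed; file names and the noise-line prefixes are assumptions.

```python
# Header/trailer lines the PIX rewrites on every save; a difference there is expected.
NOISE_PREFIXES = ("Building configuration", ": Saved", ": end", "PIX Version",
                  "Cryptochecksum")

def clean_lines(cfg):
    """Config lines worth comparing: trimmed, non-empty, minus save-time noise."""
    out = []
    for line in cfg.splitlines():
        line = line.strip()
        if line and not line.startswith(NOISE_PREFIXES):
            out.append(line)
    return out

def config_delta(before, after):
    """Compare two saved configs. Returns the lines the upgrade removed, the lines
    it added (e.g. defaults for facilities new in a later 6.3 release) and whether
    the surviving lines were merely reordered, which is not a change in behaviour."""
    old, new = clean_lines(before), clean_lines(after)
    old_set, new_set = set(old), set(new)
    removed = [l for l in old if l not in new_set]
    added = [l for l in new if l not in old_set]
    # Surviving lines in each file's own order; if the sequences differ, something moved.
    kept_old = [l for l in old if l in new_set]
    kept_new = [l for l in new if l in old_set]
    return {"removed": removed, "added": added, "reordered": kept_old != kept_new}

# Constructed before/after snippets modelled on the posted config (not real saves).
BEFORE = """: Saved
PIX Version 6.3(1)
fixup protocol ftp 21
nameif ethernet2 dmz security50
telnet timeout 5
: end
"""
AFTER = """: Saved
PIX Version 6.3(5)
nameif ethernet2 dmz security50
fixup protocol ftp 21
telnet timeout 5
ssh timeout 60
: end
"""

if __name__ == "__main__":
    for key, value in config_delta(BEFORE, AFTER).items():
        print(key, value)
```

On real files, read both tftp copies into strings and pass them to `config_delta`; the "reordered" flag tells you whether a noisy line-by-line diff is just the movement described above.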

I put a call into Cisco on this issue... we have a support contract.... I have also downloaded the conversion guide. Cisco says all Pix 515e UR licensed devices need to be upgraded to 128M of RAM to run 7.0. I also see once I upgrade to 7.0 I can upgrade the PDM software and use more updated versions of VM. I have ordered the stick. Hopefully I can fix this without doing the upgrade first and then I will upgrade after it is working. Otherwise sometime next week I will have to schedule some after hours downtime.....

Thanks,

Steve

Reply to
Newbie72

In article , Newbie72 wrote: [quoting me without attribution]

Sorry, my earlier answer about 5 minutes and minimal changes applied for an upgrade within PIX 6.3, such as to PIX 6.3(5).

Upgrades to PIX 7.0 or PIX 7.1 will result in a major rewrite of the configuration file. I would not recommend going from 6.3(1) to 7.x on a production firewall without a lab-test first. (Which is often difficult to schedule if it is your only firewall...)

Reply to
Walter Roberson

> Upgrades to PIX 7.0 or PIX 7.1 will result in a major rewrite of the configuration file. I would not recommend going from 6.3(1) to 7.x on a production firewall without a lab-test first. (Which is often difficult to schedule if it is your only firewall...)

Unfortunately this is my only PIX. I have read a fair amount of the guide to upgrade to 7.x. I saw where it changes a significant amount of commands as well as the config. Thanks for the advice.

Steve

Reply to
Newbie72
