Good Afternoon,
I have built an Apache web server running on FreeBSD and placed it in the DMZ of our Cisco 515E. I am trying to set up FTP from the internal LAN to the server. However, every time I try to FTP to the server, which resides in our DMZ, from the internal network, the connection times out. I can SSH to the server without any issues. I can also access the website that the web server is running via Internet Explorer. I can FTP to the server from other servers that are in the DMZ. If I put the server on the internal network and re-IP the server, it also works fine, which tells me it is something in the PIX that is blocking the traffic. I am fairly new to the PIX and not sure what I am doing wrong. Our network is like this. The address of the web server I am trying to FTP to is 192.168.0.11, named websvr1.

internet--------Pix------Internal network (128.1.0.0/16)
                 |
                 |
             DMZ (192.168.0.x/24)
Here is my config:
Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password MDcKsEiUi/kB2KJ9 encrypted
passwd MDcKsEiUi/kB2KJ9 encrypted
hostname pix
domain-name bmh.org
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.0.2 www
name 192.168.0.4 ems
name 192.168.0.6 csg
name 128.1.2.103 Mail
name 128.1.99.1 n2h2
name 128.1.99.100 Citrix
name 128.3.0.20 acs
name 64.37.254.214 Healthstream
name 128.1.2.18 Madonna
name 192.168.0.11 websvr1
access-list internet_access_in deny ip 12.19.228.0 255.255.255.0 any
access-list internet_access_in deny ip 200.0.0.0 255.0.0.0 any
access-list internet_access_in deny ip 80.0.0.0 255.0.0.0 any
access-list internet_access_in permit tcp any host 206.159.159.* eq smtp
access-list internet_access_in permit tcp any host 206.159.159.* eq https
access-list internet_access_in permit tcp any host 206.159.159.* eq www
access-list internet_access_in permit tcp any host 206.159.159.* eq www
access-list internet_access_in permit tcp any host 206.159.159.* eq https
access-list internet_access_in permit tcp any host 206.159.159.* eq citrix-ica
access-list internet_access_in permit tcp any host 206.159.159.* eq ftp
access-list internet_access_in permit tcp any host 206.159.159.* eq ftp-data
access-list internet_access_in permit tcp any host 206.159.159.* eq www
access-list internet_access_in permit icmp host 206.231.8.55 any echo-reply
access-list internet_access_in deny ip any any log
access-list 80 permit ip 128.1.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list 80 permit ip 128.1.0.0 255.255.0.0 128.100.0.0 255.255.0.0
access-list 80 permit ip 128.1.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list 80 permit ip 128.1.0.0 255.255.0.0 192.168.202.0 255.255.255.0
access-list 80 permit ip 128.2.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list 80 permit ip 128.3.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list 80 permit ip 128.6.0.0 255.255.0.0 192.168.201.0 255.255.255.0
access-list 80 permit ip host 128.2.10.1 150.2.0.0 255.255.0.0
access-list 80 permit ip host 128.2.10.3 150.2.0.0 255.255.0.0
access-list 80 permit ip any 192.168.202.0 255.255.255.224
access-list 80 permit ip host 128.2.2.4 192.68.48.0 255.255.252.0
access-list 80 permit ip host 128.2.2.3 192.68.48.0 255.255.252.0
access-list 80 permit ip host 128.2.2.2 192.68.48.0 255.255.252.0
access-list to-offsite permit ip 128.1.0.0 255.255.0.0 128.100.0.0 255.255.0.0
access-list ge-vpn permit ip host 128.2.10.1 150.2.0.0 255.255.0.0
access-list ge-vpn permit ip host 128.2.10.3 150.2.0.0 255.255.0.0
access-list to-valco permit ip host 128.200.0.100 host 128.6.0.100
access-list dmz2inside permit tcp host csg host Citrix eq www
access-list dmz2inside permit tcp host csg host Citrix eq 8081
access-list dmz2inside permit tcp host csg host Citrix eq https
access-list dmz2inside permit tcp host csg host Citrix eq citrix-ica
access-list dmz2inside permit tcp host csg host Citrix eq 3389
access-list muntz_splitTunnelAcl permit ip 128.1.0.0 255.255.0.0 any
access-list muntz_splitTunnelAcl permit ip 128.2.0.0 255.255.0.0 any
access-list muntz_splitTunnelAcl permit ip 128.3.0.0 255.255.0.0 any
access-list muntz_splitTunnelAcl permit ip 128.6.0.0 255.255.0.0 any
access-list muntz_splitTunnelAcl permit ip host 128.2.10.1 any
access-list muntz_splitTunnelAcl permit ip host 128.2.10.3 any
access-list bmhadmin_splitTunnelAcl permit ip 128.1.0.0 255.255.0.0 any
access-list bmhadmin_splitTunnelAcl permit ip 128.2.0.0 255.255.0.0 any
access-list bmhadmin_splitTunnelAcl permit ip 128.3.0.0 255.255.0.0 any
access-list bmhadmin_splitTunnelAcl permit ip 128.6.0.0 255.255.0.0 any
access-list bmhadmin_splitTunnelAcl permit ip host 128.2.10.1 any
access-list bmhadmin_splitTunnelAcl permit ip host 128.2.10.3 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip 128.1.0.0 255.255.0.0 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip 128.2.0.0 255.255.0.0 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip 128.3.0.0 255.255.0.0 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip 128.6.0.0 255.255.0.0 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip host 128.2.10.1 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip host 128.2.10.3 any
access-list BrooksVPNUsers_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_24 permit ip any 192.168.202.0 255.255.255.224
access-list to-phillips permit ip host 128.2.2.2 192.68.48.0 255.255.252.0
access-list to-phillips permit ip host 128.2.2.3 192.68.48.0 255.255.252.0
access-list to-phillips permit ip host 128.2.2.4 192.68.48.0 255.255.252.0
pager lines 24
logging timestamp
logging host inside 128.1.200.201
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 206.159.159.* 255.255.255.*
ip address inside 128.6.0.254 255.255.255.0
ip address dmz 192.168.0.1 255.255.255.0
no ip address intf3
no ip address intf4
no ip address intf5
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool bmhadmin 192.168.201.10-192.168.201.15
ip local pool bmhusers 192.168.200.10-192.168.200.50
ip local pool reiser 192.168.202.10
ip local pool muntz 192.168.202.11
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm location 128.1.0.0 255.255.0.0 inside
pdm location 128.2.10.1 255.255.255.255 inside
pdm location 128.2.10.3 255.255.255.255 inside
pdm location 128.100.0.0 255.255.0.0 outside
pdm location 150.2.0.0 255.255.0.0 outside
pdm location Mail 255.255.255.255 inside
pdm location 128.1.2.119 255.255.255.255 inside
pdm location n2h2 255.255.255.255 inside
pdm location Citrix 255.255.255.255 inside
pdm location 128.1.200.200 255.255.255.255 inside
pdm location 128.1.200.201 255.255.255.255 inside
pdm location 128.2.0.0 255.255.0.0 inside
pdm location 128.3.0.2 255.255.255.255 inside
pdm location 128.3.0.3 255.255.255.255 inside
pdm location acs 255.255.255.255 inside
pdm location 128.3.30.1 255.255.255.255 inside
pdm location 128.3.0.0 255.255.0.0 inside
pdm location 128.6.0.1 255.255.255.255 inside
pdm location 128.6.0.5 255.255.255.255 inside
pdm location 128.6.0.10 255.255.255.255 inside
pdm location 128.6.0.11 255.255.255.255 inside
pdm location 128.6.0.100 255.255.255.255 inside
pdm location 128.6.0.0 255.255.0.0 inside
pdm location www 255.255.255.255 dmz
pdm location ems 255.255.255.255 dmz
pdm location csg 255.255.255.255 dmz
pdm location 12.19.228.0 255.255.255.0 outside
pdm location 80.0.0.0 255.0.0.0 outside
pdm location 128.1.7.15 255.255.255.255 outside
pdm location 128.6.0.100 255.255.255.255 outside
pdm location 192.168.200.0 255.255.255.0 outside
pdm location 192.168.201.0 255.255.255.0 outside
pdm location 192.168.202.0 255.255.255.0 outside
pdm location 200.0.0.0 255.0.0.0 outside
pdm location 206.231.8.55 255.255.255.255 outside
pdm location 192.168.202.0 255.255.255.224 outside
pdm location Healthstream 255.255.255.255 outside
pdm location 192.68.48.0 255.255.252.0 outside
pdm location 128.2.2.2 255.255.255.255 inside
pdm location 128.2.2.3 255.255.255.255 inside
pdm location 128.2.2.4 255.255.255.255 inside
pdm location Madonna 255.255.255.255 inside
pdm location websvr1 255.255.255.255 dmz
pdm location 128.1.26.12 255.255.255.255 dmz
pdm logging debugging 100
pdm history enable
arp timeout 14400
global (outside) 1 206.159.159.137-206.159.159.140
global (outside) 1 206.159.159.141
global (dmz) 1 192.168.0.10-192.168.0.20
global (dmz) 1 192.168.0.254
nat (inside) 0 access-list 80
nat (inside) 1 128.3.0.2 255.255.255.255 0 0
nat (inside) 1 128.3.0.3 255.255.255.255 0 0
nat (inside) 1 128.3.30.1 255.255.255.255 0 0
nat (inside) 1 128.6.0.5 255.255.255.255 0 0
nat (inside) 1 128.6.0.10 255.255.255.255 0 0
nat (inside) 1 128.6.0.11 255.255.255.255 0 0
nat (inside) 1 128.1.0.0 255.255.0.0 0 0
nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 206.159.159.130 Mail netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.131 www netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.133 ems netmask 255.255.255.255 0 0
static (inside,outside) 128.200.0.100 128.6.0.100 netmask 255.255.255.255 0 0
static (outside,inside) 128.201.7.15 128.1.7.15 netmask 255.255.255.255 0 0
static (inside,dmz) Citrix Citrix netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.132 csg netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.135 websvr1 netmask 255.255.255.255 0 0
access-group internet_access_in in interface outside
access-group dmz2inside in interface dmz
route outside 0.0.0.0 0.0.0.0 206.159.159.129 1
route inside 128.1.0.0 255.255.0.0 128.6.0.1 1
route inside 128.2.0.0 255.255.0.0 128.6.0.1 1
route inside 128.3.0.0 255.255.0.0 128.6.0.1 1
route outside 192.68.48.0 255.255.252.0 212.159.204.78 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server acs protocol tacacs+
aaa-server acs (inside) host acs ecsk7s5a timeout 5
url-server (inside) vendor n2h2 host n2h2 port 4005 timeout 10 protocol TCP
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
filter url except 0.0.0.0 0.0.0.0 websvr1 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 www 255.255.255.255
filter url except 0.0.0.0 0.0.0.0 Healthstream 255.255.255.255
filter url except Mail 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.1.2.119 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.1.200.200 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.3.0.2 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.1.200.201 255.255.255.255 0.0.0.0 0.0.0.0
filter url except 128.3.0.3 255.255.255.255 0.0.0.0 0.0.0.0
filter url except Madonna 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
http server enable
http *.*.*.* *.*.*.* inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 128.1.0.0 255.255.0.0 inside
telnet 128.6.0.1 255.255.255.255 inside
telnet timeout 5
ssh timeout 60
console timeout 0
username ****** password MSe6wG5kXMTuRFcD encrypted privilege 15
terminal width 80
: end
[OK]
Thanks for all your help! Steve Johnson snipped-for-privacy@brookshospital.org
716 363 7302
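Added example for this thread (not part of the original post): the first thing to check in a posted PIX config when inside-to-DMZ traffic to one particular host fails is whether the dynamic NAT/PAT pool the PIX hands inside clients on the DMZ side (`global (dmz) ...`) overlaps a real DMZ host address. In the config above, `global (dmz) 1 192.168.0.10-192.168.0.20` contains `name 192.168.0.11 websvr1`, so an inside client translated to 192.168.0.11 would be talking to the server from the server's own address. The post does not confirm that this is what breaks FTP, but the script below makes the check mechanical: it parses `name`, `global`, `static` and `pdm location` lines and reports any host whose real address falls inside a pool on the same interface. The config excerpt is quoted from the posted configuration (only the unmasked `name`, `global`, `nat`, `static` and relevant `pdm location` lines); inferring a host's interface from the real side of a `static` and from host-mask `pdm location` lines is this script's own assumption.

```python
"""Flag hosts whose real address sits inside a PIX ``global`` NAT/PAT pool
bound to the same interface.

Added example; not from the original post. The excerpt below is quoted
from the posted PIX 6.3 configuration (masked 206.159.159.* lines omitted).
"""
import ipaddress
import re

POSTED_CONFIG_EXCERPT = """\
name 192.168.0.2 www
name 192.168.0.4 ems
name 192.168.0.6 csg
name 128.1.2.103 Mail
name 128.1.99.100 Citrix
name 192.168.0.11 websvr1
global (outside) 1 206.159.159.137-206.159.159.140
global (outside) 1 206.159.159.141
global (dmz) 1 192.168.0.10-192.168.0.20
global (dmz) 1 192.168.0.254
nat (inside) 1 128.1.0.0 255.255.0.0 0 0
nat (dmz) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) 206.159.159.130 Mail netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.131 www netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.133 ems netmask 255.255.255.255 0 0
static (inside,dmz) Citrix Citrix netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.132 csg netmask 255.255.255.255 0 0
static (dmz,outside) 206.159.159.135 websvr1 netmask 255.255.255.255 0 0
pdm location websvr1 255.255.255.255 dmz
pdm location 128.1.26.12 255.255.255.255 dmz
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+)")
# static (real_if,mapped_if) <mapped> <real> netmask <mask> ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
PDM_RE = re.compile(r"^pdm location (\S+) 255\.255\.255\.255 (\w+)$")


def parse_names(cfg):
    """Map the PIX ``name`` aliases (websvr1, Citrix, ...) to their addresses."""
    names = {}
    for line in cfg.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def resolve(token, names):
    return ipaddress.ip_address(names.get(token, token))


def parse_global_pools(cfg, names):
    """Return (interface, pool_id, low, high) for every ``global`` line.
    A single address is a PAT address (low == high); ``interface`` is skipped."""
    pools = []
    for line in cfg.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if not m or m.group(3) == "interface":
            continue
        iface, pool_id, rng = m.groups()
        lo, _, hi = rng.partition("-")
        lo_ip = resolve(lo, names)
        hi_ip = resolve(hi, names) if hi else lo_ip
        pools.append((iface, int(pool_id), lo_ip, hi_ip))
    return pools


def parse_hosts(cfg, names):
    """Real host addresses keyed by (interface, label).

    Assumption of this script: the real side of a /32 ``static`` lives on the
    first interface named in its parentheses, and a ``pdm location`` with a
    host mask names the interface the host sits behind."""
    hosts = {}
    for line in cfg.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m and m.group(5) == "255.255.255.255":
            real_if, _mapped_if, _mapped, real, _mask = m.groups()
            hosts[(real_if, real)] = resolve(real, names)
            continue
        m = PDM_RE.match(line)
        if m:
            host, iface = m.groups()
            hosts[(iface, host)] = resolve(host, names)
    return hosts


def find_pool_collisions(cfg):
    """List (interface, host_label, host_ip, pool_id, pool_range) for every
    host whose real address is inside a global pool on its own interface."""
    names = parse_names(cfg)
    pools = parse_global_pools(cfg, names)
    hosts = parse_hosts(cfg, names)
    findings = []
    for (iface, label), ip in sorted(hosts.items()):
        for pool_if, pool_id, lo, hi in pools:
            if pool_if == iface and lo <= ip <= hi:
                rng = str(lo) if lo == hi else f"{lo}-{hi}"
                findings.append((iface, label, str(ip), pool_id, rng))
    return findings


if __name__ == "__main__":
    for iface, label, ip, pool_id, rng in find_pool_collisions(POSTED_CONFIG_EXCERPT):
        print(f"{label} ({ip}) on {iface} overlaps global ({iface}) {pool_id} {rng}")
```

Run against the posted excerpt, the check reports exactly one overlap: websvr1 (192.168.0.11) on dmz against `global (dmz) 1 192.168.0.10-192.168.0.20`. With a range and a single address under the same pool ID, the PIX hands out range addresses one per inside host until the range is exhausted and only then falls back to PAT on the single address, so which inside client gets .11 depends on xlate order; `show xlate` on the PIX shows the current assignments. The usual remedy is a DMZ pool that contains no real DMZ host, or identity `static (inside,dmz)` entries for inside hosts that must reach the DMZ untranslated, followed by `clear xlate` so stale translations are dropped.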