Help with internal FTP server on Cisco Pix 506E

Hi all --

I know this one has been gone over a lot, however I'm stuck. Reading through and trying the various messages on this topic has not helped.

I have an internal (192.168.1.x) server that is hosting FTP. Works fine internally.

I want to PAT with the CISCO Pix 506E so that users can FTP into the server and upload files, download, etc.

So far nothing has worked, neither the PDM nor the command line. I've enclosed the configuration below. This has taken far longer than I expected; I would greatly appreciate any help.

[I can SSH to an outside box, no problem. But I can't FTP from that box back into the server "Canal" ]

pixfirewall# show config
: Saved
: Written by ******** at 17:40:56.188 GMT/BDT Wed May 24 2006
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password _________________ encrypted
passwd ________________________ encrypted
hostname pixfirewall
domain-name me.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.xx Canal
object-group service SSH_group tcp
  port-object eq ssh
object-group service FTP_group tcp
  description FTP
  port-object eq ftp
object-group service webservices tcp
  port-object eq ftp
access-list outside_access_in remark SSH
access-list outside_access_in permit tcp any object-group SSH_group any object-group SSH_group
access-list outside_access_in remark FTP Service
access-list outside_access_in permit tcp any object-group FTP_group any object-group FTP_group
access-list outside_access_in remark FTP
access-list outside permit tcp any host Canal eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 75.7.239.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Canal 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) Canal 75.7.239.233 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.7.239.238 1
route outside 75.7.239.233 255.255.255.255 75.7.239.238 1
route outside 75.7.239.233 255.255.255.255 Canal 2
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 206.13.29.12 206.13.30.12
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd enable inside
-- fwallace99

> object-group FTP_group

That is only going to match if the source port is 21 and the destination port is 21. Take out the first object-group FTP_group.

Notice that that second line has a different access list name. It is therefore not part of the outside_access_in as might be implied by the remark directly above.

Changing the ACL name will help, as the reference is to the *internal* host IP, but ACLs applied to the outside interface must refer to the *public* host IP.

Besides, once the FTP_group line is fixed this other line will be redundant. Just remove it -- there are some other reasons not to try to salvage it.

That's a NAT configuration, not a PAT configuration. And in PIX 6.x, you cannot NAT the outside IP address by IP number.

static (inside,outside) tcp interface ftp Canal ftp netmask 255.255.255.255 0 0

Those last two route statements are wrong and should be removed.

Your DHCP pool overlaps with your definition of host Canal, which is going to cause problems for you.

-- Walter Roberson

Walter --

OK, I've made the following changes (and I'm obviously missing something here). [Reminder: I want to have the firewall route/allow to my internal FTP server (which gets its DHCP from the firewall, max lease time), and also now add an internal web server, also routeable from the outside.]

Maybe someone has an example setup working for their internal FTP or Web Servers routable and accessible to the outside?

Mucho thanks to anyone who can help; I sort of work on this in spurts as I can break away from other things.

pixfirewall(config)# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXX encrypted
passwd YYYYYYYYYYYYYYYYYYY encrypted
hostname pixfirewall
domain-name vitalmedianet.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.21 Canal
object-group service SSH_group tcp
  port-object eq ssh
access-list outside_access_in remark SSH
access-list outside_access_in permit tcp any object-group SSH_group any object-group SSH_group

#I had access-list stuff added for FTP, as above for SSH, didn't work

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 75.7.239.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Canal 255.255.255.255 outside
pdm location 75.7.239.233 255.255.255.255 inside
pdm location Canal 255.255.255.255 inside
pdm location 192.168.1.11 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

# Why won't this route work?
static (inside,outside) tcp 75.7.239.233 ftp Canal ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 75.7.239.233 www 192.168.1.11 www netmask 255.255.255.255 0 0
#obviously missing something

access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.7.239.238 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 206.13.29.12 206.13.30.12
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd enable inside
...
[OK]
pixfirewall(config)#


-- fwallace99

You cannot do that with a PIX 506E unless the DHCP pool is exactly one address wide and that host is the *only* host getting its address from the DHCP pool -- not unless the addresses in the DHCP pool are public IP addresses and you permit telnet to *all* of them.

There is no mechanism in PIX 6.x DHCP to reserve a particular IP for a particular MAC address (host), so the internal FTP server might be given any address in the pool. There is no mechanism in PIX 6.x to associate a static external address (or port on the interface IP) with a particular internal MAC, so if you want to be able to ftp to the server from outside, every IP in the DHCP pool must be static'd (or nat 0 access-list) or every IP in the DHCP pool must be port forwarded via a different external port.

If you want a host to be a server accessible from outside the PIX, you should ensure that it has a fixed IP address. PIX 6.x DHCP cannot provide that for you (except in the trivial single-address-pool case.)

-- Walter Roberson

Walter that part I got.

Since I'm going to be managing the system anyway, I set the lease time to max amount (I think it's something like 200 days or so), and if need be I'll just change the routing in the Pix to route to the new IP anyway when the lease rolls over around 6 mos or so.

It's a small office, fairly "flat" in hierarchy; so I need DHCP internally, if need be I can set manual IPs outside a specified range etc.

I'm OK with kludging either way. What I'm having difficulty with is my static route and access list are not allowing FTP or WWW access (I can SSH to my outside box and use Lynx or FTP to connect to other sites but not my external IP):

[ANY suggestions here greatly appreciated]

pixfirewall# write terminal
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NNNNNNNNNNNNNN encrypted
passwd NNNNNNNNNNNNNNNNNNN encrypted
hostname pixfirewall
domain-name vitalmedianet.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.21 Canal
object-group service SSH_group tcp
  port-object eq ssh

;Yeah I know, "any any" is bad practice, however even wide open
;here is not working. What gives?
access-list Inbound permit tcp any any eq www
access-list Inbound permit tcp any any eq ftp

pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 75.7.239.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Canal 255.255.255.255 outside
pdm location 75.7.239.233 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

; shouldn't these work?
static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Canal ftp netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 75.7.239.238 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd dns 206.13.29.12 206.13.30.12
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd enable inside
username admin password NNNNNNNNNNNNNNN encrypted privilege 15
username floyd password NNNNNNNNNNNNNNNNNNNNNNN encrypted privilege 15
terminal width 80
Cryptochecksum:NNNNNNNNNNNNNNNNNNNNNNNNNN
: end
[OK]
pixfirewall#


-- fwallace99

You are missing,

access-group Inbound in interface outside

-- Walter Roberson
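Everything Walter flags in his two answers (an ACL that constrains the source port as well as the destination port, an ACL name that no access-group ever applies, a one-to-one static against the interface address instead of a port static with the `interface` keyword, route statements for the firewall's own address, a DHCP pool that contains the server, and the missing `access-group` line) can be checked mechanically before pasting a config in. The linter below is an added example, not something from this thread or from Cisco; its check names are its own, and the two sample configs are constructed from the lines posted above: `BROKEN_CONFIG` trims the first posted config to the relevant lines, while `FIXED_CONFIG` is the shape the answers recommend (port static on the interface address, ACL naming the public address and actually applied, server address left out of the DHCP pool), written for illustration rather than tested on a PIX.

```python
"""Lint a PIX 6.x config for the mistakes raised in this thread (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: the relevant lines of the first posted config, trimmed.
BROKEN_CONFIG = """\
name 192.168.1.21 Canal
object-group service FTP_group tcp
  port-object eq ftp
access-list outside_access_in permit tcp any object-group FTP_group any object-group FTP_group
access-list outside permit tcp any host Canal eq ftp
ip address outside 75.7.239.233 255.255.255.0
static (inside,outside) Canal 75.7.239.233 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.7.239.238 1
route outside 75.7.239.233 255.255.255.255 75.7.239.238 1
route outside 75.7.239.233 255.255.255.255 Canal 2
dhcpd address 192.168.1.2-192.168.1.254 inside
"""

# Constructed: the same intent written the way the answers recommend (illustrative).
FIXED_CONFIG = """\
name 192.168.1.21 Canal
ip address outside 75.7.239.233 255.255.255.0
access-list Inbound permit tcp any host 75.7.239.233 eq ftp
access-group Inbound in interface outside
static (inside,outside) tcp interface ftp Canal ftp netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 75.7.239.238 1
dhcpd address 192.168.1.2-192.168.1.20 inside
"""


def _ip(token):
    """IPv4Address for a token, or None when the token is not an address."""
    try:
        return ipaddress.IPv4Address(token)
    except ValueError:
        return None


def lint(config_text):
    """Return (check, detail) findings; an empty list means nothing was flagged."""
    names, service_groups = {}, set()
    acls, applied = defaultdict(list), set()
    statics, routes, pools = [], [], []
    outside_ip = outside_net = None

    for raw in config_text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":                                  # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "object-group" and t[1] == "service":
            service_groups.add(t[2])
        elif t[0] == "ip" and t[1:3] == ["address", "outside"]:
            outside_ip = _ip(t[3])
            outside_net = ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            acls[t[1]].append(t)
        elif t[0] == "access-group":
            applied.add(t[1])
        elif t[0] == "static":
            statics.append(t)
        elif t[0] == "route":
            routes.append(t)
        elif t[0] == "dhcpd" and t[1] == "address":
            lo, hi = t[2].split("-")
            pools.append((_ip(lo), _ip(hi)))

    def res(token):                                         # alias -> address
        return _ip(names.get(token, token))

    findings = []
    for acl, entries in acls.items():
        if acl not in applied:                              # never bound by access-group
            findings.append(("ACL_NOT_APPLIED", acl))
        for t in entries:
            groups = [t[i + 1] for i, tok in enumerate(t) if tok == "object-group"]
            # "any object-group G any object-group G" also constrains the client's
            # source port, and a client's ephemeral source port is never 21.
            if len(groups) == 2 and groups[0] == groups[1] and groups[0] in service_groups:
                findings.append(("ACL_MATCHES_SOURCE_PORT", " ".join(t)))
    for t in statics:
        if t[2] in ("tcp", "udp"):                          # port static (PAT)
            mapped, real = t[3], t[5]
            if outside_ip and res(mapped) == outside_ip:    # 6.x wants the "interface" keyword
                findings.append(("STATIC_USE_INTERFACE_KEYWORD", " ".join(t)))
        else:                                               # one-to-one static (NAT)
            mapped, real = t[2], t[3]
            if outside_ip and outside_ip in (res(mapped), res(real)):
                findings.append(("STATIC_TO_INTERFACE_IP", " ".join(t)))
        for a in (res(mapped), res(real)):                  # server inside the DHCP pool?
            if a and any(lo <= a <= hi for lo, hi in pools):
                findings.append(("DHCP_POOL_OVERLAP", str(a)))
    for t in routes:
        dest, gw = res(t[2]), res(t[4])
        if outside_ip and dest == outside_ip:               # route to our own address
            findings.append(("ROUTE_TO_OWN_ADDRESS", " ".join(t)))
        elif gw and outside_net and gw not in outside_net:  # next hop not on outside
            findings.append(("ROUTE_GATEWAY_NOT_ON_OUTSIDE", " ".join(t)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "clean")
```

Run against `BROKEN_CONFIG` it reports six findings, one per point in the answers; against `FIXED_CONFIG` it reports none. Feeding it the second posted config, which uses `static (inside,outside) tcp 75.7.239.233 ftp Canal ftp ...`, produces the single `STATIC_USE_INTERFACE_KEYWORD` finding, which is the "cannot NAT the outside IP address by IP number" point.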

Walter ---

Thanks yeah I need the access-group too ... but it's still not working:

access-list Inbound permit tcp any any eq www
access-list Inbound permit tcp any any eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 75.7.239.233 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location Canal 255.255.255.255 outside
pdm location 75.7.239.233 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.11 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp Canal ftp netmask 255.255.255.255 0 0

: Added, still no go.
access-group Inbound in interface outside
route outside 0.0.0.0 0.0.0.0 75.7.239.238 1

Show Logging:

106015: Deny TCP (no connection) from 192.168.1.12/49773 to 207.115.63.79/110 flags ACK on interface inside #my internal network box
305012: Teardown dynamic TCP translation from inside:192.168.1.19/1981 to outside:75.7.239.233/4341 duration 0:00:31
710005: UDP request discarded from 192.168.1.19/631 to inside:192.168.1.255/631
302014: Teardown TCP connection 384740 for outside:63.199.111.91/22 to inside:192.168.1.12/49769 duration 0:05:27 bytes 17872 TCP Reset-O #above I'm trying to FTP from my external server into the internal server here in the office.
106015: Deny TCP (no connection) from 63.199.111.91/22 to 75.7.239.233/4288 flags RST on interface outside #OK obviously Pix is denying the FTP traffic on Port 22.
305012: Teardown dynamic TCP translation from inside:192.168.1.16/50468 to outside:75.7.239.233/4342 duration 0:00:31
106023: Deny icmp src outside:75.7.239.238 dst inside:75.7.239.233 (type 3, code 0) by access-group "Inbound" # Hmmm ... what's this? Obviously it's traffic from our gateway/router trying to get to "Inbound" but being denied.
302014: Teardown TCP connection 384819 for outside:64.202.189.148/80 to inside:192.168.1.16/50470 duration 0:00:27 bytes 21511 TCP FINs
305012: Teardown dynamic UDP translation from inside:192.168.1.12/49374 to outside:75.7.239.233/1501 duration 0:00:31
305012: Teardown dynamic TCP translation from inside:192.168.1.12/49772 to outside:75.7.239.233/4343 duration 0:00:31 #traffic from my box here on the LAN in the office.
305012: Teardown dynamic TCP translation from inside:192.168.1.16/50469 to outside:75.7.239.233/4344 duration 0:00:31

Pretty weird. Dunno why Cisco Pix is first tearing down the port 22 connection from my .91 box and then denying it. Maybe I'm just channeling Homer Simpson here.


-- fwallace99
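When a port forward is being tested, the quickest read of `show logging` is to group messages by ID, separate the 106xxx deny messages (the PIX dropped a packet) from the 302xxx/305xxx connection and translation bookkeeping, and pull out only the lines whose endpoints involve the forwarded port. The parser below is an added example written for this thread, not part of it or of any Cisco tool; `SAMPLE_LOG` is a constructed sample assembled from the lines posted above, and the function names are the example's own. Run for port 21 it finds no line at all that mentions the FTP port: the posted capture shows an SSH session on port 22 being torn down and a late RST for it being dropped, plus an ICMP unreachable from the upstream router blocked by the Inbound ACL, but no inbound FTP attempt reaching the outside interface.

```python
"""Triage PIX 6.x 'show logging' output while testing an inbound port forward.

Added example, not part of the thread. SAMPLE_LOG is a constructed sample
made from the lines posted above; the function names are this example's own.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
106015: Deny TCP (no connection) from 192.168.1.12/49773 to 207.115.63.79/110 flags ACK on interface inside
305012: Teardown dynamic TCP translation from inside:192.168.1.19/1981 to outside:75.7.239.233/4341 duration 0:00:31
710005: UDP request discarded from 192.168.1.19/631 to inside:192.168.1.255/631
302014: Teardown TCP connection 384740 for outside:63.199.111.91/22 to inside:192.168.1.12/49769 duration 0:05:27 bytes 17872 TCP Reset-O
106015: Deny TCP (no connection) from 63.199.111.91/22 to 75.7.239.233/4288 flags RST on interface outside
106023: Deny icmp src outside:75.7.239.238 dst inside:75.7.239.233 (type 3, code 0) by access-group "Inbound"
302014: Teardown TCP connection 384819 for outside:64.202.189.148/80 to inside:192.168.1.16/50470 duration 0:00:27 bytes 21511 TCP FINs
305012: Teardown dynamic TCP translation from inside:192.168.1.16/50469 to outside:75.7.239.233/4344 duration 0:00:31
"""

# "%PIX-6-302014: ..." in a real syslog feed, bare "302014: ..." as posted here
MSG_RE = re.compile(r"^(?:%PIX-\d-)?(?P<id>\d{6}): (?P<text>.*)$")
# [iface:]a.b.c.d[/port]; the interface prefix and the port are both optional
ENDPOINT_RE = re.compile(
    r"(?:(?P<iface>[a-z]+):)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<port>\d+))?"
)
WHERE_RE = re.compile(r'on interface (\w+)|by access-group "([^"]+)"')


def parse_line(line):
    """Return {'id', 'text', 'endpoints'} for one message, or None if not one."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    endpoints = [
        (e.group("iface"), e.group("ip"), int(e.group("port")) if e.group("port") else None)
        for e in ENDPOINT_RE.finditer(m.group("text"))
    ]
    return {"id": m.group("id"), "text": m.group("text"), "endpoints": endpoints}


def triage(log_text, service_port):
    """Count message ids, list what was denied and where, and collect every
    line whose endpoints involve service_port (the port being forwarded)."""
    by_id, denies, port_hits = Counter(), [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_id[rec["id"]] += 1
        if rec["id"].startswith("106"):          # 106xxx: the PIX dropped the packet
            w = WHERE_RE.search(rec["text"])
            if w and w.group(1):
                where = "interface " + w.group(1)
            elif w:
                where = "access-group " + w.group(2)
            else:
                where = "unknown"
            denies.append((rec["id"], where))
        if any(port == service_port for _, _, port in rec["endpoints"]):
            port_hits.append(rec)
    return {"by_id": by_id, "denies": denies, "port_hits": port_hits}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, 21)
    print("messages by id:", dict(result["by_id"]))
    print("denies:", result["denies"])
    print("lines touching port 21:", len(result["port_hits"]))
```

An empty `port_hits` for port 21 means the capture never saw the FTP attempt, so it cannot say whether the static or the ACL is at fault. The useful next step is to retry the connection from the outside host while the buffer is logging at informational level (connection builds are 302013, drops are 106xxx) and then look specifically for a line naming `75.7.239.233/21`; a 106023 against it points at the ACL, a build followed by a teardown points past the firewall to the server.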
