Port 21 forwarding on PIX 501

Okay gurus,

Can someone tell me if this config is correct? My ftp server 192.168.1.13 is behind the PIX. Here are the lines:

access-list inbound permit tcp any host 192.168.1.13 eq ftp
static (inside,outside) tcp interface ftp 192.168.1.13 ftp netmask 255.255.255.255 0 0
access-group inbound in interface outside

Anything wrong here? I don't know; I can't connect from outside. I get timed out.

-- kennylee88

No.

access-list inbound permit tcp any interface outside eq ftp

When you apply an access list to an outside interface, the source and destination fields should reflect what you would expect to see in the incoming packets, -before- any Network Address Translation (NAT) has taken place.

-- Walter Roberson

Thanks Walter for the quick reply,

So, I need to add this line in my config?

access-list inbound permit tcp any interface outside eq ftp

Let me give it a try.


-- kennylee88

Okay, that works!! What if I have another ftp server? How would I config it?

-- kennylee88

Please do not "top-post": you should take the material you are replying to, trim it down to -just- the part you want to talk about, and intermix your questions or comments with the specific parts of what you are replying to. Your style of putting the answer at the top makes your postings harder to read, and anyone who replies to your posting has to manually edit your remarks to appear in context in order to produce something that resembles a sensible conversation.

You appear to be using googlegroups, so you might be thinking "but people could just scroll up if they wanted to read what was posted before". There are, though, many people who use other interfaces that do not allow them to easily see the previous conversations. In particular, few of the "old hands" (the people who are most likely to be able to answer your questions) use googlegroups as googlegroups is just too inefficient when you have hundreds of messages to read every day.

If you only have a single outside interface IP, then you cannot configure a second ftp server -- not unless you configure it to use a different port. Some ftp clients make it difficult to specify an alternate port to connect to.

To configure another ftp server with a different port on the outside PIX interface, then

static (inside,outside) tcp interface OTHERPORT SECONDHOST 21 netmask 255.255.255.255

access-list inbound permit tcp any interface outside eq OTHERPORT

fixup protocol ftp 21 OTHERPORT

(Note: due to the way that ftp works, although the main connections will be to OTHERPORT, there will also be connections to the port one lower than that; those connections will automatically be allowed for by the PIX, provided that you configure the fixup. Just make sure you don't configure OTHERPORT to be immediately after something else you are using.)

-- Walter Roberson
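As an added example (not from the thread, and not Cisco's tooling), here is a small Python checker for the two pitfalls Walter describes: an access-list applied on the outside interface must name the pre-NAT destination (`interface outside`, not the inside host), and an ftp static on a non-standard outside port needs a matching `fixup protocol ftp` entry with the port one below it left free. It only understands the simplified command forms quoted in the thread, treats port 21 as fixed up by default (the PIX default), and the sample configs at the bottom are constructed from the thread's lines plus hypothetical second and third servers.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Service names the PIX accepts instead of numbers (subset, assembled for this example).
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "https": 443}


def port_number(token: str) -> int:
    """Translate a port token (number or service name) to an integer."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown port token: {token}")


@dataclass
class Static:
    outside_port: int
    inside_host: str
    inside_port: int


@dataclass
class AclEntry:
    name: str
    dest: str      # "interface outside" or an IP address
    port: int


# Only the simplified command forms seen in the thread are recognised (assumption).
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask 255\.255\.255\.255")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any (?:host (\S+)|(interface outside)) eq (\S+)")
FIXUP_RE = re.compile(r"^fixup protocol ftp (.+)$")


def parse_config(text: str) -> Tuple[List[Static], List[AclEntry], Set[int]]:
    statics: List[Static] = []
    acls: List[AclEntry] = []
    fixup_ports: Set[int] = {21}   # PIX enables 'fixup protocol ftp 21' by default
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append(Static(port_number(m[1]), m[2], port_number(m[3])))
        elif m := ACL_RE.match(line):
            acls.append(AclEntry(m[1], m[2] or m[3], port_number(m[4])))
        elif m := FIXUP_RE.match(line):
            fixup_ports.update(port_number(t) for t in m[1].split())
    return statics, acls, fixup_ports


def check_config(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means both pitfalls are avoided."""
    statics, acls, fixup_ports = parse_config(text)
    findings: List[str] = []

    # Pitfall 1: the outside ACL is evaluated before NAT, so the destination must be the
    # outside interface, not the inside (translated) host address.
    inside_hosts = {s.inside_host for s in statics}
    for a in acls:
        if a.dest in inside_hosts:
            findings.append(f"access-list {a.name}: destination {a.dest} is the inside "
                            f"(post-NAT) address; use 'interface outside'")

    # Pitfall 2: an ftp static on outside port P needs 'fixup protocol ftp P', and the PIX
    # will also pass connections on P-1, so P-1 must not be handed to another static.
    used_outside = {s.outside_port for s in statics}
    for s in statics:
        if s.inside_port != 21:
            continue
        if s.outside_port not in fixup_ports:
            findings.append(f"static to {s.inside_host}: outside port {s.outside_port} "
                            f"has no 'fixup protocol ftp' entry")
        if s.outside_port - 1 in used_outside:
            findings.append(f"static to {s.inside_host}: outside port {s.outside_port - 1} "
                            f"is also in use; ftp on {s.outside_port} expects it free")
    return findings


# Constructed sample configs: the original post, the corrected ACL, and a second server.
ORIGINAL_POST = """
access-list inbound permit tcp any host 192.168.1.13 eq ftp
static (inside,outside) tcp interface ftp 192.168.1.13 ftp netmask 255.255.255.255 0 0
access-group inbound in interface outside
"""
CORRECTED = ORIGINAL_POST.replace("host 192.168.1.13", "interface outside")
TWO_SERVERS = CORRECTED + """
static (inside,outside) tcp interface 2122 192.168.1.14 21 netmask 255.255.255.255
access-list inbound permit tcp any interface outside eq 2122
fixup protocol ftp 21 2122
"""
# A third static that takes OTHERPORT-1, which the ftp fixup on 2122 relies on.
TWO_SERVERS_COLLIDING = TWO_SERVERS + \
    "static (inside,outside) tcp interface 2121 192.168.1.15 www netmask 255.255.255.255\n"
TWO_SERVERS_NO_FIXUP = TWO_SERVERS.replace("fixup protocol ftp 21 2122\n", "")

if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL_POST), ("corrected", CORRECTED),
                       ("two servers", TWO_SERVERS), ("colliding", TWO_SERVERS_COLLIDING),
                       ("no fixup", TWO_SERVERS_NO_FIXUP)]:
        print(label, "->", check_config(cfg) or "OK")
```

Run it as a script to see each sample config reported; `check_config` flags the original post's `host 192.168.1.13` destination, passes the corrected and two-server configs, and flags the colliding port and the missing fixup.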

Thanks again, I really appreciate the help!! Thank you!!!

-- kennylee88

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.