Cisco PIX firewall problem...

hx009

Senior member
Nov 26, 1999
Does anyone know of a good forum where a lot of Cisco people hang out? I have an issue I need resolved with a Cisco PIX 515E, and have thus far been unable to find anyone qualified to assist me with it (requires knowing the Cisco PIX IOS and network configuration/layout). Any help would be greatly appreciated.

p.s. I already tried Tek-Tips.com and thus far have gotten no good responses...
 

spidey07

No Lifer
Aug 4, 2000
You could always call Cisco. Their support is pretty good. The web site has just about everything you would ever want to know and do with Cisco gear as well.

what's causing you trouble? nat, conduits, routing, VPN, crypto-maps, ACLs?
 

hx009

Senior member
Nov 26, 1999
Originally posted by: spidey07
You could always call Cisco. Their support is pretty good. The web site has just about everything you would ever want to know and do with Cisco gear as well.

what's causing you trouble? nat, conduits, routing, VPN, crypto-maps, ACLs?


I have a web server inside a DMZ and an FTP server on the inside interface...and I can't get the web server to see the FTP server. My config is:

ip address outside 62.3.2.162 255.255.255.224
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
global (outside) 1 62.3.2.171-62.3.2.189 netmask 255.255.255.224
global (outside) 1 62.3.2.190 netmask 255.255.255.224
global (dmz) 1 192.168.2.10-192.168.2.11 netmask 255.255.255.0
global (dmz) 1 192.168.2.254 netmask 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
static (inside,dmz) 192.168.2.10 192.168.3.4 netmask 255.255.255.255 0 0
conduit permit tcp host 192.168.3.4 eq ftp any

The web server is on the DMZ at address 192.168.2.10 and the FTP server is on the inside interface at 192.168.3.4. I figured if I had set up the static route between them, and then a conduit to allow traffic on the ftp port, everything should be cool. Well, it just doesn't work.

p.s. Those are just the pertinent parts of the config anyways. I can post the whole thing if need be.
 

Tallgeese

Diamond Member
Feb 26, 2001
Looks like the static command is wrong.
I believe yours is incorrect since your ftp and http servers are on different machines.
static command in PIX IOS maps addresses one-to-one THROUGH the PIX, as in mapping an inside address to an outside address.

my advice:
set static command to:
static (inside,dmz) 192.168.2.x 192.168.3.4 netmask 255.255.255.255 0 0
WHERE x = available address on 192.168.2.0 subnet

change your conduit command to:
conduit permit tcp host 192.168.3.4 eq ftp host 192.168.2.10

You may want to start with a more broad command, and winnow it down from there.

KIM: Not recommended to mix ACLs and conduit commands in the same PIX config.
If planning on (or already) using ACLs, you may want to formulate your conduit statement as an ACL command instead.

HTH

EDIT: Fixed my original advice, which neglected to take into account security levels on the different interfaces...Doh!
 

hx009

Senior member
Nov 26, 1999
Originally posted by: TallGeese
Looks like the static command is wrong.
I believe yours is incorrect since your ftp and http servers are on different machines.
static command in PIX IOS does NOT set static routes like in "normal" IOS.
static command in PIX IOS maps addresses one-to-one THROUGH the PIX, as in mapping an inside address to an outside address.

my advice:
remove the static command completely
change your conduit command to:
conduit permit tcp host 192.168.3.4 eq ftp host 192.168.2.10

You may want to start with a more broad command, and winnow it down from there.
You may also need another command allowing traffic to originate in the other direction, depending on how you plan to transfer data between the two.

KIM: Not recommended to mix ACLs and conduit commands in the same PIX config.
If planning on (or already) using ACLs, you may want to formulate your conduit statement as an ACL command instead.

HTH

I'll rip out the static command and modify the conduit command and see what happens when I get to work (at home right now). As far as conduit vs ACL... the entire system was set up using static/conduit vs ACLs by a professional contractor recommended through UUNet. I'm obviously nowhere near qualified enough to configure one of these from scratch, or drastically change what he already did. We just don't want to go back to him to make this one simple change because he wants some ridiculous amount like ~$200 to do it and figured we can "fudge it" ourselves, so I appreciate the help :)
 

hx009

Senior member
Nov 26, 1999
Well, I ripped out the static line and tried to do this as you said:

conduit permit tcp host 192.168.3.4 eq ftp host 192.168.2.10

No go. 192.168.2.10 (DMZ ip) could not FTP to 192.168.3.4 (inside IP). As an exercise to make sure they could communicate at all, I temporarily put an FTP server on the DMZ box and successfully FTP'd to it from inside. That tells me there's a route between them and they're perfectly capable of communicating. So I "widened" the hole and did:

conduit permit tcp host 192.168.3.4 host 192.168.2.10

And could STILL not FTP from 192.168.2.10 -> 192.168.3.4. Any other ideas? Here's my FULL config if you need to take a look at it: Link
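As an added example (not from any poster in this thread), here is how the DMZ-to-inside FTP path is normally expressed on a PIX 6.x with conduits, using the addresses from the posted config. It assumes 192.168.2.20 is a free address on the DMZ subnet (the original static reused 192.168.2.10, which is already the web server's own address), and it permits only what the thread describes: the web server on the DMZ reaching the inside FTP server, nothing broader.

```cisco
! Added example, not the poster's config. Interface addressing as posted:
!   inside 192.168.3.1/24 (security 100), dmz 192.168.2.1/24, outside 62.3.2.162/27
!
! 1. Traffic from a lower-security interface (dmz) to a higher-security one
!    (inside) needs a translation that gives the inside host an address on the
!    dmz side. 192.168.2.20 is assumed free; it must NOT collide with the
!    web server at 192.168.2.10 or the dmz global pool 192.168.2.10-11/.254.
static (inside,dmz) 192.168.2.20 192.168.3.4 netmask 255.255.255.255 0 0

! 2. A conduit is written against the MAPPED (global) address, not the real
!    inside address. Syntax: conduit permit <proto> <global_ip> [eq port] <foreign_ip>
!    Only the DMZ web server may open FTP control connections to the mapped
!    address of the inside FTP server.
conduit permit tcp host 192.168.2.20 eq ftp host 192.168.2.10

! 3. The FTP fixup (on by default) inspects the control channel and opens the
!    data-channel pinhole dynamically, so no extra conduit for port 20 or
!    passive-mode high ports is needed. Verify it is still enabled:
fixup protocol ftp 21

! 4. On the DMZ box, FTP to the mapped address 192.168.2.20, not 192.168.3.4.
!    Useful checks while testing (not config lines):
!      show xlate            -> expect 192.168.3.4 <-> 192.168.2.20
!      show conduit          -> conduit above present with a hit count
!      clear xlate           -> run after changing a static so the old entry
!                               does not linger

! ACL equivalent if the config is later migrated away from conduits entirely
! (do not mix conduits and ACLs, as noted earlier in the thread):
!   access-list dmz_in permit tcp host 192.168.2.10 host 192.168.2.20 eq ftp
!   access-group dmz_in in interface dmz
```

The earlier test of FTPing from inside to the DMZ only exercises the higher-to-lower direction, which the nat/global pair already allows, so it does not confirm the lower-to-higher path that this static/conduit pair provides.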