Re: PIX 7.22 FTP Problem




"nk-services" <jerry@xxxxxxxxxxxxx> wrote in message
news:1177975324.503788.160670@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I just updated to PIX v7.22 code. FTP worked great before. After
update, FTP is broken on all Internet Explorer 7 clients and only
works intermittently on Internet Explorer v6.0. I have about 20 end-
users who rely on FTP. I do not do Anonymous FTP. Part of my research
led to a port speed/duplex mismatch, so I checked my HP 2524 and PIX
515. Indeed, there was a mismatch, so I corrected it. Here is my PIX
config. Thanks in advance for the help.

!
PIX Version 7.2(2)
!
hostname
domain-name
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0
description This is the Outside/LOWER/PUBLIC Security Interface
nameif outside
security-level 0
ip address x.x.x.106 255.255.255.248
!
interface Ethernet1
description This is the Inside/Higher/Private Security Interface
nameif inside
security-level 100
ip address x.x.x.1 255.255.255.0
!
interface Ethernet2
description This is the DMZ/Middle Security Interface
shutdown
nameif intf2
security-level 4
no ip address
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name digitalti.net
access-list 101 extended permit tcp any host x.x.x.106 eq smtp
access-list 101 extended permit tcp any host x.x.x.106 eq 3389
access-list 101 extended permit tcp any host x.x.x.106 eq 3391
access-list 101 extended permit tcp any host x.x.x.106 eq www
access-list 101 extended permit tcp any host x.x.x.106 eq ftp
access-list 101 extended permit tcp any gt 1023 host x.x.x.106 eq ftp-data
pager lines 24
logging trap debugging
logging asdm informational
logging host inside x.x.x.x
mtu outside 1500
mtu inside 1500
mtu intf2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 x.x.x.108-x.x.x.109 netmask 255.255.255.248
global (outside) 1 x.x.x.107 netmask 255.255.255.248
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.106 smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.106 www 192.168.1.20 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.106 3391 192.168.1.23 3391 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.106 ftp 192.168.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.106 3389 192.168.1.20 3389 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http x.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
telnet x.x.x.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ftp
!
service-policy global_policy global
tftp-server inside x.x.x.23\04252007-pix.txt
prompt hostname context




Syslog output
2007-04-30 18:10:08 Local4.Info 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from {public ip}/1230 to {public ip}/21 flags RST ACK on interface outside
2007-04-30 18:10:08 Local4.Debug 192.168.1.1 %PIX-7-609002: Teardown local-host outside:{public ip} duration 0:00:00


You're missing your FTP-Data static.
static (inside,outside) tcp x.x.x.106 ftp-data 192.168.1.20 ftp-data netmask 255.255.255.255
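The reply's diagnosis, expressed as a config check you can run before a cutover: an added example, not code from this thread. It scans PIX `static (inside,outside) tcp` port-redirect lines for an `ftp` forward that has no `ftp-data` forward to the same internal host (the condition that breaks active-mode transfers here) and checks that `inspect ftp` is present; the config excerpts are constructed from the poster's config, and the regexes only cover the port-redirect static form used in it.

```python
import re

# Constructed excerpt of the poster's PIX 7.2 config (addresses redacted as on the page).
BROKEN_CONFIG = """\
access-list 101 extended permit tcp any host x.x.x.106 eq ftp
access-list 101 extended permit tcp any gt 1023 host x.x.x.106 eq ftp-data
static (inside,outside) tcp x.x.x.106 ftp 192.168.1.20 ftp netmask 255.255.255.255
static (inside,outside) tcp x.x.x.106 www 192.168.1.20 www netmask 255.255.255.255
  inspect ftp
"""

# Same excerpt with the ftp-data static the reply recommends added.
FIXED_CONFIG = BROKEN_CONFIG + (
    "static (inside,outside) tcp x.x.x.106 ftp-data 192.168.1.20 ftp-data "
    "netmask 255.255.255.255\n"
)

# Only the "static (hi,lo) tcp <ext_ip> <ext_port> <int_ip> <int_port> netmask ..."
# port-redirect form is parsed; 1:1 statics and UDP redirects are ignored (assumption).
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")


def audit_ftp_statics(config):
    """Return findings for FTP port-forwards whose active-mode data channel
    (server port 20, outbound) cannot be mapped back to the same public IP."""
    statics = {}
    inspect_ftp = False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "inspect ftp":
            inspect_ftp = True
            continue
        m = STATIC_RE.match(line)
        if m:
            _hi, _lo, ext_ip, ext_port, int_ip, int_port = m.groups()
            statics[(ext_ip, ext_port)] = (int_ip, int_port)

    findings = []
    for (ext_ip, ext_port), (int_ip, _) in statics.items():
        if ext_port != "ftp":
            continue
        data = statics.get((ext_ip, "ftp-data"))
        if data is None:
            findings.append(f"{ext_ip}: ftp static to {int_ip} has no ftp-data static")
        elif data[0] != int_ip:
            findings.append(f"{ext_ip}: ftp-data static points at {data[0]}, not {int_ip}")
    if statics and not inspect_ftp:
        findings.append("inspect ftp is not enabled; no dynamic pinholes for data channels")
    return findings
```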
