PIX 515e Passive FTP Help

    Hello Everyone,

    I need a bit of help figuring out the commands I need to use to configure our PIX 515e device. We have a financial application that has a function which uploads files to an external source through FTP. The process is performed entirely through the application and goes out on port 990 but returns on a random port in the range of 23600-23609.

    What I need to do is to configure the PIX 515e to allow outside connections back through the PIX that come from 23600-23609 to 3 specific workstations. We only have one external IP address which is identified by 142.x.x.x. The internal network is represented by 10.1.0.x.

    If anyone can help me out: I am not familiar at all with these devices, but it needs to be done and I can use all the help I can get.

    Below is my Show Run output.


    pixfirewall(config)# show run
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password sUh51JfF84zKYNlu encrypted
    passwd sUh51JfF84zKYNlu encrypted
    hostname pixfirewall
    domain-name generalbank.ca
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol ftp 990
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol pptp 1723
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    object-group service CannexFTP tcp
    port-object range 23600 23609
    object-group service 72_Ports tcp
    description Port Forwards for 20099-20228
    port-object range 20099 20228
    access-list exchange permit icmp any any
    access-list exchange permit tcp any host 142.x.x.x eq https
    access-list exchange permit tcp any host 142.x.x.x eq www
    access-list exchange permit tcp any host 142.x.x.x eq ftp
    access-list exchange permit tcp any host 142.x.x.x eq domain
    access-list exchange permit udp any host 142.x.x.x eq domain
    access-list exchange permit tcp any host 142.x.x.x eq 3389
    access-list exchange permit tcp any host 142.x.x.x eq pptp
    access-list exchange permit tcp host 207.176.143.5 host 142.x.x.x eq smtp
    access-list exchange permit tcp host 204.209.44.106 host 142.x.x.x eq smtp
    access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    access-list NO-NAT permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
    access-list IPSEC-VPN permit ip 10.1.0.0 255.255.255.0 192.168.60.0 255.255.255.0
    access-list IPSEC-VPN permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
    access-list l2tp permit udp host 142.x.x.x any eq 1701
    pager lines 24
    logging on
    logging timestamp
    logging console critical
    logging monitor critical
    logging trap warnings
    logging host inside 10.1.0.100
    logging host inside 10.1.0.104
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute retry 10
    ip address inside 10.1.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    global (outside) 1 interface
    nat (inside) 0 access-list NO-NAT
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp 142.x.x.x https 10.1.0.100 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x www 10.1.0.100 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x ftp 10.1.0.100 ftp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x 3389 10.1.0.100 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x smtp 10.1.0.100 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp 142.x.x.x pptp 10.1.0.100 pptp netmask 255.255.255.255 0 0
    access-group exchange in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    floodguard enable
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 10.1.0.0 255.255.255.0 inside
    ssh timeout 60
    management-access inside
    console timeout 0
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcprelay server 10.1.0.100 outside
    terminal width 80
    Cryptochecksum:cc1cba76e61c1039ebd0d74a32929c3d
    : end


    Thanks in advance.

    Brad
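As an added example (not part of Brad's post, any reply, or Cisco's own tooling), a small Python checker that parses the access-list, static, access-group and ssh lines of a show-run in the format above and reports what the config actually exposes to the internet: a port is reachable from outside only when the ACL bound to the outside interface permits it AND a static forwards it to an inside host, which is why the CannexFTP object-group in the dump, referenced by neither, currently does nothing. The excerpt it runs on is a constructed subset of the posted dump.

```python
import re
from collections import defaultdict

# Constructed excerpt of the show-run posted above (PIX 6.3 syntax), not the full dump.
SHOW_RUN = """\
access-list exchange permit tcp any host 142.x.x.x eq https
access-list exchange permit tcp any host 142.x.x.x eq 3389
access-list exchange permit tcp host 207.176.143.5 host 142.x.x.x eq smtp
access-list exchange permit tcp host 204.209.44.106 host 142.x.x.x eq smtp
access-list exchange permit tcp any host 142.x.x.x eq domain
static (inside,outside) tcp 142.x.x.x https 10.1.0.100 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x 3389 10.1.0.100 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 142.x.x.x smtp 10.1.0.100 smtp netmask 255.255.255.255 0 0
access-group exchange in interface outside
ssh 0.0.0.0 0.0.0.0 outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) (any|host \S+) host \S+ eq (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (tcp|udp) \S+ (\S+) (\S+) \S+ netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface outside$")

def audit(text):
    """Report what the config exposes to the internet: a service is reachable from
    outside only when the ACL on the outside interface permits it AND a static
    translates that outside port to an inside host."""
    acl_rules = defaultdict(list)   # acl name -> [(proto, source, port)]
    statics = {}                    # (proto, outside port) -> inside host
    outside_acl, ssh_from_any = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acl_rules[m[1]].append((m[2], m[3], m[4]))
        elif m := STATIC_RE.match(line):
            statics[(m[1], m[2])] = m[3]
        elif m := GROUP_RE.match(line):
            outside_acl = m[1]
        elif line == "ssh 0.0.0.0 0.0.0.0 outside":   # SSH management open to any source
            ssh_from_any = True
    exposed, dangling = {}, []      # exposed: (proto, port) -> (inside host, [sources])
    for proto, src, port in acl_rules.get(outside_acl, []):
        if (proto, port) in statics:
            exposed.setdefault((proto, port), (statics[(proto, port)], []))[1].append(src)
        else:                        # permitted by the ACL but nothing forwards it inside
            dangling.append((proto, port))
    open_to_any = sorted(p for (_, p), (_, srcs) in exposed.items() if "any" in srcs)
    return {"exposed": exposed, "dangling": dangling,
            "open_to_any": open_to_any, "ssh_from_any": ssh_from_any}
```

Running `audit(SHOW_RUN)` on the excerpt shows 3389 (RDP) forwarded to 10.1.0.100 from any source, SMTP restricted to the two listed hosts, the `domain` permit with no static behind it, and SSH to the firewall itself allowed from any outside address.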