34 answers
Hello,
Can you explain a little more about what you are trying to do and specify the version level of your PIX?
Hello,
My PIX is version 6.35. My configuration is the factory setting (no additional commands). I have a fixed external IP (with Free)
I would like to
- have a PC that serves as an FTP server (the FTP server is GuildFTP installed on Win98, works well internally)
- know in general how to open a specific port or how to forward a port to a specific PC: for example, I use UltraVNC which requires port 5900 to be redirected to the IP of the server PC or some applications require a particular port to be open
- finally, know if there is a document summarizing the main programming principles of the PIX without having to go through the 600 incomprehensible and unmanageable pages of the PIX reference document
Thank you for your help,
Marc
Hello,
There is no documentation but ready-made examples (which are hard to find).
I never took the time to document it either (my clients have all managed without it).
If you are on 6.3(5), here’s how to add a static translation (to allow access to a server from the outside):
translation for FTP (you need to specify the ports as you only have one public IP)
static (inside,outside) tcp PUBLIC_ADDRESS ftp REAL_ADDRESS ftp [netmask 255.255.255.255] [dns]
- the public address is the address you give to the machine on the outside (probably that of the PIX) or one from the network between the modem and the PIX
- the real address is the IP address of the machine on the internal network
- the first option (netmask ...) is unnecessary because the PIX will handle it by itself
- the second option (dns) allows the PIX to correct DNS responses (unnecessary in your case)
You can use the principle of this command for any other protocol (if the protocol name is unknown - as for VNC - you can use the port number)
Then you will need to open an access-list to allow communication:
access-list ACL_NAME permit tcp any host PUBLIC_ADDRESS eq ftp
- ACL_NAME is the name of the access-list; this name will be used to assign the access-list to an interface
- any => we do not know the IP address that will connect in advance
- host PUBLIC_ADDRESS => the "public" address of the server defined in the translation, or you could use another format: PUBLIC_ADDRESS MASK, but this format is clearer for a single IP
- eq ftp = the DESTINATION port must equal 21 (ftp) - there are other options like gt (greater than)
Finally, you need to apply the access-list to the interface in question:
access-group ACL_NAME in interface outside
P.S.: I assumed that the names of the interfaces were inside and outside (the usual standard), but if this is not the case you need to adjust the commands accordingly.
There you go ...
Hello,
Thank you first of all for all this information. I had found something similar on the Cisco website, but I still can't access the FTP server (by entering ftp://PUBLIC_ADDRESS) while I can access it internally...
How can I check what is blocking? (I haven't tried for VNC, but I will try anyway)
To check if the PIX is blocking, you can enter the command "show log".
Have you also done translation on the modem?
At worst, send me a private message and we will see your PIX configuration.
Translation on the modem? Sorry, I don't know! (it's a standard Freebox modem, without the router function activated)
My config is below...
Thank you again!
Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ACLOUT permit tcp any host 88.166.222.78 eq ftp
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.9 255.255.255.255 inside
pdm location 192.168.1.19 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 88.166.222.78 ftp 192.168.1.19 ftp netmask 255.255.255.255 0 0
access-group ACLOUT in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:17ebe0bab980b4c633c90e238132bc49
: end
[OK]
If the BOX is not in router mode, then it's all good.
However, there is an "inconsistency" in the configuration.
If the "outside" interface is in DHCP, you cannot use the same address for translation, but you need to "tell" the PIX to use its own address.
Therefore, I suggest entering the following commands in your PIX:
clear xlate ! to free up the translations
no static (inside,outside) tcp 88.166.222.78 ftp 192.168.1.19 ftp netmask 255.255.255.255 0 0 ! to delete the existing translation
static (inside,outside) tcp interface ftp 192.168.1.19 ftp ! to create the new translation
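The three commands explained earlier in the thread (static, access-list, access-group) only work as a set, and the inconsistency just pointed out (a literal public address in the static while the outside interface is on DHCP) is easy to miss by eye. The following script is an added example, not Cisco tooling or anything posted by the participants: it reads a PIX 6.3 configuration, pairs every static port translation with the access-list entry that lets the port in, and reports the DHCP/literal-address mismatch, statics with no matching permit, permits with no matching static, unapplied access-lists, and logging left off (the reason `show log` stays empty). The sample configuration is constructed to mirror the one posted above; the regexes only understand the command forms that appear in this thread, and `logging on` is assumed to be the PIX 6.3 command that enables logging.

```python
"""Consistency checks for the PIX 6.3 'static + access-list + access-group'
pattern described in this thread (added example, not Cisco's own tooling)."""
import re
from typing import Dict, List

# Constructed sample, modelled on the configuration posted in this thread:
# the outside interface gets its address by DHCP, the FTP static uses the
# literal public address, and ACLOUT is applied inbound on outside.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list ACLOUT permit tcp any host 88.166.222.78 eq ftp
access-list ACLOUT permit tcp any host 88.166.222.78 eq 5900
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 88.166.222.78 ftp 192.168.1.19 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 80 192.168.1.19 80
access-group ACLOUT in interface outside
"""

# Service names the PIX accepts in place of port numbers (subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80, "http": 80}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
# Only the 'permit <proto> any host <addr> eq <port>' form used in the thread.
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")
DHCP_RE = re.compile(r"^ip address (\S+) dhcp")


def port_num(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def check_pix_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the pattern is consistent."""
    statics: List[Dict] = []
    acls: List[Dict] = []
    applied: Dict[str, str] = {}   # access-list name -> interface it is applied to
    dhcp_ifs = set()
    logging_on = False             # assumed PIX 6.3 syntax: 'logging on'
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _in_if, out_if, proto, g_ip, g_port, l_ip, l_port = m.groups()
            statics.append(dict(out_if=out_if, proto=proto, g_ip=g_ip,
                                g_port=port_num(g_port), l_ip=l_ip, l_port=port_num(l_port)))
        elif m := ACL_RE.match(line):
            name, proto, host, port = m.groups()
            acls.append(dict(name=name, proto=proto, host=host, port=port_num(port)))
        elif m := GROUP_RE.match(line):
            applied[m.group(1)] = m.group(2)
        elif m := DHCP_RE.match(line):
            dhcp_ifs.add(m.group(1))
        elif line == "logging on":
            logging_on = True

    findings: List[str] = []
    for s in statics:
        # The inconsistency pointed out in the thread: a literal public address
        # in the static while that interface is addressed by DHCP.
        if s["out_if"] in dhcp_ifs and s["g_ip"] != "interface":
            findings.append(f"static for {s['l_ip']}:{s['l_port']} uses literal {s['g_ip']} "
                            f"but {s['out_if']} is DHCP; use the 'interface' keyword")
        # A translation is useless unless an applied access-list lets the port in.
        permits = [a for a in acls if a["proto"] == s["proto"] and a["port"] == s["g_port"]
                   and applied.get(a["name"]) == s["out_if"]]
        if not permits:
            findings.append(f"no applied access-list permits {s['proto']}/{s['g_port']} "
                            f"on {s['out_if']} for the static to {s['l_ip']}")
        elif s["g_ip"] != "interface" and all(a["host"] != s["g_ip"] for a in permits):
            findings.append(f"access-list permits {s['proto']}/{s['g_port']} but to a different "
                            f"host than the static's {s['g_ip']}")
    unapplied_reported = set()
    for a in acls:
        iface = applied.get(a["name"])
        if iface is None:
            if a["name"] not in unapplied_reported:
                unapplied_reported.add(a["name"])
                findings.append(f"access-list {a['name']} is never applied with access-group")
        elif not any(s["proto"] == a["proto"] and s["g_port"] == a["port"] and s["out_if"] == iface
                     for s in statics):
            findings.append(f"access-list {a['name']} permits {a['proto']}/{a['port']} to {a['host']} "
                            f"but no static translates that port (stale or missing rule)")
    if not logging_on:
        findings.append("logging is off: 'show log' will stay empty until 'logging on' "
                        "and a buffered/history level are configured")
    return findings


if __name__ == "__main__":
    for f in check_pix_config(SAMPLE_CONFIG):
        print("-", f)
```

Run against the sample it reports four findings: the literal-address static on a DHCP interface, the port 80 static with no permit, the port 5900 permit with no static, and logging being off. Fixing the sample the way the thread suggests (static with `interface`, one permit per forwarded port, logging enabled) brings the list to empty.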
Hello,
logg histo 50 has returned a syntax error
show static gives:
static (inside, outside) tcp interface ftp 192.168.1.19 ftp netmask 255.255.255.255 0 0
sh xlate gives:
23 in use, 250 most used
PAT Global 88.166.222.78(1034) Local 192.168.1.11(1040)
PAT Global 88.166.222.78(1055) Local 192.168.1.11(1110)
PAT Global 88.166.222.78(11831) Local 192.168.1.11(1028)
PAT Global 88.166.222.78(11829) Local 192.168.1.8(1026)
PAT Global 88.166.222.78(1744) Local 192.168.1.11(1738)
PAT Global 88.166.222.78(1756) Local 192.168.1.10(1048)
PAT Global 88.166.222.78(547) Local 192.168.1.16(752)
PAT Global 88.166.222.78(546) Local 192.168.1.16(753)
PAT Global 88.166.222.78(545) Local 192.168.1.16(754)
PAT Global 88.166.222.78(544) Local 192.168.1.16(755)
PAT Global 88.166.222.78(551) Local 192.168.1.16(747)
PAT Global 88.166.222.78(550) Local 192.168.1.16(748)
PAT Global 88.166.222.78(549) Local 192.168.1.16(750)
PAT Global 88.166.222.78(548) Local 192.168.1.16(751)
PAT Global 88.166.222.78(10755) Local 192.168.1.3(5061)
PAT Global 88.166.222.78(10754) Local 192.168.1.3(5060)
PAT Global 88.166.222.78(10756) Local 192.168.1.4(5060)
PAT Global 88.166.222.78(543) Local 192.168.1.16(756)
PAT Global 88.166.222.78(542) Local 192.168.1.16(757)
PAT Global 88.166.222.78(2851) Local 192.168.1.11(2038)
PAT Global 88.166.222.78(2852) Local 192.168.1.9(1629)
PAT Global 88.166.222.78(2816) Local 192.168.1.9(1591)
PAT Global 88.166.222.78(2846) Local 192.168.1.11(2034)
sh arp gives:
outside 88.166.222.254 0007.cb48.ffdf
inside 192.168.1.11 0019.d142.ac12
inside 192.168.1.3 0018.f802.55fa
inside 192.168.1.14 0050.ba05.d36c
inside 192.168.1.8 000e.0ca1.fb07
inside 192.168.1.9 0013.72ce.78db
inside 192.168.1.16 0013.72ce.859a
inside 192.168.1.18 0013.72ce.efd4
inside 192.168.1.7 0014.222c.89e2
inside 192.168.1.10 0019.2129.b26c
inside 192.168.1.4 0001.e38f.5900
inside 192.168.1.6 0080.778e.1cb1
inside 192.168.1.5 0800.3732.bae5
inside 192.168.1.19 0013.8f81.cd42
inside 192.168.1.13 0040.f46c.f347
sh log gives:
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 0 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Thank you!
Hello,
In my previous message, I hadn't tried to connect to the FTP...
Result of firewall command: "sh xlate"
98 in use, 271 most used
PAT Global 88.166.222.78(13347) Local 192.168.1.9(3284)
PAT Global 88.166.222.78(13346) Local 192.168.1.9(3283)
PAT Global 88.166.222.78(13345) Local 192.168.1.9(3282)
PAT Global 88.166.222.78(13344) Local 192.168.1.9(3281)
PAT Global 88.166.222.78(13351) Local 192.168.1.9(3288)
PAT Global 88.166.222.78(13350) Local 192.168.1.9(3287)
PAT Global 88.166.222.78(13349) Local 192.168.1.9(3286)
PAT Global 88.166.222.78(13348) Local 192.168.1.9(3285)
PAT Global 88.166.222.78(13355) Local 192.168.1.9(3292)
PAT Global 88.166.222.78(13354) Local 192.168.1.9(3291)
PAT Global 88.166.222.78(13353) Local 192.168.1.9(3290)
PAT Global 88.166.222.78(13352) Local 192.168.1.9(3289)
PAT Global 88.166.222.78(13359) Local 192.168.1.9(3296)
PAT Global 88.166.222.78(13358) Local 192.168.1.9(3295)
PAT Global 88.166.222.78(13357) Local 192.168.1.9(3294)
PAT Global 88.166.222.78(13356) Local 192.168.1.9(3293)
PAT Global 88.166.222.78(13363) Local 192.168.1.9(3300)
PAT Global 88.166.222.78(13362) Local 192.168.1.9(3299)
PAT Global 88.166.222.78(13361) Local 192.168.1.9(3298)
PAT Global 88.166.222.78(13360) Local 192.168.1.9(3297)
PAT Global 88.166.222.78(13367) Local 192.168.1.9(3304)
PAT Global 88.166.222.78(13366) Local 192.168.1.9(3303)
PAT Global 88.166.222.78(13365) Local 192.168.1.9(3302)
PAT Global 88.166.222.78(13364) Local 192.168.1.9(3301)
PAT Global 88.166.222.78(13371) Local 192.168.1.9(3308)
PAT Global 88.166.222.78(13370) Local 192.168.1.9(3307)
PAT Global 88.166.222.78(13369) Local 192.168.1.9(3306)
PAT Global 88.166.222.78(13368) Local 192.168.1.9(3305)
PAT Global 88.166.222.78(13375) Local 192.168.1.9(3312)
PAT Global 88.166.222.78(13374) Local 192.168.1.9(3311)
PAT Global 88.166.222.78(13373) Local 192.168.1.9(3310)
PAT Global 88.166.222.78(13372) Local 192.168.1.9(3309)
PAT Global 88.166.222.78(1034) Local 192.168.1.11(1040)
PAT Global 88.166.222.78(13343) Local 192.168.1.9(3280)
PAT Global 88.166.222.78(13342) Local 192.168.1.9(3279)
PAT Global 88.166.222.78(1055) Local 192.168.1.11(1110)
PAT Global 88.166.222.78(13341) Local 192.168.1.9(3278)
PAT Global 88.166.222.78(13411) Local 192.168.1.9(3348)
PAT Global 88.166.222.78(13410) Local 192.168.1.9(3347)
PAT Global 88.166.222.78(13409) Local 192.168.1.9(3346)
PAT Global 88.166.222.78(13408) Local 192.168.1.9(3345)
PAT Global 88.166.222.78(13413) Local 192.168.1.11(4320)
PAT Global 88.166.222.78(13412) Local 192.168.1.11(4318)
PAT Global 88.166.222.78(13379) Local 192.168.1.9(3316)
PAT Global 88.166.222.78(13378) Local 192.168.1.9(3315)
PAT Global 88.166.222.78(13377) Local 192.168.1.9(3314)
PAT Global 88.166.222.78(13376) Local 192.168.1.9(3313)
PAT Global 88.166.222.78(13383) Local 192.168.1.9(3320)
PAT Global 88.166.222.78(13382) Local 192.168.1.9(3319)
PAT Global 88.166.222.78(13381) Local 192.168.1.9(3318)
PAT Global 88.166.222.78(13380) Local 192.168.1.9(3317)
PAT Global 88.166.222.78(13387) Local 192.168.1.9(3324)
PAT Global 88.166.222.78(13386) Local 192.168.1.9(3323)
PAT Global 88.166.222.78(13385) Local 192.168.1.9(3322)
PAT Global 88.166.222.78(13384) Local 192.168.1.9(3321)
PAT Global 88.166.222.78(13391) Local 192.168.1.9(3328)
PAT Global 88.166.222.78(13390) Local 192.168.1.9(3327)
PAT Global 88.166.222.78(13389) Local 192.168.1.9(3326)
PAT Global 88.166.222.78(13388) Local 192.168.1.9(3325)
PAT Global 88.166.222.78(13395) Local 192.168.1.9(3332)
PAT Global 88.166.222.78(13394) Local 192.168.1.9(3331)
PAT Global 88.166.222.78(13393) Local 192.168.1.9(3330)
PAT Global 88.166.222.78(13392) Local 192.168.1.9(3329)
PAT Global 88.166.222.78(13399) Local 192.168.1.9(3336)
PAT Global 88.166.222.78(13398) Local 192.168.1.9(3335)
PAT Global 88.166.222.78(13397) Local 192.168.1.9(3334)
PAT Global 88.166.222.78(13396) Local 192.168.1.9(3333)
PAT Global 88.166.222.78(13403) Local 192.168.1.9(3340)
PAT Global 88.166.222.78(13402) Local 192.168.1.9(3339)
PAT Global 88.166.222.78(13401) Local 192.168.1.9(3338)
PAT Global 88.166.222.78(13400) Local 192.168.1.9(3337)
PAT Global 88.166.222.78(13407) Local 192.168.1.9(3344)
PAT Global 88.166.222.78(13406) Local 192.168.1.9(3343)
PAT Global 88.166.222.78(13405) Local 192.168.1.9(3342)
PAT Global 88.166.222.78(13404) Local 192.168.1.9(3341)
PAT Global 88.166.222.78(1756) Local 192.168.1.10(1048)
PAT Global 88.166.222.78(12452) Local 192.168.1.9(1145)
PAT Global 88.166.222.78(10755) Local 192.168.1.3(5061)
PAT Global 88.166.222.78(10754) Local 192.168.1.3(5060)
PAT Global 88.166.222.78(10756) Local 192.168.1.4(5060)
PAT Global 88.166.222.78(13169) Local 192.168.1.9(3152)
PAT Global 88.166.222.78(13239) Local 192.168.1.11(4296)
PAT Global 88.166.222.78(13240) Local 192.168.1.11(4297)
PAT Global 88.166.222.78(13247) Local 192.168.1.11(4304)
PAT Global 88.166.222.78(13245) Local 192.168.1.11(4302)
PAT Global 88.166.222.78(13244) Local 192.168.1.11(4301)
PAT Global 88.166.222.78(13298) Local 192.168.1.9(3235)
PAT Global 88.166.222.78(13301) Local 192.168.1.9(3238)
PAT Global 88.166.222.78(13250) Local 192.168.1.11(4307)
PAT Global 88.166.222.78(13249) Local 192.168.1.11(4306)
PAT Global 88.166.222.78(13248) Local 192.168.1.11(4305)
PAT Global 88.166.222.78(13255) Local 192.168.1.11(4312)
PAT Global 88.166.222.78(13252) Local 192.168.1.11(4309)
PAT Global 88.166.222.78(13258) Local 192.168.1.9(3199)
PAT Global 88.166.222.78(13262) Local 192.168.1.9(3200)
PAT Global 88.166.222.78(13260) Local 192.168.1.11(4316)
PAT Global 88.166.222.78(13265) Local 192.168.1.9(3201)
PAT Global 88.166.222.78(13274) Local 192.168.1.9(3211)
Result of firewall command: "sh arp"
outside 88.166.222.254 0007.cb48.ffdf
inside 192.168.1.11 0019.d142.ac12
inside 192.168.1.18 0013.72ce.efd4
inside 192.168.1.10 0019.2129.b26c
inside 192.168.1.8 000e.0ca1.fb07
inside 192.168.1.3 0018.f802.55fa
inside 192.168.1.15 0013.72ce.8363
inside 192.168.1.13 0040.f46c.f347
inside 192.168.1.14 0050.ba05.d36c
inside 192.168.1.9 0013.72ce.78db
inside 192.168.1.19 0013.8f81.cd42
inside 192.168.1.7 0014.222c.89e2
inside 192.168.1.6 0080.778e.1cb1
inside 192.168.1.4 0001.e38f.5900
inside 192.168.1.5 0800.3732.bae5
Result of firewall command: "sh log"
Syslog logging: disabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level notifications, 0 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
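The two `sh xlate` dumps above are long enough that the one line that matters (a translation for the FTP server itself) is hard to spot by eye. The following script is an added example, written here and not posted by any participant: it parses `show xlate` lines of the form shown above, counts translations per internal host, and reports whether a translation for a given internal address and port is present. The sample is an excerpt of the output posted in this thread; the second sample is constructed on the assumption that an installed static port translation shows up as a `PAT Global <public>(21) Local 192.168.1.19(21)` line.

```python
"""Reads 'show xlate' output from a PIX 6.3 and checks whether the static
port translation for a server is present (added example, not Cisco tooling)."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Excerpt of the 'sh xlate' output posted in this thread (not the full table).
SAMPLE_XLATE = """\
98 in use, 271 most used
PAT Global 88.166.222.78(13347) Local 192.168.1.9(3284)
PAT Global 88.166.222.78(13346) Local 192.168.1.9(3283)
PAT Global 88.166.222.78(1034) Local 192.168.1.11(1040)
PAT Global 88.166.222.78(10755) Local 192.168.1.3(5061)
PAT Global 88.166.222.78(10754) Local 192.168.1.3(5060)
PAT Global 88.166.222.78(10756) Local 192.168.1.4(5060)
PAT Global 88.166.222.78(1756) Local 192.168.1.10(1048)
"""

# Constructed: the same excerpt plus the line a static FTP translation for
# 192.168.1.19 is assumed to produce once it is installed.
SAMPLE_WITH_STATIC = SAMPLE_XLATE + "PAT Global 88.166.222.78(21) Local 192.168.1.19(21)\n"

XLATE_RE = re.compile(r"^PAT Global (\S+)\((\d+)\) Local (\S+)\((\d+)\)$")
Entry = Tuple[str, int, str, int]   # (global_ip, global_port, local_ip, local_port)


def parse_xlate(text: str) -> List[Entry]:
    """Keep only the PAT lines; the 'N in use' header and anything else is skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = XLATE_RE.match(raw.strip())
        if m:
            g_ip, g_port, l_ip, l_port = m.groups()
            entries.append((g_ip, int(g_port), l_ip, int(l_port)))
    return entries


def find_static(entries: List[Entry], local_ip: str, local_port: int) -> Optional[Tuple[str, int]]:
    """Return (global_ip, global_port) for the server's port, or None if absent."""
    for g_ip, g_port, l_ip, l_port in entries:
        if l_ip == local_ip and l_port == local_port:
            return (g_ip, g_port)
    return None


def xlates_per_host(entries: List[Entry]) -> Dict[str, int]:
    """Number of active translations per internal host (a quick view of who is busy)."""
    return dict(Counter(l_ip for _, _, l_ip, _ in entries))


def report(text: str, local_ip: str, local_port: int) -> str:
    entries = parse_xlate(text)
    hit = find_static(entries, local_ip, local_port)
    if hit is None:
        return (f"no translation for {local_ip}:{local_port} among {len(entries)} xlates; "
                "check the static, the access-list and that the test comes from outside")
    return f"{local_ip}:{local_port} is reachable as {hit[0]}:{hit[1]}"


if __name__ == "__main__":
    print(report(SAMPLE_XLATE, "192.168.1.19", 21))
    print(report(SAMPLE_WITH_STATIC, "192.168.1.19", 21))
    print(xlates_per_host(parse_xlate(SAMPLE_XLATE)))
```

On the posted excerpt the report says no translation exists for 192.168.1.19:21, which is exactly the observation made in the next reply; on the constructed sample it names the public address and port the server is reachable on.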
Hello,
In the translations, we don't see the translation "FTP," which is not normal.
Can you specify from where to where you are trying the FTP connection?
For the log, I no longer have the exact command in mind, but basically you need to enable log history (by typing logg <ENTER> the PIX will give you the syntax).
Hello,
Actually, I'm typing ftp://88.166.222.78 under Explorer from another workstation on the network. (If I type ftp://192.168.1.19 I can access the FTP server without any problem). Sorry, it might be a basic mistake but I don't know much about it....
To test the translation, it would be necessary to test from a machine "outside" your network.
For example, from my PC...
When I run the test, it seems to work (I get a login request).
If you do a sh xlate, you might see the translation for the server.
To open a port and redirect it to an internal machine, such as port 5900 for UltraVNC, here are the general steps you need to follow:
1. Access your router's interface.
2. Look for the "Port Forwarding" or "Virtual Server" section.
3. Add a new forwarding rule:
- **External port**: 5900
- **Internal IP address**: the IP address of the machine on which UltraVNC is installed.
- **Internal port**: 5900
- **Protocol**: TCP (or TCP/UDP as needed).
4. Save the changes.
5. Make sure the internal machine's firewall allows connections on port 5900.
6. Test the connection from outside.
This method may vary slightly depending on your router model.
You cannot query a local machine with a "NATted" address through a PIX (this is an anomaly for it).
To fully test, I suggest you send me (in a private message) an account that you will then close.
Now, if you want to open other ports, you enter static commands with the ports.
Example to add a Web service AND a VNC on port TCP/5900:
static (inside,outside) tcp interface 80 192.168.1.19 80
static (inside,outside) tcp interface 5900 192.168.1.19 5900
And so on for any additional service.