I have a PIX 501 that I am trying to get configured to use PAT on a single outside IP address that is DHCP assigned, but allows for inbound connections (i.e. www, ftp, dns, etc.). It is running PIX OS 6.1(1). I have it configured as follows:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 1.2.3.4 eq ftp
access-list 100 permit tcp any host 1.2.3.4 eq ftp-data
access-list 100 permit tcp any host 1.2.3.4 eq 8080
access-list 100 permit udp any host 1.2.3.4 eq domain
ip address outside dhcp setroute
ip address inside 10.1.1.2 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.2.3.4 ftp 10.1.1.1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.4 ftp-data 10.1.1.1 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.4 8080 10.1.1.1 www netmask 255.255.255.255 0 0
static (inside,outside) udp 1.2.3.4 domain 10.1.1.1 domain netmask 255.255.255.255 0 0
access-group 100 in interface outside

Here is my problem. FTP only works if the FTP client is running in PASV mode. If I disable fixup protocol ftp 21, inbound FTP clients can work without PASV, but then outbound clients don't. If I enable fixup protocol ftp 21, then outbound works fine, but inbound doesn't.

As a side question, does anyone know if an ACL/conduit for ftp-data is required? I have always been taught that it was for FTP communication to function properly, but was wondering what some of the folks on the list thought.

Anyone have any ideas?

TIA

Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
[EMAIL PROTECTED]
http://www.bmc.com

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
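A small audit script for configs like the one in the post, added here as an example; it is not part of the original message and is not Cisco code. It parses the PIX 6.x `static` port translations and the `access-list` permits, resolves the access-list bound to the outside interface via `access-group`, and reports (a) forwarded ports with no matching permit and (b) permits that point at no translation. The sample config is the poster's, embedded as a string; the port-keyword table (ftp=21, ftp-data=20, www=80, domain=53) is the standard well-known port assignment and is assumed to match what the PIX resolves those keywords to.

```python
"""Cross-check PIX 6.x static port forwards against the outside ACL.

Parses `static (in,out) PROTO GIP GPORT LIP LPORT ...`,
`access-list NAME permit PROTO any host DST eq PORT` and
`access-group NAME in interface IFACE`, then reports mismatches.
"""
import re

# Well-known ports behind the PIX service keywords used in the post (assumed mapping).
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "http": 80, "domain": 53}

STATIC_RE = re.compile(
    r"^static \((?P<ifaces>[^)]+)\) (?P<proto>tcp|udp) (?P<gip>\S+) (?P<gport>\S+) "
    r"(?P<lip>\S+) (?P<lport>\S+)"
)
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit (?P<proto>tcp|udp) any host (?P<dst>\S+) eq (?P<port>\S+)"
)
AG_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)")

# Constructed sample: the configuration from the post, one statement per line.
SAMPLE_CONFIG = """
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host 1.2.3.4 eq ftp
access-list 100 permit tcp any host 1.2.3.4 eq ftp-data
access-list 100 permit tcp any host 1.2.3.4 eq 8080
access-list 100 permit udp any host 1.2.3.4 eq domain
ip address outside dhcp setroute
ip address inside 10.1.1.2 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.2.3.4 ftp 10.1.1.1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.4 ftp-data 10.1.1.1 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.4 8080 10.1.1.1 www netmask 255.255.255.255 0 0
static (inside,outside) udp 1.2.3.4 domain 10.1.1.1 domain netmask 255.255.255.255 0 0
access-group 100 in interface outside
"""


def port_num(token):
    """Resolve a PIX port keyword or a numeric string to an integer port."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse(config_text):
    """Return (statics, permits, access_groups) extracted from the config text."""
    statics, permits, groups = [], [], {}
    for raw in config_text.strip().splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append({"proto": m["proto"], "gip": m["gip"], "gport": port_num(m["gport"]),
                            "lip": m["lip"], "lport": port_num(m["lport"])})
        elif m := ACL_RE.match(line):
            permits.append({"name": m["name"], "proto": m["proto"], "dst": m["dst"],
                            "port": port_num(m["port"])})
        elif m := AG_RE.match(line):
            groups[m["iface"]] = m["name"]  # interface -> ACL name applied inbound
    return statics, permits, groups


def audit(config_text, outside_iface="outside"):
    """Compare inbound static forwards with the permits in the outside ACL."""
    statics, permits, groups = parse(config_text)
    acl = groups.get(outside_iface)
    allowed = {(p["proto"], p["dst"], p["port"]) for p in permits if p["name"] == acl}
    forwarded = {(s["proto"], s["gip"], s["gport"]) for s in statics}
    return {
        "unpermitted_statics": sorted(forwarded - allowed),   # forwarded but ACL blocks it
        "permits_without_static": sorted(allowed - forwarded),  # ACL opens a port nothing serves
    }


if __name__ == "__main__":
    for key, rows in audit(SAMPLE_CONFIG).items():
        print(key, rows or "none")
```

On the poster's config both lists come back empty: every `static` has a permit and every permit has a `static`. Deleting the `udp ... eq domain` permit makes the script flag `("udp", "1.2.3.4", 53)`, which is the kind of drift this check is meant to catch when someone edits one half of a forward and forgets the other.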
