Cisco PIX 501

By Mart H ·
Being a newbie to the PIX 501, I am trying to implement a rule set that allows access to FTP and denies all other protocols.

I have configured NAT and a global pool for internal and external hosts, and set the relevant rules:
- allow inside, outside for ftp

and then established a clean-up rule:
- deny ip any

The result of this blocks all traffic, including FTP.

I assume that the PIX processes rules in order, then branches when it hits an accept rule, avoiding the clean-up rule... am I right or wrong?

Can anyone suggest 'the correct' rule config to fix the problem, or at least offer an explanation of why the simple ruleset may not work?


by -Q-240248 In reply to Cisco PIX 501

Which direction will the FTP access be needed?

If it's internal (I am assuming here) then you need to create a CONDUIT or an ACL for that traffic to get in, AND you'll need to create a static NAT mapping for the FTP server.

If you need to discuss this further, please post on my site:


by cw In reply to Cisco PIX 501

I assume you are using access lists. The PIX does not process access lists the same way as a Cisco router. Your "deny ip any" statement is erroneous, since the PIX blocks by default anything not specifically permitted. Take it out, and configure your access list like this:

access-list 101 permit tcp any host xxxx eq ftp

(where xxxx is the registered address of your FTP server that is specified in your static NAT mappings; the server address is the destination of the inbound FTP connection, so it goes after "host", and "any" is the source)

That is the right way.

Hope this helps

Chris Weber CCDP


by cw In reply to

And be sure to apply your access-list to the outside interface.

access-group 101 in interface outside

Chris Weber CCDP
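Pulling the two replies above together, here is an added configuration example (not posted in the thread) showing the static mapping, the access list and the access-group on a PIX 6.x. The addresses are assumed for illustration: the FTP server is 192.168.1.10 on the inside and is published on the registered address 203.0.113.10. PIX access lists are evaluated top-down, first match wins, and anything that matches no entry is dropped by the implicit deny, so no explicit "deny ip any" line is needed.

```cisco
! Added example, not from the thread. Addresses are assumed placeholders.
! Publish the inside FTP server on a registered (outside) address.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255 0 0

! Permit only FTP control connections (tcp/21) from any outside host
! to the published address. Source comes first, destination second.
access-list 101 permit tcp any host 203.0.113.10 eq ftp
! Everything not matched above is dropped by the implicit deny at the end
! of the list, so no "deny ip any any" entry is required.

! Bind the list to traffic entering the outside interface.
access-group 101 in interface outside

! Keep FTP inspection on so the data connections (active and passive)
! opened by the control session are tracked and allowed through.
fixup protocol ftp 21
```

Use "show access-list 101" after a test connection to confirm the permit entry's hit count increments; if it stays at zero, the traffic is not reaching the access list (check the static mapping first).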


by Mart H In reply to

Very helpful, solved the problem.


by Mart H In reply to Cisco PIX 501

This question was closed by the author
