GNS3
http://forum.gns3.net/

PIX 803 - FTP and VNC servers (static PAT)
http://forum.gns3.net/topic5195.html

Author:  mario62223 [ Wed Aug 01, 2012 9:03 pm ]
Post subject:  PIX 803 - FTP and VNC servers (static PAT)

I would like to share my topology for PIX/ASA 803 and describe the configuration for static PAT.
On the left, Xp2 is my FileZilla FTP server (TCP 21) and VNC server (TCP 5900).
Xp2 is a VirtualBox host (Windows XP).
Network 192.168.0.128/25 is NATed on the ASA to go out to the internet with the outside interface IP address (dynamic PAT).

On the right, on the internet, Xp1 (dynamic IP 192.168.0.129) is my FileZilla FTP client and VNC client.
Xp1 is a VirtualBox host (Windows XP).
From this computer, I can reach the FTP service at this address: 76.10.10.1 port 21.
I can also reach the VNC service at this address: 76.10.10.1 port 5999.

The configuration on the ISP router is very basic:

Code:
interface FastEthernet0/0
ip address 76.10.10.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 76.10.10.5 255.255.255.252
duplex auto
speed auto


Attachment: screenshot_asa.png


When Xp1 is connected to Xp2 with FTP and VNC, I see these connections:

Attachment: Capture_client_XP1.PNG


Code:
pixfirewall# sh conn
6 in use, 8 most used
TCP out 76.10.10.6:1047 in 192.168.0.129:1034 idle 0:03:05 bytes 934260 flags UIB
TCP out 76.10.10.6:1046 in 192.168.0.129:21 idle 0:03:05 bytes 442 flags UIOB
TCP out 76.10.10.6:1045 in 192.168.0.129:21 idle 0:03:06 bytes 363 flags UIOB
TCP out 76.10.10.6:1040 in 192.168.0.129:5900 idle 0:03:05 bytes 250072 flags UIOB


and these translations:
Code:
pixfirewall# sh xlate
3 in use, 4 most used
PAT Global 76.10.10.1(21) Local 192.168.0.129(21)        <=== this is the FTP control channel
PAT Global 76.10.10.1(5999) Local 192.168.0.129(5900)   <=== here, I can see the local VNC port 5900 on my server and the global VNC port 5999 from outside
PAT Global 76.10.10.1(1032) Local 192.168.0.129(1034)   <=== this FTP data channel port is allowed by ftp inspection


Don't forget to inspect FTP on the ASA; without it, the ASA cannot inspect the control channel (TCP 21) to know which ports to open for the data channel.

Code:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp


Attachments: Pix1.txt, R2.txt, R1.txt
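A small script to turn the three pieces of CLI output shown above (show xlate, show conn, and the global policy-map) into an inventory of what the firewall is actually exposing, with a finding when the FTP control port is translated but "inspect ftp" is missing. This is an added example and not code from the post or from Cisco; the sample text is copied from the post, while SERVED_PORTS and the finding rule are my own assumptions about what the inside host is meant to offer.

```python
"""Inventory of services exposed through static PAT on a PIX/ASA, built from
'show xlate', 'show conn' and the global policy-map text.
Added example, not code from the forum post. The sample CLI output is copied
from the post; SERVED_PORTS and the finding rules are my own assumptions."""
import re
from collections import Counter, namedtuple

# Assumption: the only services the inside host is meant to offer. Any other
# translated local port is treated as dynamic (e.g. an FTP data channel
# opened by ftp inspection).
SERVED_PORTS = {21: "ftp-control", 5900: "vnc"}

# Sample output copied from the post.
SAMPLE_XLATE = """\
pixfirewall# sh xlate
3 in use, 4 most used
PAT Global 76.10.10.1(21) Local 192.168.0.129(21)
PAT Global 76.10.10.1(5999) Local 192.168.0.129(5900)
PAT Global 76.10.10.1(1032) Local 192.168.0.129(1034)
"""
SAMPLE_CONN = """\
pixfirewall# sh conn
6 in use, 8 most used
TCP out 76.10.10.6:1047 in 192.168.0.129:1034 idle 0:03:05 bytes 934260 flags UIB
TCP out 76.10.10.6:1046 in 192.168.0.129:21 idle 0:03:05 bytes 442 flags UIOB
TCP out 76.10.10.6:1045 in 192.168.0.129:21 idle 0:03:06 bytes 363 flags UIOB
TCP out 76.10.10.6:1040 in 192.168.0.129:5900 idle 0:03:05 bytes 250072 flags UIOB
"""
POLICY_MAP = """\
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp
"""

Xlate = namedtuple("Xlate", "global_ip global_port local_ip local_port")
Conn = namedtuple("Conn", "proto outside inside nbytes flags")

XLATE_RE = re.compile(r"^PAT Global ([\d.]+)\((\d+)\) Local ([\d.]+)\((\d+)\)")
CONN_RE = re.compile(r"^(TCP|UDP) out ([\d.]+):(\d+) in ([\d.]+):(\d+)"
                     r" idle \S+ bytes (\d+) flags (\S+)")


def parse_xlate(text):
    """Every PAT translation in 'show xlate' output; header lines are skipped."""
    out = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            gip, gport, lip, lport = m.groups()
            out.append(Xlate(gip, int(gport), lip, int(lport)))
    return out


def parse_conn(text):
    """Every TCP/UDP entry in 'show conn' output, with (ip, port) endpoint tuples."""
    out = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            proto, oip, oport, iip, iport, nbytes, flags = m.groups()
            out.append(Conn(proto, (oip, int(oport)), (iip, int(iport)), int(nbytes), flags))
    return out


def ftp_inspected(policy_map):
    """True when the global policy-map carries an 'inspect ftp' line."""
    return any(line.strip() == "inspect ftp" for line in policy_map.splitlines())


def exposed_services(xlates, conns, policy_map):
    """One record per translation: the service it exposes, how many live
    connections ride on it, and a finding when FTP is exposed uninspected."""
    live = Counter(c.inside for c in conns)
    has_ftp_inspect = ftp_inspected(policy_map)
    report = []
    for x in xlates:
        finding = ""
        if x.local_port == 21 and not has_ftp_inspect:
            finding = "FTP exposed without 'inspect ftp': data channel will not be opened"
        report.append({
            "exposed": f"{x.global_ip}:{x.global_port}",
            "inside": f"{x.local_ip}:{x.local_port}",
            "service": SERVED_PORTS.get(x.local_port, "dynamic (not a served port)"),
            "live_connections": live[(x.local_ip, x.local_port)],
            "finding": finding,
        })
    return report


def review(xlate_text=SAMPLE_XLATE, conn_text=SAMPLE_CONN, policy_map=POLICY_MAP):
    """Parse all three texts and build the report."""
    return exposed_services(parse_xlate(xlate_text), parse_conn(conn_text), policy_map)


if __name__ == "__main__":
    for row in review():
        print(f"{row['exposed']:<18} -> {row['inside']:<20} {row['service']:<28} "
              f"live={row['live_connections']} {row['finding']}")
```

Run it against the post's output and the three rows come back as the FTP control channel (two live connections), the VNC mapping 5999 to 5900 (one live connection) and the dynamic 1032 to 1034 entry that only exists because ftp inspection opened it; feeding it a policy-map without "inspect ftp" marks the port-21 row with a finding, which is the failure the post warns about.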
