 Post subject: PIX 803 - FTP and VNC servers (static PAT)
PostPosted: Wed Aug 01, 2012 9:03 pm 
I would like to share my topology with PIX ASA 803 and describe the static PAT configuration.
On the left, Xp2 is my FileZilla FTP server (TCP 21) and VNC server (TCP 5900).
Xp2 is a VirtualBox host (Windows XP).
Network 192.168.0.128/25 is NATted on the ASA to go out to the internet with the outside interface IP address (dynamic PAT).

On the right, on the internet, Xp1 (dynamic IP 192.168.0.129) is my FileZilla FTP client and VNC client.
Xp1 is a VirtualBox host (Windows XP).
From this computer, I can reach the FTP service at this address: 76.10.10.1 port 21
I can also reach the VNC service at this address: 76.10.10.1 port 5999

The configuration on the ISP router is very basic:

Code:
interface FastEthernet0/0
ip address 76.10.10.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 76.10.10.5 255.255.255.252
duplex auto
speed auto


Attachment: screenshot_asa.png (ASA topology screenshot)


When Xp1 is connected to Xp2 with FTP and VNC, I see these connections:

Attachment: Capture_client_XP1.PNG (FTP and VNC client sessions on Xp1)


Code:
pixfirewall# sh conn
6 in use, 8 most used
TCP out 76.10.10.6:1047 in 192.168.0.129:1034 idle 0:03:05 bytes 934260 flags UIB
TCP out 76.10.10.6:1046 in 192.168.0.129:21 idle 0:03:05 bytes 442 flags UIOB
TCP out 76.10.10.6:1045 in 192.168.0.129:21 idle 0:03:06 bytes 363 flags UIOB
TCP out 76.10.10.6:1040 in 192.168.0.129:5900 idle 0:03:05 bytes 250072 flags UIOB


and these translations:
Code:
pixfirewall# sh xlate
3 in use, 4 most used
PAT Global 76.10.10.1(21) Local 192.168.0.129(21)        <=== this is the FTP control channel
PAT Global 76.10.10.1(5999) Local 192.168.0.129(5900)   <=== here, I can see the local VNC port 5900 on my server and the global VNC port 5999 from outside
PAT Global 76.10.10.1(1032) Local 192.168.0.129(1034)   <=== this FTP data channel port is allowed by ftp inspection


Don't forget to inspect FTP on the ASA; without it, the ASA cannot inspect the control channel (TCP 21) to know which ports to open for the data channel.

Code:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect ftp




Attachments: Pix1.txt, R2.txt, R1.txt (device configurations)

_________________
Mario
Network Admin

CCNA certified.
Cisco SNAF courses studied (Securing Networks With ASA Foundation)
Cisco CCNP route courses in April 2012.
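The static PAT and dynamic PAT commands the post describes, written out in pre-8.3 ASA syntax as an added example (not the author's Pix1.txt attachment). It assumes the outside interface holds 76.10.10.1, the inside interface name is "inside", and the access-list name OUTSIDE_IN is arbitrary.

```cisco
! Dynamic PAT: the 192.168.0.128/25 network leaves through the outside interface address
nat (inside) 1 192.168.0.128 255.255.255.128
global (outside) 1 interface
!
! Static PAT: outside interface port 21 -> Xp2 port 21 (FTP control channel)
static (inside,outside) tcp interface 21 192.168.0.129 21 netmask 255.255.255.255
! Static PAT: outside interface port 5999 -> Xp2 port 5900 (VNC)
static (inside,outside) tcp interface 5999 192.168.0.129 5900 netmask 255.255.255.255
!
! Pre-8.3: the inbound ACL matches the mapped (global) address, hence "interface outside"
access-list OUTSIDE_IN extended permit tcp any interface outside eq 21
! In production, replace "any" with the management hosts that really need VNC
access-list OUTSIDE_IN extended permit tcp any interface outside eq 5999
access-group OUTSIDE_IN in interface outside
!
! FTP inspection reads the PORT/PASV exchange on TCP 21 and opens the data
! channel pinhole and xlate on demand (the 1032 <-> 1034 entry in "sh xlate")
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
```

No ACL entry is needed for the FTP data channel; "sh xlate" and "sh conn" after a transfer confirm whether inspection created it.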