Dirty DMZ

Unanswered Question
Nov 20th, 2007

Hi,

We would like to install a secure FTP server (Filezilla) with a public IP on the "DMZ". The above will be connected to a switch on the Ethernet interface of a Cisco 2621 perimeter router. The FTP server has a management console that is suggested to not be installed on the FTP server. How and where is an appropriate place to install the management program? Would connecting a Cisco 1721 router in between the FTP server and perimeter router work?

Any suggestions will be much appreciated.

JORGE RODRIGUEZ Tue, 11/20/2007 - 16:18

I would guess the management interface, if it is Ethernet, should be placed in the inside network perimeter, as the main connection of the FTP server will reside in the DMZ, NATted with a public IP. I'm not quite sure if I understand what "appropriate place to install management program" means, but if the management console is for management purposes it would be placed inside.

HTH

Jorge

saidfrh Tue, 11/20/2007 - 17:05

Jorge,

To change the management function from the FTP server to another computer we navigate in the Filezilla server options > Admin Interface Settings. The Admin Interface Settings allow:

1. "Bind the admin interface to the following IP addresses:"

and

2. "IP addresses which are allowed to connect to the admin interface:"

How is it possible to direct the admin/management computer to the FTP server? How is NATting done in this instance?

See attachment. Thanks.

JORGE RODRIGUEZ Tue, 11/20/2007 - 17:46

It is feasible to split up your inside interface into two logical interfaces and use an 802.1q trunk to the internal switch. One logical interface will be for the inside network and the other could be a real DMZ; pass the two VLANs, inside and DMZ, to the inside switch, have the FTP server in the DMZ (not outside) and be able to static NAT it with a public IP, in addition to still having access from the inside management console station to the DMZ FTP server. The problem may be how much traffic there would be on the FTP server DMZ and inside, since you are splitting the inside interface and each network will not have 100 megs of fully dedicated bandwidth. Performance may be degraded depending on inbound/outbound traffic.

Let's rethink another or better way for the requirements. What version of code in the PIX are you running? What model, a 506E?

[edit] Why not have the FTP server in the inside network and use static NAT? The FW will still control inbound access through an ACL.

Jorge
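The design Jorge describes (inside interface split into two 802.1Q subinterfaces, FTP server in a DMZ VLAN behind a static NAT, management station on the inside VLAN) written out as an IOS configuration for a 2621. This is an added example, not from the thread or from Cisco or FileZilla documentation; the addresses, VLAN IDs, interface names and the passive-mode port range are constructed for illustration and would be replaced with the site's own values.

```cisco
! Added example (not from the thread). Cisco 2621, IOS with NAT.
! All addresses, VLAN IDs and port ranges below are constructed.
!
! Fa0/0 = Internet side, Fa0/1 = 802.1Q trunk to the internal switch.
! VLAN 10 = inside LAN, admin workstation 192.168.10.50
! VLAN 20 = DMZ, FTP server 192.168.20.5, published as 203.0.113.5
!
interface FastEthernet0/0
 description Internet
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description 802.1Q trunk to internal switch
 no ip address
!
interface FastEthernet0/1.10
 description Inside LAN (management station lives here)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.20
 description DMZ (FTP server lives here)
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip access-group DMZ-IN in
!
! Inside users reach the Internet through PAT on the outside address.
ip access-list standard INSIDE-NAT
 permit 192.168.10.0 0.0.0.255
ip nat inside source list INSIDE-NAT interface FastEthernet0/0 overload
!
! One-to-one static NAT: the FTP server keeps a private address but is
! reachable from the Internet on the public 203.0.113.5. Inside hosts
! reach it directly on 192.168.20.5; no NAT happens between VLAN 10 and
! VLAN 20, so the admin console simply connects to 192.168.20.5.
ip nat inside source static 192.168.20.5 203.0.113.5
!
! The inbound ACL on the outside interface is checked before the
! outside-to-inside translation, so it matches the PUBLIC address.
! Only the FTP control port and the passive-mode data range configured
! in FileZilla Server are opened; everything else is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.5 eq ftp
 permit tcp any host 203.0.113.5 range 50000 50100
 permit tcp any any established
 deny ip any any log
!
! ACL on traffic entering the router from the DMZ: the FTP server may
! answer sessions that were opened to it, and may open active-mode data
! connections to Internet clients, but it may not start new connections
! into the inside LAN. A compromised server therefore cannot reach the
! management station; only the reverse direction is allowed.
ip access-list extended DMZ-IN
 permit tcp host 192.168.20.5 192.168.10.0 0.0.0.255 established
 deny ip host 192.168.20.5 192.168.10.0 0.0.0.255 log
 permit tcp host 192.168.20.5 eq ftp-data any
 permit tcp host 192.168.20.5 any established
 deny ip any any log
```

With this layout the two FileZilla Server settings from the earlier post map directly onto the addressing: "Bind the admin interface to the following IP addresses" gets the server's DMZ address 192.168.20.5 only (not the public side), and "IP addresses which are allowed to connect to the admin interface" gets the management station 192.168.10.50. The admin port (FileZilla Server's default is 14147) is then reachable only from VLAN 10 and never appears in OUTSIDE-IN. The explicit passive-mode range matters when the server is run with FTP over TLS, since an encrypted control channel prevents the router's FTP inspection from learning the data ports on its own. The ACL on the outside interface is written against the public address because IOS evaluates that inbound ACL before it translates 203.0.113.5 back to 192.168.20.5; writing it against the private address there would silently match nothing.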
