DMZ Config

rmwhite59
Level 1

I need a sample DMZ config for a 515. I am placing a FTP server in my dmz running SFTP

10 Replies

JORGE RODRIGUEZ
Level 10

Hi Elliot, were you aware that sftp is not supported in pix? Refer to this Q&A document for sftp support through the firewall; you may also want to do a forum search or google firewalls in general and sftp support to see how others have done it, as I have seen many threads on this.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

HTH

Jorge

Jorge Rodriguez

Jorge,

Is sftp not supported in all Cisco security appliances, i.e. ASA?

Thanks.

Raymond

Hi Raymond, sorry for calling you Elliot! On your question on ASA, it is not about that; I think it is about the mechanism of sftp/ftps and ftp and how the firewall handles ports and inspection, and this seems to be the common denominator on sftp. Doing some brief reading, there seem to be two ways for ftp data security: sftp and ftp over ssh. You may be able to get ftp over ssh implemented on pix, but the only way to find out is by implementing it to see if it does work. You may need to look into an ftp client that supports secure ftp, like GlobalScape; here is a link: http://www.cuteftp.com/cuteftppro

Forms of secure ftp:

http://www.process.com/tcpip/sft.pdf

You could start with something like this; say we have the following:

Local FTP server in DMZ: 172.16.1.1

Public NAT for FTP server 10.20.20.20

static (dmz,outside) 10.20.20.20 172.16.1.1 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 10.20.20.20 eq 21

access-list outside_access_in permit tcp any host 10.20.20.20 eq 20

access-list outside_access_in permit tcp any host 10.20.20.20 eq 22

access-group outside_access_in in interface outside

Let me know how this works if suitable, and if you decide to implement it you may want to turn on fw syslog or set up syslog to see the traffic in the event it fails.

HTH

Jorge

Pls rate any helpful post if it helps!

Jorge Rodriguez

Jorge,

I have attached my config. The public IP for the ftp server is xx.xxx.xxx.51. Here is what I added, which did not work. It also shut down traffic to the inside network from the outside.

static (dmz,outside) 66.xxx.xxx.51 172.16.1.10 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 172.16.1.10 eq 21

access-list outside_access_in permit tcp any host 172.16.1.10 eq 20

access-list outside_access_in permit tcp any host 172.16.1.10 eq 22

access-group outside_access_in in interface outside

Any help would be appreciated.

Before looking at the config, what type of FTP server are you using, e.g. Microsoft IIS or a 3rd party ftp server? If 3rd party, what type?

Jorge Rodriguez

WS-FTP

They access it using this application, which is web based. WS-FTP is running on the server.

http://www.jscape.com/sftpapplet/

You are using the outside interface IP as opposed to a spare public IP. I thought you had a spare public IP; did you add it to your current incoming acl, as well as the static nat as below? To be on the same page, this is for ftp over SSH, which Jscape supports based on the docs. As long as you allow passive mode on ftp this should work.

static (dmz,outside) tcp interface 20 172.16.1.X 20 netmask 255.255.255.255

static (dmz,outside) tcp interface 21 172.16.1.X 21 netmask 255.255.255.255

static (dmz,outside) tcp interface 22 172.16.1.X 22 netmask 255.255.255.255

where X is your ftp server in DMZ subnet.

access-list incoming permit tcp any host xx.xxx.xxx.53 eq 20

access-list incoming permit tcp any host xx.xxx.xxx.53 eq 21

access-list incoming permit tcp any host xx.xxx.xxx.53 eq 22

access-group incoming in interface outside

Jorge Rodriguez

Outside interface IP is xx.xxx.xxx.53

Spare public IP is xx.xxx.xxx.51

xx.xxx.xxx.51 is the public address used for the ftp server in the dmz

Thanks,

Raymond

OK, then your above static is correct, but add the additional three lines to the "incoming" acl:

static (dmz,outside) 66.xxx.xxx.51 172.16.1.10 netmask 255.255.255.255

access-list incoming permit tcp any host xx.xxx.xxx.51 eq 20

access-list incoming permit tcp any host xx.xxx.xxx.51 eq 21

access-list incoming permit tcp any host xx.xxx.xxx.51 eq 22

access-group incoming in interface outside

Also make sure the ftp server in dmz is indeed listening on those ports, by testing from an outside source with a telnet test as in the example below.

e.g.

c:\telnet 66.xxx.xxx.51 20 ... and do the same for 21 and 22. If you get a black screen on each telnet test it means you are hitting the server in dmz on each of those ports; then test ftps.

Jorge Rodriguez
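As an added check, not from this thread or from Cisco: a small Python lint for the mismatch the thread works through, an outside ACL naming the DMZ real address (172.16.1.10) where the static's mapped public address belongs. It encodes the PIX 6.x / ASA pre-8.3 rule that outside ACLs reference translated addresses (ASA 8.3+ reverses this); the config fragments and the 203.0.113.x addresses are constructed, and the outside interface address is passed in so `interface` statics resolve.

```python
import re

# Constructed PIX 6.x-style fragments (203.0.113.0/24 is a documentation range). BROKEN mirrors
# the poster's attempt, naming the DMZ real address in the outside ACL; FIXED mirrors the reply.
BROKEN = """
static (dmz,outside) 203.0.113.51 172.16.1.10 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 172.16.1.10 eq 21
access-list outside_access_in permit tcp any host 172.16.1.10 eq 20
access-list outside_access_in permit tcp any host 172.16.1.10 eq 22
"""
FIXED = """
static (dmz,outside) 203.0.113.51 172.16.1.10 netmask 255.255.255.255
access-list incoming permit tcp any host 203.0.113.51 eq 20
access-list incoming permit tcp any host 203.0.113.51 eq 21
access-list incoming permit tcp any host 203.0.113.51 eq 22
"""

STATIC_RE = re.compile(r"^static\s*\((\w+),(\w+)\)\s+(.+)$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+tcp\s+any\s+host\s+(\S+)\s+eq\s+(\S+)")

def parse_statics(config, outside_ip):
    """Map DMZ real address -> public mapped address from static (x,outside) lines."""
    real_to_mapped = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m or m.group(2) != "outside":
            continue
        rest = m.group(3).split()
        if rest[0] == "tcp":   # static (a,b) tcp MAPPED MPORT REAL RPORT netmask ...
            mapped, real = rest[1], rest[3]
        else:                  # static (a,b) MAPPED REAL netmask ...
            mapped, real = rest[0], rest[1]
        real_to_mapped[real] = outside_ip if mapped == "interface" else mapped
    return real_to_mapped

def lint_outside_acl(config, outside_ip):
    """One finding per outside ACL entry whose host is a real (DMZ) or untranslated address."""
    real_to_mapped = parse_statics(config, outside_ip)
    mapped = set(real_to_mapped.values())
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl, host, port = m.groups()
        if host in real_to_mapped:
            findings.append(f"{acl} eq {port}: {host} is the DMZ real address; use {real_to_mapped[host]}")
        elif host not in mapped:
            findings.append(f"{acl} eq {port}: {host} has no static translation")
    return findings
```

Running `lint_outside_acl(BROKEN, "203.0.113.53")` reports all three ACL entries; the FIXED fragment returns no findings.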