12-08-2007 12:03 PM - edited 03-11-2019 04:41 AM
I need a sample DMZ config for a 515. I am placing an FTP server in my DMZ running SFTP.
12-08-2007 01:33 PM
Hi Elliot, were you aware that SFTP is not supported on the PIX? Refer to this Q&A document on SFTP support through the firewall. You may also want to do a forum search or Google for firewalls in general and SFTP support to see how others have done it, as I have seen many threads on this.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml
HTH
Jorge
12-08-2007 03:06 PM
Jorge,
Is SFTP not supported in all Cisco security appliances, i.e. ASA?
Thanks.
Raymond
12-09-2007 09:10 AM
Hi Raymond, sorry for calling you Elliot! On your question on the ASA, it is not about that; I think it is about the mechanism of SFTP/FTPS and FTP and how the firewall handles ports and inspection, and this seems to be the common denominator on SFTP. Doing some brief reading, there seem to be two ways for FTP data security: SFTP and FTP over SSH. You may be able to get FTP over SSH implemented on the PIX, but the only way to find out is by implementing it to see if it does work. You may need to look into an FTP client that supports secure FTP, like GlobalSCAPE. Here is a link: http://www.cuteftp.com/cuteftppro
Forms of secure FTP:
http://www.process.com/tcpip/sft.pdf
You could start with something like this. Say we have the following:
Local FTP server in DMZ: 172.16.1.1
Public NAT for FTP server 10.20.20.20
static (dmz,outside) 10.20.20.20 172.16.1.1 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 10.20.20.20 eq 21
access-list outside_access_in permit tcp any host 10.20.20.20 eq 20
access-list outside_access_in permit tcp any host 10.20.20.20 eq 22
access-group outside_access_in in interface outside
Let me know how this works if suitable, and if you decide to implement it you may want to turn on firewall syslog or set up syslog to see the traffic in the event it fails.
HTH
Jorge
Please rate any helpful post if it helps!
12-09-2007 11:09 AM
Jorge,
I have attached my config. The public IP for the FTP server is xx.xxx.xxx.51. Here is what I added, which did not work. It also shut down traffic to the inside network from the outside.
static (dmz,outside) 66.xxx.xxx.51 172.16.1.10 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 172.16.1.10 eq 21
access-list outside_access_in permit tcp any host 172.16.1.10 eq 20
access-list outside_access_in permit tcp any host 172.16.1.10 eq 22
access-group outside_access_in in interface outside
Any help would be appreciated.
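The config in the post above names the DMZ-private address (172.16.1.10) in an ACL applied on the outside interface, whereas the sample earlier in the thread names the mapped public address from the static. On PIX 6.x/7.x (pre-8.3 semantics) an access-list applied inbound on the outside interface is matched against the translated (public) address, so an entry for the real DMZ address never matches. The following checker is an added example written for this thread, not Cisco code and not from any post; it parses `static`, `access-list ... permit tcp any host ... eq N` and `access-group` lines (numeric ports only, as used in the thread) and flags ACEs that name the real side of a static, or that permit a port no port-redirect static carries. All addresses are constructed placeholders.

```python
"""Audit an outside-interface ACL against the static NAT entries it relies on.

Added example for this thread; not Cisco code and not taken from any post.
Models PIX 6.x/7.x (pre-8.3) behaviour: an access-list applied 'in' on the
outside interface is matched against the mapped (public) address, so an ACE
naming the real DMZ address never matches. Addresses are constructed placeholders.
"""
import re
from collections import defaultdict

# static (real_if,mapped_if) [tcp|udp MAPPED MPORT REAL RPORT | MAPPED REAL] netmask M
# "static(" without the space is accepted because it appears that way in the thread.
STATIC_RE = re.compile(
    r"^static\s*\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<pm>\S+)\s+(?P<mport>\d+)\s+(?P<pr>\S+)\s+(?P<rport>\d+)"
    r"|(?P<m>\S+)\s+(?P<r>\S+))"
    r"\s+netmask\s+\S+"
)
# Only the numeric-port form used in the thread (eq 20/21/22) is recognised.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+tcp\s+any\s+host\s+(?P<host>\S+)\s+eq\s+(?P<port>\d+)$"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\w+)$")


def parse_config(text, outside_ip=None):
    """Return (statics, aces, groups) parsed from a fragment of PIX configuration."""
    statics, aces, groups = [], [], {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace from copy/paste
        if not line or line.startswith("!"):
            continue
        m = STATIC_RE.match(line)
        if m:
            if m.group("proto"):  # port-redirect form: static (dmz,outside) tcp interface 21 ...
                mapped, real, port = m.group("pm"), m.group("pr"), int(m.group("mport"))
            else:  # one-to-one form: static (dmz,outside) MAPPED REAL netmask ...
                mapped, real, port = m.group("m"), m.group("r"), None
            if mapped == "interface":  # 'interface' means the mapped interface's own IP
                mapped = outside_ip or "interface"
            statics.append({"real": real, "mapped": mapped, "port": port})
            continue
        m = ACE_RE.match(line)
        if m:
            aces.append({"name": m.group("name"), "host": m.group("host"), "port": int(m.group("port"))})
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group("name")] = m.group("iface")
    return statics, aces, groups


def audit(text, outside_ip=None):
    """Return a list of findings; an empty list means every ACE names a mapped address."""
    statics, aces, groups = parse_config(text, outside_ip)
    real_to_mapped = defaultdict(set)  # real DMZ address -> mapped public address(es)
    mapped_ports = defaultdict(set)    # mapped address -> translated ports (None = all)
    for s in statics:
        real_to_mapped[s["real"]].add(s["mapped"])
        mapped_ports[s["mapped"]].add(s["port"])

    findings = []
    for ace in aces:
        iface = groups.get(ace["name"])
        if iface is None:
            findings.append(f"ACL {ace['name']} is never applied with access-group")
            continue
        host, port = ace["host"], ace["port"]
        if host in real_to_mapped and host not in mapped_ports:
            mapped = ", ".join(sorted(real_to_mapped[host]))
            findings.append(f"{ace['name']} on {iface}: host {host} is the real (DMZ) side of a "
                            f"static; outside traffic is matched against the mapped address {mapped}")
        elif host in mapped_ports:
            if None not in mapped_ports[host] and port not in mapped_ports[host]:
                findings.append(f"{ace['name']} on {iface}: port {port} to {host} is permitted "
                                f"but no static translates that port")
        else:
            findings.append(f"{ace['name']} on {iface}: no static maps {host}")
    return findings


# Constructed sample: the mistake discussed above, ACEs naming the DMZ address.
BROKEN_CONFIG = """
static (dmz,outside) 203.0.113.51 172.16.1.10 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 172.16.1.10 eq 21
access-list outside_access_in permit tcp any host 172.16.1.10 eq 20
access-list outside_access_in permit tcp any host 172.16.1.10 eq 22
access-group outside_access_in in interface outside
"""
# Constructed sample: the same rules naming the mapped (public) address.
FIXED_CONFIG = BROKEN_CONFIG.replace("host 172.16.1.10", "host 203.0.113.51")
# Constructed sample: port redirection on the outside interface IP, plus a permit for
# port 20 that no static carries.
PORT_CONFIG = """
static(dmz,outside) tcp interface 21 172.16.1.10 21 netmask 255.255.255.255
static(dmz,outside) tcp interface 22 172.16.1.10 22 netmask 255.255.255.255
access-list incoming permit tcp any host 203.0.113.53 eq 21
access-list incoming permit tcp any host 203.0.113.53 eq 22
access-list incoming permit tcp any host 203.0.113.53 eq 20
access-group incoming in interface outside
"""

if __name__ == "__main__":
    for label, cfg, oip in (("broken", BROKEN_CONFIG, None), ("fixed", FIXED_CONFIG, None),
                            ("port-redirect", PORT_CONFIG, "203.0.113.53")):
        print(label, audit(cfg, oip) or "no findings")
```

Run it as-is to see the three constructed cases; `outside_ip` only matters for port-redirect statics that use the `interface` keyword, since the checker cannot otherwise know which address that keyword resolves to.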
12-09-2007 12:24 PM
Before looking at the config, what type of FTP server are you using, e.g. Microsoft IIS or a 3rd-party FTP server? If 3rd party, what type?
12-09-2007 12:25 PM
WS-FTP
12-09-2007 12:29 PM
They access it using this application that is web based. WS-FTP is running on the server.
12-09-2007 01:48 PM
You are using the outside interface IP as opposed to a spare public IP. I thought you had a spare public IP. Did you add to your current incoming ACL, as well as the static NAT, as below? To be on the same page, this is for FTP over SSH, which Jscale supports based on the docs. As long as you allow passive mode on FTP this should work.
static (dmz,outside) tcp interface 20 172.16.1.X 20 netmask 255.255.255.255
static (dmz,outside) tcp interface 21 172.16.1.X 21 netmask 255.255.255.255
static (dmz,outside) tcp interface 22 172.16.1.X 22 netmask 255.255.255.255
where X is your ftp server in DMZ subnet.
access-list incoming permit tcp any host xx.xxx.xxx.53 eq 20
access-list incoming permit tcp any host xx.xxx.xxx.53 eq 21
access-list incoming permit tcp any host xx.xxx.xxx.53 eq 22
access-group incoming in interface outside
12-09-2007 02:25 PM
Outside interface ip is xx.xxx.xxx.53
spare public ip is xx.xxx.xxx.51
xx.xxx.xxx.51 is the public address used for the ftp server in the dmz
Thanks,
Raymond
12-09-2007 03:33 PM
OK, then your above static is correct, but add the additional three lines to the "incoming" ACL:
static (dmz,outside) 66.xxx.xxx.51 172.16.1.10 netmask 255.255.255.255
access-list incoming permit tcp any host xx.xxx.xxx.51 eq 20
access-list incoming permit tcp any host xx.xxx.xxx.51 eq 21
access-list incoming permit tcp any host xx.xxx.xxx.51 eq 22
access-group incoming in interface outside
Also make sure the FTP server in the DMZ is indeed listening on those ports, by testing from an outside source with a telnet test as in the example below.
e.g.
c:\telnet 66.xxx.xxx.51 20 ... and do the same for 21 and 22. If you get a black screen on each telnet test, it means you are hitting the server in the DMZ on each of those ports. Then test FTPS.
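The telnet test above is a TCP handshake check; what it does not tell you directly is why a port fails. The script below is an added example written for this thread (not from any post) that probes the same ports and distinguishes a completed handshake (the "black screen") from a reset, which means the packet reached a host that is not listening, and from silence, which usually means a firewall or NAT rule dropped it. The host address is a constructed placeholder; port 20 is the source port of active-mode data connections rather than a listening port, so a "closed" result there is normal.

```python
"""Probe TCP ports the way the telnet test does, and report what each outcome means.

Added example for this thread, not from any post. Host and ports are placeholders.
"""
import socket


def classify_error(exc):
    """Map a connect() failure to the condition it usually indicates."""
    if isinstance(exc, ConnectionRefusedError):
        # A TCP RST came back: the firewall passed the packet, the host is reachable,
        # but nothing is listening on that port.
        return "closed: reached the host, nothing listening on that port"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # No SYN/ACK and no RST: the packet was most likely dropped by an ACL or
        # has no matching static, so it never reached the DMZ server.
        return "filtered: no reply, traffic is probably dropped by the firewall or NAT"
    return f"error: {exc!r}"


def probe(host, port, timeout=3.0):
    """Return 'open' on a completed handshake, otherwise a classified failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open: handshake completed, same as a blank telnet screen"
    except OSError as exc:  # ConnectionRefusedError and socket.timeout are both OSError
        return classify_error(exc)


def probe_ftp_ports(host, ports=(20, 21, 22), timeout=3.0):
    """Probe each port once from the outside; returns {port: result}."""
    return {p: probe(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # 203.0.113.51 is a constructed placeholder for the FTP server's public (mapped) address.
    for port, result in probe_ftp_ports("203.0.113.51").items():
        print(f"{port:>3}: {result}")
```

Run it from a host on the outside of the firewall against the mapped public address, not the DMZ address; a "filtered" result on 21 or 22 with a correct static usually points at the outside ACL, while "closed" points at the server itself.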