ASA/DMZ FTP server

Answered Question

I have a couple of questions.


First

When I am applying an access-list "in" to the DMZ interface, how does that work? What I mean is, from the outside int to the DMZ int that would be "in" right? Also, from the inside to the DMZ, that would be "in" also right? I am trying to write an access-list, but having some issues with the direction for whatever reason.


Second

I have a passive FTP situation.

Server (192.168.45.6) ---> DMZ int ---> outside int --- SFTP (control port: 10021) (Passive port: 34000 to 34050). Inspect is turned on for ftp.

Here are my outside and DMZ AL


DMZ

access-list 201 extended permit tcp any host 192.168.45.6 eq 10021

access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050

access-list 201 extended permit tcp host 192.168.45.6 any eq 10021

access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050


Outside

access-list 200 extended permit tcp any host XX.24.139.XX eq 10021

access-list 200 extended permit tcp any host XX.24.139.XX range 34000 34050


I think I can remove my lines from my outside int because the connection is starting from the DMZ int, but I'm not sure if the DMZ AL is correct. Thoughts?

Correct Answer by robertson.michael about 8 years 11 months ago

Hi Daniel,


I see that I misunderstood what you were trying to do. I was assuming that the clients would be the ones initiating the traffic--not the server.


In that case, you wouldn't need the outside ACL as the return traffic will be allowed once the original outbound connection gets built.


Also, see below for the answers to your other questions:


[Q]: If I understand you correctly, if I am sending traffic from my ftp server on my DMZ to the DMZ interface that would be in the "in" direction correct?


[A]: Yes, this is exactly right.


[Q]: So if I have my DMZ ACL "in" it's really blocking traffic coming into the interface, traversing the FW? Correct?


[A]: Yes, this is correct as well. Since there is an implicit 'deny ip any any' at the end of every ACL, applying your DMZ ACL inbound on the DMZ interface would only allow TCP/10021 and TCP/34000-34050 traffic to and from the 192.168.45.6 server. All other traffic that hits the DMZ interface would be dropped by the ASA.


[Q]: Also, if I want to restrict traffic coming into the DMZ, would I put the ACL in the "out" direction? Is that right?


[A]: Well, this would work but you will rarely see it done this way. The reason for this is that an ACL applied in the "out" direction will be one of the last things considered when deciding how to pass traffic. So, you waste processing time putting packets through all of the security checks, NAT, etc. if after all of that you just decide to drop the packet anyway. Instead, you would want to restrict traffic as it ingresses into the ASA (i.e. in the "in" direction). However, one thing to keep in mind is that the ASA will allow all traffic by default from a high security interface to a low security interface, and the ASA will deny all traffic by default from a low security interface to a high security interface. So, you won't have to restrict traffic coming into the DMZ from the outside interface, for example--this will already be denied due to the security levels. If you wanted to restrict traffic coming into the DMZ from, for example, the inside interface, then you would be better off denying it in an ACL in the "in" direction on the inside interface, rather than the "out" direction on the DMZ interface.


Does that make sense?


-Mike

Overall Rating: 5 (2 ratings)
robertson.michael Fri, 08/15/2008 - 17:40

Hi Daniel,


In response to your first question, the "in" keyword means that it will match traffic that is ingressing on an interface. So, if your packet was passing from the outside interface to the DMZ interface, the packet would come "in" on the outside interface and go "out" on the DMZ interface. In other words, "in" is when the packet hits the firewall (going in to the firewall) and "out" is when the packet is leaving the firewall. Does that make sense?


In regards to your second question, are you basically trying to allow clients on the outside interface to access the server on TCP port 10021 and 34000-34050 behind the DMZ interface? If so, your outside ACL is correct, but you'll also need a translation. Something like this would work:


static (DMZ,outside) XX.24.139.XX 192.168.45.6 netmask 255.255.255.255


Assuming the DMZ interface is a higher security level than the outside interface, you can remove the DMZ ACL all together. The ASA will allow traffic to pass from a high security level to a low security level by default (no ACLs required).


Hope that helps.


-Mike
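To make the rules Mike describes concrete (an "in" ACL is evaluated where the packet enters the ASA, an ACL ends in an implicit deny, return traffic rides on the existing connection so the outside ACL is unnecessary when the DMZ server initiates, and with no ACL the security levels decide), here is a small Python model of those decisions. It is an added example, not code from the thread or from Cisco, and it is a toy, not an ASA implementation: it parses only the ACE syntax used in the thread, assumes security levels outside=0, dmz=50, inside=100, an inside network of 10.0.0.0/8, a constructed external host 203.0.113.10 standing in for the SFTP server, and it models neither NAT nor the FTP inspection pinholes.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Only the ACE shape used in the thread: extended permit/deny, proto, any|host,
# any|host, optional "eq P" or "range LO HI" on the destination port.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)"
    r"(?: eq (?P<eq>\d+)| range (?P<lo>\d+) (?P<hi>\d+))?$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        # The return direction of this connection.
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    ports: Optional[tuple]  # inclusive destination port range, or None for any port

    def matches(self, f: Flow) -> bool:
        def addr_ok(spec, ip):
            return spec == "any" or spec == f"host {ip}"
        return (self.proto in ("ip", f.proto) and addr_ok(self.src, f.src)
                and addr_ok(self.dst, f.dst)
                and (self.ports is None or self.ports[0] <= f.dport <= self.ports[1]))


def parse_acls(text: str) -> dict:
    """Parse access-list lines into {acl_name: [Ace, ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        if m["eq"]:
            ports = (int(m["eq"]), int(m["eq"]))
        elif m["lo"]:
            ports = (int(m["lo"]), int(m["hi"]))
        else:
            ports = None
        acls.setdefault(m["name"], []).append(
            Ace(m["action"], m["proto"], m["src"], m["dst"], ports))
    return acls


class Asa:
    """Toy forwarding decision: connection table, then ingress 'in' ACL, else security levels."""

    def __init__(self, interfaces: dict, acls: dict):
        self.interfaces = interfaces  # name -> {"level": int, "net": ip_network, "acl_in": name|None}
        self.acls = acls
        self.conns = set()            # flows already permitted (first-packet direction)

    def egress_for(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        hits = [(n, i) for n, i in self.interfaces.items() if addr in i["net"]]
        return max(hits, key=lambda ni: ni[1]["net"].prefixlen)[0]  # longest prefix wins

    def forward(self, ingress: str, flow: Flow) -> tuple:
        if flow in self.conns or flow.reverse() in self.conns:
            return "permit", "existing connection (stateful return traffic)"
        egress = self.egress_for(flow.dst)
        acl_name = self.interfaces[ingress]["acl_in"]
        if acl_name is not None:
            for ace in self.acls[acl_name]:            # first match wins
                if ace.matches(flow):
                    verdict = (ace.action, f"ACL {acl_name} explicit {ace.action}")
                    break
            else:                                       # no ACE matched
                verdict = ("deny", f"ACL {acl_name} implicit deny ip any any")
        else:
            lvl_in, lvl_out = self.interfaces[ingress]["level"], self.interfaces[egress]["level"]
            if lvl_in > lvl_out:
                verdict = ("permit", f"security level {lvl_in} -> {lvl_out}, no ACL needed")
            else:
                verdict = ("deny", f"security level {lvl_in} -> {lvl_out} blocked by default")
        if verdict[0] == "permit":
            self.conns.add(flow)
        return verdict


# The DMZ ACL exactly as posted in the thread.
THREAD_ACLS = """
access-list 201 extended permit tcp any host 192.168.45.6 eq 10021
access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050
access-list 201 extended permit tcp host 192.168.45.6 any eq 10021
access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050
"""
SERVER = "192.168.45.6"
REMOTE = "203.0.113.10"  # constructed stand-in for the external SFTP host


def build_asa() -> Asa:
    interfaces = {  # security levels and the inside network are assumptions, not from the thread
        "outside": {"level": 0,   "net": ipaddress.ip_network("0.0.0.0/0"),      "acl_in": None},
        "dmz":     {"level": 50,  "net": ipaddress.ip_network("192.168.45.0/24"), "acl_in": "201"},
        "inside":  {"level": 100, "net": ipaddress.ip_network("10.0.0.0/8"),      "acl_in": None},
    }
    return Asa(interfaces, parse_acls(THREAD_ACLS))


def demo() -> dict:
    asa = build_asa()
    return {
        "control_out":         asa.forward("dmz",     Flow(SERVER, 51000, REMOTE, 10021)),
        "control_return":      asa.forward("outside", Flow(REMOTE, 10021, SERVER, 51000)),
        "data_out":            asa.forward("dmz",     Flow(SERVER, 51001, REMOTE, 34007)),
        "dmz_other":           asa.forward("dmz",     Flow(SERVER, 51002, "10.1.1.20", 445)),
        "outside_unsolicited": asa.forward("outside", Flow(REMOTE, 40000, SERVER, 22)),
        "inside_to_dmz":       asa.forward("inside",  Flow("10.1.1.20", 40001, SERVER, 22)),
    }


if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:20s} {action:6s} {why}")
```

The six flows in demo() map onto the thread: the server's outbound control and passive-data connections are permitted by ACL 201 on the DMZ interface; the reply from the outside is permitted by the connection table with no outside ACL at all; any other traffic from the DMZ server falls through to the implicit deny; an unsolicited connection from the outside is dropped by the security levels with no ACL on that interface; and inside-to-DMZ is permitted by the security levels alone.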

Mike,

Thank you for the fast response.


So if my server located on the DMZ is initiating the traffic, do I need to add any ACL lines?


If I understand you correctly, if I am sending traffic from my ftp server on my DMZ to the DMZ interface that would be in the "in" direction correct? So if I have my DMZ ACL "in" it's really blocking traffic coming into the interface, traversing the FW? Correct?


Also, if I want to restrict traffic coming into the DMZ, would I put the ACL in the "out" direction? Is that right?

Thanks for all the help.

