ASA/DMZ FTP server

dvanzee
Level 2

I have a couple of questions.

First

When I am applying an access-list "in" to the DMZ interface, how does that work? What I mean is, from the outside int to the DMZ int, that would be "in", right? Also, from the inside to the DMZ, that would be "in" also, right? I am trying to write an access-list, but having some issues with the direction for whatever reason.

Second

I have a passive FTP situation.

Server (192.168.45.6) ---> DMZ int ---> outside int --- SFTP (control port: 10021) (Passive port: 34000 to 34050). Inspect is turned on for ftp.

Here are my outside and DMZ AL

DMZ

access-list 201 extended permit tcp any host 192.168.45.6 eq 10021

access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050

access-list 201 extended permit tcp host 192.168.45.6 any eq 10021

access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050

Outside

access-list 200 extended permit tcp any host XX.24.139.XX eq 10021

access-list 200 extended permit tcp any host XX.24.139.XX range 34000 34050

I think I can remove my lines from my outside int because the connection is starting from the DMZ int, but I'm not sure if the DMZ AL is correct. Thoughts?

1 Reply

m.glosson
Level 1

Are you using ftp, sftp, or ftps? Control for ftp runs over port 21 and, in passive mode, data runs over semi-random ports, but all initiated from the client. sftp uses port 22 for data and control, since it's just an extension to the ssh protocol. ftps is ssl over traditional ftp and is its own monster that I will not attempt to tackle here.

If you run ftp over a different port than 21, (it appears you are running it over 10021 here), make sure the ftp inspect is listening for connections on that port. The easiest way to do this (and it still works on version 7 and 8 of PIX/ASA) is "fixup protocol ftp 10021". Once you do that, you don't have to mess with any of these other ports as they will be read dynamically by the ftp inspection.

You don't really say if 192.168.45.6 is hosting ftp services or if it is trying to contact something on the internet that is. Let's pretend it's hosting ftp services... this is all you would need:

static (dmz,outside) XX.24.139.XX 192.168.45.6

access-list 200 permit tcp any host XX.24.139.XX eq 10021

access-group 200 in interface outside

Good luck.
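The reply above says that once ftp inspection watches port 10021, the 34000-34050 range lines in the poster's ACLs become unnecessary. The following is an added example, not code from the thread or from Cisco, that models why: it parses the server's 227 "Entering Passive Mode" reply the way an inspecting firewall must, shows the two things ASA ftp inspection does with it (open a pinhole for the announced data port and rewrite the embedded DMZ address to the static NAT address), and shows that nothing happens when the control connection is on a port the inspection is not listening on. The public address 203.0.113.10 is a hypothetical stand-in for the masked XX.24.139.XX; 192.168.45.6, 10021 and 34000-34050 are the poster's values. The sample reply is constructed.

```python
import re

# Values from the thread: the DMZ server, its control port and passive range.
SERVER_DMZ = "192.168.45.6"
CONTROL_PORT = 10021
PASV_RANGE = range(34000, 34051)          # 34000-34050 inclusive

# Assumption: a documentation address stands in for the masked XX.24.139.XX.
SERVER_PUBLIC = "203.0.113.10"
STATIC_NAT = {SERVER_DMZ: SERVER_PUBLIC}  # models 'static (dmz,outside) ...'

# ASA ftp inspection watches tcp/21 by default; 'fixup protocol ftp 10021'
# adds the poster's control port to that set.
DEFAULT_INSPECTED = frozenset({21})
INSPECTED_WITH_FIXUP = frozenset({21, CONTROL_PORT})

_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Decode a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    Returns (ip, port) or None if the line is not a well-formed 227 reply.
    The data port is p1*256 + p2 and is chosen by the server per session,
    which is why a static ACL has to permit the whole range while an
    inspecting firewall only has to read it off the control channel.
    """
    m = _PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip, port):
    """Encode an address/port pair back into 227 reply syntax."""
    octets = ip.split(".")
    return "227 Entering Passive Mode ({},{},{},{},{},{}).".format(
        *octets, port // 256, port % 256)


def inspect_control_channel(control_port, inspected_ports, reply, static_nat):
    """Model what the firewall does with one server reply on the control channel.

    If the control connection is on a port the ftp inspection watches, the
    firewall (1) learns the announced data port so it can open a pinhole for
    the client's data connection and (2) rewrites the embedded private
    address to the static NAT address.  Otherwise the reply passes untouched:
    no pinhole exists and an outside client is told to connect to the
    unreachable DMZ address.

    Returns a dict with 'inspected', 'pinhole' ((public_ip, port) or None)
    and 'client_sees' (the reply as delivered to the client).
    """
    if control_port not in inspected_ports:
        return {"inspected": False, "pinhole": None, "client_sees": reply}
    parsed = parse_pasv(reply)
    if parsed is None:                       # not a PASV reply: nothing to do
        return {"inspected": True, "pinhole": None, "client_sees": reply}
    ip, port = parsed
    public_ip = static_nat.get(ip, ip)
    return {
        "inspected": True,
        "pinhole": (public_ip, port),
        "client_sees": format_pasv(public_ip, port),
    }


def in_pasv_range(port):
    """True if the server honoured its configured 34000-34050 passive range."""
    return port in PASV_RANGE


if __name__ == "__main__":
    # Constructed sample reply: the server announces data port 34010.
    reply = format_pasv(SERVER_DMZ, 34010)
    print("server sent:      ", reply)
    for label, ports in (("default inspect ", DEFAULT_INSPECTED),
                         ("with fixup 10021", INSPECTED_WITH_FIXUP)):
        r = inspect_control_channel(CONTROL_PORT, ports, reply, STATIC_NAT)
        print(f"{label}  pinhole={r['pinhole']}  client sees: {r['client_sees']}")
```

Run as a script, the first line of output shows the reply passing through unmodified with no pinhole (control port 10021 is not inspected by default), and the second shows the rewritten reply carrying the public address and a pinhole for 203.0.113.10:34010. The same logic is why the "range 34000 34050" permits are redundant once inspection covers the control port, and why inspection, not a wider ACL, is the right fix when the server sits behind a static NAT.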
