Cisco Support Community
ASA/DMZ FTP server

I have a couple of questions.

First

When I am applying an access-list "in" to the DMZ interface, how does that work? What I mean is, from the outside int to the DMZ int, that would be "in", right? Also, from the inside to the DMZ, that would be "in" also, right? I am trying to write an access-list, but I am having some issues with the direction for whatever reason.

Second

I have a passive FTP situation.

Server (192.168.45.6) ---> DMZ int ---> outside int --- SFTP (control port: 10021) (Passive port: 34000 to 34050). Inspect is turned on for ftp.

Here are my outside and DMZ AL

DMZ

access-list 201 extended permit tcp any host 192.168.45.6 eq 10021
access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050
access-list 201 extended permit tcp host 192.168.45.6 any eq 10021
access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050

Outside

access-list 200 extended permit tcp any host XX.24.139.XX eq 10021
access-list 200 extended permit tcp any host XX.24.139.XX range 34000 34050

I think I can remove my lines from my outside int because the connection is starting from the DMZ int, but not sure if the DMZ AL is correct? Thoughts?

1 REPLY

Re: ASA/DMZ FTP server

Are you using ftp, sftp, or ftps? Control for ftp runs over port 21 and, in passive mode, data runs over semi-random ports, but all initiated from the client. sftp uses port 22 for data and control, since it's just an extension to the ssh protocol. ftps is ssl over traditional ftp and is its own monster that I will not attempt to tackle here.

If you run ftp over a different port than 21 (it appears you are running it over 10021 here), make sure the ftp inspect is listening for connections on that port. The easiest way to do this (and it still works on versions 7 and 8 of PIX/ASA) is "fixup protocol ftp 10021". Once you do that, you don't have to mess with any of these other ports, as they will be read dynamically by the ftp inspection.

You don't really say if 192.168.45.6 is hosting ftp services or if it is trying to contact something on the internet that is. Let's pretend it's hosting ftp services... this is all you would need:

static (dmz,outside) XX.24.139.XX 192.168.45.6
access-list 200 permit tcp any host XX.24.139.XX eq 10021
access-group 200 in interface outside

Good luck.
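As an added example (not part of either post in this thread), here is the configuration the reply's advice boils down to, written out in the modular policy framework form that ASA 7.x and 8.x use under the hood when you enter "fixup protocol ftp 10021". It assumes the pre-8.3 NAT syntax the thread uses, the thread's addresses (192.168.45.6 behind XX.24.139.XX), an interface named dmz, plain FTP (not SFTP) with the control channel on TCP/10021, and a hypothetical class-map name FTP-10021; global_policy is the ASA's default global policy name. The direction point from the original question is handled by the access-group lines: an ACL applied "in" on an interface filters packets entering the ASA from that interface's segment, so the outside ACL governs Internet clients reaching the DMZ server, and the dmz ACL governs connections the DMZ server itself originates.

```cisco
! Added example; not the poster's or the reply's own configuration.
! Assumes pre-8.3 syntax, plain FTP with control on TCP/10021, the thread's
! addresses, an interface named dmz, and a hypothetical class-map FTP-10021.

! Case A: 192.168.45.6 hosts the FTP service and is reachable as XX.24.139.XX.
static (dmz,outside) XX.24.139.XX 192.168.45.6 netmask 255.255.255.255

! Only the control port needs a static permit. The passive data ports
! (34000-34050 in the thread) are opened dynamically by FTP inspection
! once it parses the PASV reply on the control channel.
access-list 200 extended permit tcp any host XX.24.139.XX eq 10021
access-group 200 in interface outside

! Case B: 192.168.45.6 is instead the client, connecting out to an FTP
! server on the Internet that listens on 10021. "in" on the dmz interface
! filters traffic entering the ASA from the DMZ segment, i.e. connections
! the DMZ host starts; the outside ACL is not involved in that direction.
access-list 201 extended permit tcp host 192.168.45.6 any eq 10021
access-group 201 in interface dmz

! Make FTP inspection examine TCP/10021 in addition to the default port 21.
! This is the MPF equivalent of the legacy "fixup protocol ftp 10021".
class-map FTP-10021
 match port tcp eq 10021
policy-map global_policy
 class FTP-10021
  inspect ftp
service-policy global_policy global
```

Two practitioner caveats. First, applying an access-group to the dmz interface replaces the default "higher security level may talk to lower" behaviour with the ACL's implicit deny, so anything else the server needs outbound (DNS, updates) must also be permitted in access-list 201. Second, if the service on 10021 is really SFTP (SSH), FTP inspection has nothing to parse and does no harm, but it is also unnecessary: a single permit for TCP/10021 in the appropriate direction is all that is required, and no passive port range exists. On 8.3 and later the NAT statement becomes object NAT and the ACL references the real address 192.168.45.6 rather than the translated one.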
