When I am applying an access-list "in" to the DMZ interface, how does that work? What I mean is, from the outside int to the DMZ int that would be "in" right? Also, from the inside to the DMZ, that would be "in" also right? I am trying to write an access-list, but having some issues with the direction for whatever reason.
I have a passive FTP situation.
Server (192.168.45.6) ---> DMZ int ---> outside int --- SFTP (control port: 10021) (Passive port: 34000 to 34050). Inspect is turned on for ftp.
Here are my outside and DMZ AL
access-list 201 extended permit tcp any host 192.168.45.6 eq 10021
access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050
access-list 201 extended permit tcp host 192.168.45.6 any eq 10021
access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050
access-list 200 extended permit tcp any host XX.24.139.XX eq 10021
access-list 200 extended permit tcp any host XX.24.139.XX range 34000 34050
I think I can remove my lines from my outside int because the connection is starting from the DMZ int, but I'm not sure if the DMZ AL is correct. Thoughts?
Are you using ftp, sftp, or ftps? Control for ftp runs over port 21 and, in passive mode, data runs over semi-random ports, all initiated from the client. sftp uses port 22 for data and control, since it's just an extension to the ssh protocol. ftps is ssl over traditional ftp and is its own monster that I will not attempt to tackle here.
If you run ftp over a different port than 21 (it appears you are running it over 10021 here), make sure the ftp inspect is listening for connections on that port. The easiest way to do this (and it still works on version 7 and 8 of PIX/ASA) is "fixup protocol ftp 10021". Once you do that, you don't have to mess with any of these other ports as they will be read dynamically by the ftp inspection.
You don't really say if 192.168.45.6 is hosting ftp services or if it is trying to contact something on the internet that is. Let's pretend it's hosting ftp services... this is all you would need:
static (dmz,outside) XX.24.139.XX 192.168.45.6
access-list 200 permit tcp any host XX.24.139.XX eq 10021
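The following is an added worked configuration, not part of the answer above, showing how the answer's two lines fit together with the non-standard-port FTP inspection and with the "in" direction the original question asks about. It assumes the server is hosting FTP on 10021, interface names "outside" and "dmz", and the pre-8.3 ASA syntax used in the answer; XX.24.139.XX is the poster's placeholder.

```cisco
! Added example (assumed names: interfaces "outside" and "dmz").
!
! 1. Publish the DMZ server on the public address (pre-8.3 syntax as in the answer).
!    On ASA 8.3 and later NAT is written as "object network ... nat (dmz,outside) static"
!    and the ACL below must reference the real address 192.168.45.6 instead.
static (dmz,outside) XX.24.139.XX 192.168.45.6
!
! 2. Outside -> DMZ: only the control port needs a permanent permit.
!    The passive data ports (34000-34050) are opened dynamically by the ftp
!    inspection when it sees the server's PASV reply, so no "range" line.
access-list 200 extended permit tcp any host XX.24.139.XX eq 10021
!
! 3. "in" means packets entering the ASA on that interface. Internet -> DMZ
!    traffic enters on outside, so ACL 200 is applied "in" on outside, not on dmz.
access-group 200 in interface outside
!
! 4. Tell the inspection engine that FTP control lives on 10021. This is the
!    class-map/policy-map form that "fixup protocol ftp 10021" is converted
!    into on ASA 7.x and later.
class-map ftp-10021
 match port tcp eq 10021
policy-map global_policy
 class ftp-10021
  inspect ftp
!
! 5. Optional. An ACL applied "in" on dmz only sees packets the DMZ server
!    itself sends toward the ASA (connections it initiates). Replies to the
!    inbound FTP sessions are already allowed by the stateful connection
!    table, so they need no entry here. Note the implicit deny at the end:
!    once this is applied, any other DMZ-initiated traffic must be listed too.
access-list 201 extended permit tcp host 192.168.45.6 any eq 10021
access-group 201 in interface dmz
```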