Community Member

ASA/DMZ FTP server

I have a couple of questions.

First

When I am applying an access-list "in" to the DMZ interface, how does that work? What I mean is, from the outside int to the DMZ int that would be "in" right? Also, from the inside to the DMZ, that would be "in" also right? I am trying to write an access-list, but having some issues with the direction for whatever reason.

Second

I have a passive FTP situation.

Server (192.168.45.6) ---> DMZ int ---> outside int --- SFTP (control port: 10021) (Passive port: 34000 to 34050). Inspect is turned on for ftp.

Here are my outside and DMZ AL

DMZ

access-list 201 extended permit tcp any host 192.168.45.6 eq 10021
access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050
access-list 201 extended permit tcp host 192.168.45.6 any eq 10021
access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050

Outside

access-list 200 extended permit tcp any host XX.24.139.XX eq 10021
access-list 200 extended permit tcp any host XX.24.139.XX range 34000 34050

I think I can remove my lines from my outside int because the connection is starting from the DMZ int, but not sure if the DMZ AL is correct? Thoughts?

Accepted Solutions

Re: ASA/DMZ FTP server

Hi Daniel,

I see that I misunderstood what you were trying to do. I was assuming that the clients would be the ones initiating the traffic--not the server.

In that case, you wouldn't need the outside ACL as the return traffic will be allowed once the original outbound connection gets built.

Also, see below for the answers to your other questions:

[Q]: If I understand you correctly, if I am sending traffic from my ftp server on my DMZ to the DMZ interface that would be in the "in" direction correct?

[A]: Yes, this is exactly right.

[Q]: So if I have my DMZ ACL "in" it's really blocking traffic coming into the interface, traversing the FW? Correct?

[A]: Yes, this is correct as well. Since there is an implicit 'deny ip any any' at the end of every ACL, applying your DMZ ACL inbound on the DMZ interface would only allow TCP/10021 and TCP/34000-34050 traffic to and from the 192.168.45.6 server. All other traffic that hits the DMZ interface would be dropped by the ASA.

[Q]: Also, if I want to restrict traffic coming into the DMZ, would I put the ACL in the "out" direction? Is that right?

[A]: Well, this would work but you will rarely see it done this way. The reason for this is that an ACL applied in the "out" direction will be one of the last things considered when deciding how to pass traffic. So, you waste processing time putting packets through all of the security checks, NAT, etc. if after all of that you just decide to drop the packet anyway. Instead, you would want to restrict traffic as it ingresses into the ASA (i.e. in the "in" direction). However, one thing to keep in mind is that the ASA will allow all traffic by default from a high security interface to a low security interface, and the ASA will deny all traffic by default from a low security interface to a high security interface. So, you won't have to restrict traffic coming into the DMZ from the outside interface, for example--this will already be denied due to the security levels. If you wanted to restrict traffic coming into the DMZ from, for example, the inside interface, then you would be better off denying it in an ACL in the "in" direction on the inside interface, rather than the "out" direction on the DMZ interface.

Does that make sense?

-Mike
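To make the "in on the DMZ" semantics and the implicit deny concrete, here is a small evaluator (an added example, not code from the thread or from Cisco) that parses the posted ACL 201 and checks constructed flows as they ingress the DMZ interface, where the server is always the source. Only the two entries with `host 192.168.45.6` as source can therefore match; anything the server sends that is not TCP/10021 or TCP/34000-34050 falls through to the implicit deny. The remote addresses are documentation-range placeholders.

```python
import ipaddress

# ACL 201 exactly as posted for the DMZ interface (applied "in" on DMZ).
DMZ_ACL = """
access-list 201 extended permit tcp any host 192.168.45.6 eq 10021
access-list 201 extended permit tcp any host 192.168.45.6 range 34000 34050
access-list 201 extended permit tcp host 192.168.45.6 any eq 10021
access-list 201 extended permit tcp host 192.168.45.6 any range 34000 34050
"""

def parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]

def parse_ports(tokens):
    """Consume an optional port spec ('eq N' or 'range A B'); default is all ports."""
    if tokens and tokens[0] == "eq":
        return (int(tokens[1]), int(tokens[1])), tokens[2:]
    if tokens and tokens[0] == "range":
        return (int(tokens[1]), int(tokens[2])), tokens[3:]
    return (0, 65535), tokens

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC [PORTS] DST [PORTS]' lines."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[2] != "extended":
            continue  # skip anything that is not an extended ACE
        action, proto, tokens = tokens[3], tokens[4], tokens[5:]
        src, tokens = parse_addr(tokens)
        sport, tokens = parse_ports(tokens)
        dst, tokens = parse_addr(tokens)
        dport, _ = parse_ports(tokens)
        aces.append((action, proto, src, sport, dst, dport))
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    """First match wins; a packet matching no entry hits the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, (slo, shi), dn, (dlo, dhi) in aces:
        if p in (proto, "ip") and s in sn and d in dn and slo <= sport <= shi and dlo <= dport <= dhi:
            return action
    return "deny"  # implicit deny at the end of every ASA ACL
```

Call `evaluate(parse_acl(DMZ_ACL), "tcp", "192.168.45.6", 40000, "203.0.113.10", 10021)` for the server's outbound control connection (permit), and swap in UDP/53 from the same server to see the implicit deny.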

4 REPLIES

Re: ASA/DMZ FTP server

Hi Daniel,

In response to your first question, the "in" keyword means that it will match traffic that is ingressing on an interface. So, if your packet was passing from the outside interface to the DMZ interface, the packet would come "in" on the outside interface and go "out" on the DMZ interface. In other words, "in" is when the packet hits the firewall (going in to the firewall) and "out" is when the packet is leaving the firewall. Does that make sense?

In regards to your second question, are you basically trying to allow clients on the outside interface to access the server on TCP port 10021 and 34000-24050 behind the DMZ interface? If so, your outside ACL is correct, but you'll also need a translation. Something like this would work:

static (DMZ,outside) XX.24.139.XX 192.168.45.6 netmask 255.255.255.255

Assuming the DMZ interface is a higher security level than the outside interface, you can remove the DMZ ACL all together. The ASA will allow traffic to pass from a high security level to a low security level by default (no ACLs required).

Hope that helps.

-Mike

Community Member

Re: ASA/DMZ FTP server

Mike,

Thank you for the fast response.

So if my server located on the DMZ is initiating the traffic, do I need to add any ACL lines?

If I understand you correctly, if I am sending traffic from my ftp server on my DMZ to the DMZ interface that would be in the "in" direction correct? So if I have my DMZ ACL "in" it's really blocking traffic coming into the interface, traversing the FW? Correct?

Also, if I want to restrict traffic coming into the DMZ, would I put the ACL in the "out" direction? Is that right?

Thanks for all the help

Community Member

Re: ASA/DMZ FTP server

Yes it does. Thank you for taking the time to explain that to me.
