Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

FTP to a DMZ???

I have a PIX 515 running 5.3(1) with 4 DMZ ports. I have a machine off of one of the DMZ's that I want to allow only specific addresses to FTP to that machine from the Internet. Is that possible? How would I do that?

Thank you!

Susana Wraight

New Member

Re: FTP to a DMZ???

Yes you can limit access to FTP just write an access list for that IP address. That is if you have static IP's accessing the FTP server.

New Member

Re: FTP to a DMZ???

By using static & access-list & access group command.

Take the following example: is the public address used to reach the server, in your case the FTP server. is the IP address physically assigned to your FTP server, it's an private IP address.

Command #1 : static (dmz3,outside) netmask

a)Replace "dmz3" with the name of the DMZ segment where your FTP is place.

b)Replace the public IP address (in this example: with your public IP address to reach the FTP server from the Internet.

c)Replace the private IP address (in this example: with your private IP address physically assigned to your FTP server.

d) The netmask should be

Command #2: access-list acl_out permit tcp any host eq ftp

a) Replace the word "any" by the host IP address or network IP address you want to give right to access.

In case of a single host you must write "host x.y.z.a" (x to a must be replace by the real IP address.

In case of a network: write the network IP address following by the netmask (For instance: netmask identify all host between to

b) The word "acl_out" is an alias used to identify the rule. You may used any alias you want. But you must have the same name for all the access-list or access-group command linked together.

c) You may repeat the access-list command as often as necessary to configure all the access needed. With the same name as indicated before.

Command #3: access-group acl_out in interface outside

a) This command link all the access-list configure with the "acl_out" alias name to the outside interface. You must figure out, access-list is apply to the outside interface because the request (your users) come from the outside but the the filering rules are apply to the incoming packets of the outside interface.

That's it

New Member

Re: FTP to a DMZ???

THANK YOU! I appreciate your help. When I put in the commands though, it wouldn't work when I had the word "host" in there. I just simply put the address that needed access and then the public address of the server on the dmz. Will that cause trouble? This is what shows when I run the command show access-list:

access-list winn permit tcp host 206.62.x.x host 63.94.x.x eq ftp

Will that cause trouble???

Thanks again!

Susana Wraight

New Member

Re: FTP to a DMZ???

It seems OK... Now, you have only to test the rule...

Benoit Dube

CreatePlease to create content