FTP to a DMZ???

wraights
Level 1

I have a PIX 515 running 5.3(1) with 4 DMZ ports. I have a machine off one of the DMZs, and I want to allow only specific addresses from the Internet to FTP to that machine. Is that possible? How would I do that?

Thank you!

Susana Wraight

4 Replies

orndorfffo
Level 1

Yes, you can limit access to FTP; just write an access list for that IP address. That is, if you have static IPs accessing the FTP server.

bdube
Level 2

By using the static, access-list and access-group commands.

Take the following example: 209.165.201.3 is the public address used to reach the server, in your case the FTP server. 192.168.3.3 is the IP address physically assigned to your FTP server; it's a private IP address.

Command #1: static (dmz3,outside) 209.165.201.3 192.168.3.3 netmask 255.255.255.255

a) Replace "dmz3" with the name of the DMZ segment where your FTP server is placed.

b) Replace the public IP address (in this example: 209.165.201.3) with your public IP address used to reach the FTP server from the Internet.

c) Replace the private IP address (in this example: 192.168.3.3) with the private IP address physically assigned to your FTP server.

d) The netmask should be 255.255.255.255

Command #2: access-list acl_out permit tcp any host 209.165.201.3 eq ftp

a) Replace the word "any" with the host IP address or network IP address you want to give the right to access.

In case of a single host you must write "host x.y.z.a" (x to a must be replaced by the real IP address).

In case of a network: write the network IP address followed by the netmask (for instance, 202.142.142.0 netmask 255.255.255.0 identifies all hosts between 202.142.142.0 and 202.142.142.255).

b) The word "acl_out" is an alias used to identify the rule. You may use any alias you want, but you must have the same name for all the access-list and access-group commands linked together.

c) You may repeat the access-list command as often as necessary to configure all the access needed, with the same name as indicated before.

Command #3: access-group acl_out in interface outside

a) This command links all the access-list entries configured with the "acl_out" alias name to the outside interface. You must figure out that the access-list is applied to the outside interface because the requests (your users) come from the outside, but the filtering rules are applied to the incoming packets of the outside interface.

That's it
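To check how the three source forms in the reply above (any, host x.y.z.a, and network plus netmask) are matched, here is an added Python evaluator that is not part of this thread or of the PIX software. It parses access-list lines in the PIX syntax and applies them first-match with the implicit deny at the end; ACL_TEXT, parse_acl and evaluate are constructed names, and the sample addresses are constructed from the values used in the reply.

```python
import ipaddress

# Constructed sample PIX access-list lines covering the "host" and
# "network + netmask" source forms from the reply; not a live configuration.
ACL_TEXT = """
access-list acl_out permit tcp host 206.62.1.10 host 209.165.201.3 eq ftp
access-list acl_out permit tcp 202.142.142.0 255.255.255.0 host 209.165.201.3 eq ftp
"""

def parse_prefix(tokens):
    """Consume one PIX address spec from tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX syntax writes a network as address followed by a dotted netmask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Turn access-list lines into (name, action, proto, src, dst, port) tuples."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, rest = parse_prefix(t[4:])
        dst, rest = parse_prefix(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = 21 if rest[1] == "ftp" else int(rest[1])
        rules.append((name, action, proto, src, dst, port))
    return rules

def evaluate(rules, name, proto, src_ip, dst_ip, dst_port):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r_name, action, r_proto, r_src, r_dst, r_port in rules:
        if r_name != name or r_proto != proto:
            continue
        if s in r_src and d in r_dst and (r_port is None or r_port == dst_port):
            return action == "permit"
    return False
```

Running evaluate with a source outside the listed host and network, or with a port other than 21, returns False, which is the behaviour you want to confirm when testing the rule from an unlisted address.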

THANK YOU! I appreciate your help. When I put in the commands though, it wouldn't work when I had the word "host" in there. I just simply put the address that needed access and then the public address of the server on the dmz. Will that cause trouble? This is what shows when I run the command show access-list:

access-list winn permit tcp host 206.62.x.x host 63.94.x.x eq ftp

Will that cause trouble???

Thanks again!

Susana Wraight

It seems OK... Now, you have only to test the rule...

Benoit Dube
