topic Using authentication for ftp in Network Access Control

Using authentication for ftp

tskidmore — Fri, 21 Feb 2020 18:12:07 GMT

I have a PIX 515E v6.3.3 that is currently in place and has statics and an access list on the outside interface to allow http and smtp access in to the mail & web servers.

I now have a need to allow an deveoper ftp access to the web site for posting content. Using a remote access VPN is not possible, so I want to try to use the authentication features to force the developer to authenticate to the PIX before he gets to the server- I don't want to expose the ftp server directly to every script kiddie with a port scanner.

The documentation and the support site aren't very explicit with an example, specifically the interactions between the inbound ACL and using the autentication for some services. First and foremeost I can't break the existing smtp and www "permits", or cause them to require authentication. As of yet, I haven't hooked this PIX to a tacacs or radius server, so I will use local authentication.

Does the config below accomplish the objective, or I am going at this incorrectly?

name 192.168.1.1 ftpserver

name 192.168.1.2 mailserver

static (inside, outside) ftpserver ftpserver netmask 255.255.255.255

static (inside, outside) mailserver mailserver netmask 255.255.255.255

access-list acl_out permit tcp any host mailserver eq 25

access-list acl_out permit tcp any host ftpserver eq 80

access-group acl_out in interface outside

aaa-server AuthIn protocol local

aaa authentication include ftp outside ftpserver 255.255.255.255 0 0 AuthIn

aaa authentication exclude http outside ftpserver 255.255.255.255 0 0 AuthIn

aaa authentication exclude tcp/25 outside mailserver 255.255.255.255 0 0 AuthIn

I'm not sure if the authentication excludes are needed and/or do I need to permit ftp access inbound in the acl_out access list. OR am I even on the right track with this config?

Also if this config works, what will be the process the developer uses to log in- does he first ftp to the pix public ip and authenticate locally, then use another ftp connect to the server's ip address, or does he use a proxy type syntax where both credentials are supplied at the initial login.

Your help is greatly appreciated.

Re: Using authentication for ftp

umedryk — Thu, 03 Feb 2005 14:57:28 GMT

This configuration looks fine, should work for you.

Re: Using authentication for ftp

stevep — Thu, 03 Feb 2005 17:18:58 GMT

I would suggest that the last 2 ACE listed below are not required as when a specific port is specified for traffic hitting the inside/outside interfaces only the traffic with a matching destination port is included or excluded for authentication.

Had you specified the any keyword which permits FTP, HTTP and Telnet then all 3 of these services would have required authentication against the LOCAL database.

no aaa authentication exclude http outside ftpserver 255.255.255.255 0 0 AuthIn

no aaa authentication exclude tcp/25 outside mailserver 255.255.255.255 0 0 AuthIn

As you have configured a static from inside - outside, external users will have to AND their usernames and passords.

e.g,

PIX config: username bob password cisco

FTP Server: username of garbage, password can

To access the FTP server would require the following:

username: bob@garbage

password: cisco@can

Hope this helps.

Steve.

Re: Using authentication for ftp

dbellaze — Thu, 03 Feb 2005 17:49:56 GMT

You will need a permit statement on your acl_out for the FTP server.

Daniel