topic Re: ftp in dmz in Network Security

ftp in dmz

rhltechie — Mon, 11 Mar 2019 09:15:49 GMT

Hi All,

I am fairly certain this is something that happens all the time and a very easy thing to do for most. I have never set up a dmz and am not the best at pix. I have an asa 5510 and I am trying to setup a ftp server in the dmz that i can reach from inside and outside. I have done the following:

access-list outside_access_in extended permit tcp any host <public ip> eq ftp

access-list DMZ1_access_in extended permit tcp host 192.168.60.15 192.168.9.0 255.255.255.0 eq ftp

global (outside) 1 interface

nat (outside) 0 access-list outside_nat0_inbound outside

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255

static (DMZ1,inside) 192.168.60.10 192.168.60.10 netmask 255.255.255.255

static (DMZ1,inside) 192.168.60.15 192.168.60.15 netmask 255.255.255.255

static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255

static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0

access-group outside_access_in in interface outside

access-group DMZ1_access_in in interface DMZ1

The ftp host private ip in the dmz is 192.168.60.15. Private hosts inside reside on 192.168.9.0. I have also allowed port 3389 to this server for testing, and this works fine.

When I view the live log, I do not see any errors, just the following when i attempt a connection from the inside:

6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout

6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)

6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)

6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout

Can someone please help?

TIA,

Re: ftp in dmz

Collin Clark — Fri, 05 Jan 2007 14:44:16 GMT

Do you have an ACL on your inside interface? Please post it. The DMZ1_access_in ACL is applied to the DMZ interface inbound to the ASA. That means you're allowing 192.168.60.15 to FTP to the internal network! I'm betting the inside ACL is blocking FTP to the DMZ.

Re: ftp in dmz

rhltechie — Fri, 05 Jan 2007 14:50:25 GMT

thank you for your reply. the only other acl i have applied is :

access-group outside_access_in in interface outside

Re: ftp in dmz

Collin Clark — Fri, 05 Jan 2007 16:57:56 GMT

Are you running FTP in passive mode? Try entering:

'fixup protocol ftp'

Re: ftp in dmz

jwalker — Fri, 05 Jan 2007 16:59:13 GMT

First off, these two commands are unnecessary..

static (DMZ1,inside) 192.168.60.10 192.168.60.10 netmask 255.255.255.255

static (DMZ1,inside) 192.168.60.15 192.168.60.15 netmask 255.255.255.255

Second, if you have an access list on your inside interface, you need to allow traffic from the inside to the FTP server. If you do not do any egress filtering, then you should be able to hit the DMZ FTP server. Oh one other thing.. make sure you have the appropriate nat/global or static to allow the internal traffic to access the DMZ network.

Pls rate if this helps.

Cheers.

Re: ftp in dmz

rhltechie — Fri, 05 Jan 2007 17:05:50 GMT

my understanding is that on the asa, ver 7.0 you no longer used the fixup command. that it was replaced with the following:

policy-map global_policy

class inspection_default

inspect ftp

is this wrong?

jwalker, can you please give me an example of the correct global/nat or static as i do not have egress filtering. i thought i understood this, but apparently i do not!

TIA,

Re: ftp in dmz

Collin Clark — Fri, 05 Jan 2007 17:41:11 GMT

The fixup command creates the policy for you. Your static for inside users going to DMZ is correct and you are not doing any egress filtering (ie an ACL applied to the inside interface).

Re: ftp in dmz

rhltechie — Fri, 05 Jan 2007 17:58:16 GMT

thank you for your reply but the fixup protcol made no difference for me.

Re: ftp in dmz

Collin Clark — Fri, 05 Jan 2007 20:17:12 GMT

Can you post a complete (but sanitized) config?

Re: ftp in dmz

jwalker — Fri, 05 Jan 2007 20:45:02 GMT

not sure what your internal ranges are so to make a static but for a nat/global you would need..

global (dmz) 1 interface

here is a static example though that translates an inside range to itself on the dmz

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Re: ftp in dmz

rhltechie — Fri, 05 Jan 2007 21:35:20 GMT

here ya go!

Re: ftp in dmz

5220 — Sat, 06 Jan 2007 20:46:31 GMT

Hi,

Try the command: ftp mode active

You should also take this one baby step at a time, allowing ip any any. Then try ping, if this works, then is a protocol/server issue (the command above might solve it).

Please rate if this helped.

Regards,

Daniel

Re: ftp in dmz

rhltechie — Mon, 08 Jan 2007 13:32:51 GMT

I tried returning to ftp active mode, with no success. I allowed ping through and i can indeed ping the server. I am unsure of what else this could be. i know the service is running as I can ftp to the localhost if i am on the localhost. any other ideas?

thanks

Re: ftp in dmz

rhltechie — Mon, 08 Jan 2007 13:45:47 GMT

Ok guys, I figured it out. I feel like such an idiot!! I had the ftp server on an XP machine, and guess what was on...yes, the xp firewall.

thanks for all the help.

Re: ftp in dmz

5220 — Tue, 09 Jan 2007 18:43:57 GMT

:)))))

No worries, it's good now it works.

Cheers,

Daniel