Policy-based-Routing for FTP

robert.rosell — Tue, 12 Mar 2019 09:38:28 GMT

HI Experts,

I'm trying to configure my ASA 5515-X (9.5(2)5) to split Business-critical traffic like SMTP, VPN, NTP on interface OUTSIDE with static IP's an Web-traffic like HTTP and FTP on interface INTERNET with dynamic IP. The default-route points to OUTSIDE.

Now i stuck on passive FTP...

The initial communication through port 21 is working. The following communication through a dynamically assigned port is blocked on OUTSIDE by any/any/deny.

I need to tell PBR dynamically to route the additional FTP-port through INTERNET. But how?

The config looks like this:

S* 0.0.0.0 0.0.0.0 [1/0] via DEUTSCHLAND_LAN, outside

route-map PBR-test permit 10
match ip address PBR-ACL
set ip next-hop 172.17.252.240
set interface INTERNET

access-list PBR-ACL extended deny ip 192.1.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list PBR-ACL extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_1 any4

object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object tcp-udp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq ftp

object-group network DM_INLINE_NETWORK_1
network-object 192.1.2.0 255.255.255.0
network-object object net-192.1.2.0_24

Thanks for your help

Greets

Robert

topic Policy-based-Routing for FTP in Network Security

Policy-based-Routing for FTP