topic basic access rule for remote servers. in Network Security

basic access rule for remote servers.

peterpark421 — Tue, 12 Mar 2019 00:59:44 GMT

on ASA 5505, I would like to allow all traffic for remote network(or servers)(harvesterFTP in a screenshot attached)

for some reason it is not working. it seems it is with implicit rule.

Could anyone give me some advice on this?

basic access rule for remote servers.

Jouni Forss — Tue, 12 Feb 2013 17:45:41 GMT

Hi,

Do you mean that you want to allow traffic to a server behind your ASA5505 from the Internet?

I can only guess that you have the ACL statements wrong somehow.

Sadly the ASDM picture doesnt tell us much since its just using names instead of actual IP address ranges.

Though the output seem abit wierd as you have on your "outside" ACL defined source address as "inside" network and the destination as the FTP server? Shouldnt the source either be "any" or the public source network from which the users are connecting to your server?

To be honest the CLI format of the configurations would be better in this case as we cant tell much from the names in the ASDM picture

We can only tell that the rules you have configured are not getting "hit" or "matched".

- Jouni

basic access rule for remote servers.

Jouni Forss — Tue, 12 Feb 2013 17:51:29 GMT

Also,

I'm not quite sure what the software version you are using. I guess it must be 8.3 or newer since it refers to the Global ACL. (I dont use much ASDM myself)

Basicly if you have configured NAT for one of your servers and want to open connections to it from the Internet you should use the Real IP address as the destination IP address in the ACL

For example

Your servers LAN IP is 192.168.10.10
Your servers Public IP is 1.2.3.4

When you create ACL rules with the 8.3 and above softwares you need to allow the traffic from "outside" to the LAN IP address of the server.

- Jouni

basic access rule for remote servers.

peterpark421 — Wed, 13 Feb 2013 14:25:31 GMT

Jouni,

Thanks a lot for your advise. Below I attached the running configuration. The thing I want to achieve here is to give remote servers(harvesterFTP) access to the internal network. Could you please take a look at the run-config and give me an advise?

:
ASA Version 8.4(4)1

!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 74.101.14.146 255.255.255.0
!
interface Vlan5
no nameif
security-level 50
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network FTPserver1
host 64.147.106.92
object network FTPserver2
host 64.147.106.67
object network HarvesterFTP
subnet 64.147.106.0 255.255.255.0
object-group network Harvester
network-object object FTPserver1
network-object object FTPserver2
object-group network HarvesterNetwork
network-object object HarvesterFTP
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host 64.147.106.67
network-object host 64.147.106.92
object-group network DM_INLINE_NETWORK_3
network-object host 64.147.106.67
network-object host 64.147.106.92
object-group network DM_INLINE_NETWORK_2
network-object object FTPserver1
network-object object FTPserver2
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_3 74.101.14.0 255.255.255.0
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.101.14.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 192.168.0.5 68.237.161.12
dhcpd update dns both
!
dhcpd address 192.168.0.15-192.168.0.132 inside
dhcpd dns 192.168.0.5 68.237.161.12 interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
call-home reporting anonymous
Cryptochecksum:31db376b3dc2ff56c0c43331f6a98293
: end

basic access rule for remote servers.

Jouni Forss — Wed, 13 Feb 2013 14:40:19 GMT

Hi,

Are you saying that

You have servers on the LAN (or DMZ) that need to be reachable from the Internet
You have Public IP addresses for each of the local servers

For your servers to be reachable from the Internet you need to configure a Static NAT for each local server so that they have their own public IP address.

If the above is the case I would need following information to give you the configurations

What are the local IP addresses of the servers and what are the public IP addresses you want to configure for them?
What are the source addresses/networks for which you want to open the connections to the local servers? (object network HarvesterFTP ?)
What services (TCP/UDP) do you want to open from the Internet to those local servers?

With the above information I could give you the needed configurations.

- Jouni

basic access rule for remote servers.

peterpark421 — Wed, 13 Feb 2013 16:31:08 GMT

Harvester server is remote servers that I want to give access to our network. I don't need to configure NAT for our internal servers here.

Specifically, I want allow all FTP traffic from external servers below to be able to get in our internal network.

64.147.106.92

64.147.106.67

We are using those remote server to get certain files using FTP automatically but it stopped working since we changed the firewall.

Re: basic access rule for remote servers.

Jouni Forss — Wed, 13 Feb 2013 16:41:06 GMT

Hi,

I'm not totally sure if we are speaking with different terms or what the actual setup is here.

To clarify the situation on my part

IF your LAN hosts or servers are initiating/opening a connection to a remote network/host they either need a public IP address themselves or need to use NAT Pool or PAT translation. In your case any host on the LAN should be able to initiate connection to anywhere on the Internet
IF some remote hosts on the Internet need to initiate/open a connection to servers/hosts on your LAN/DMZ then those said servers/hosts need their own public IP address, port forward configuration or possibly some VPN setup.

So if some remote hosts from the Internet is currently attempting connection towards your network the above ASA configuration simply wont do the job. It cant work since there is no NAT configuration to make the connection initiation from the Internet possible. The existing PAT translation only works for the LAN hosts when they are initiating connection towards the Internet.

Which leads me to believe that you have had some kind of NAT configurations on your old firewall and they are not configured on the ASA firewall.

- Jouni

basic access rule for remote servers.

peterpark421 — Wed, 13 Feb 2013 21:06:12 GMT

Thank you Jouni for your advice.

It seems it did not give enough explanation for what I really trying to achieve here.

We have software installed on a computer in our network and this one connects remote FTP servers which is not ours and just commercial FTP server accessible for everyone if you have access permission to retrieve files on it.

When I tried to connect the remote ftp server from one of our computers in our network, it can successfully login but when I try "ls" command, I got errors below.

500 illegal PORT command

425 use PORT or PASV first

I talked to the company hosting this FTP servers and they say this might be with the firewall access rules and since I am looking into this. They said I will need to open FTP protocol for inbound and outbound traffic for their remote servers.

The remote servers do not need to be initiate connection first with a computer inside the network but a computer inside of our network should be able to access the remote ftp servers and retreive all data required for the software to run.

I can connect this ftp servers and do "ls" to retrieve all files from another network without any issue.

Any advice would be appreciate.

basic access rule for remote servers.

Jouni Forss — Wed, 13 Feb 2013 21:37:42 GMT

Hi,

I havent had much problems with FTP connections through the ASA

I think the FTP inspection on the ASA handles the FTP connections.

Do you have the following configuration on the ASA?

policy-map global_policy

class inspection_default

inspect ftp

I can't see any policy-map configuration in your above copy/pasted configuration?

Some thread on the Internet simply state to give "passive" command on the FTP CLI.

- Jouni

basic access rule for remote servers.

peterpark421 — Thu, 14 Feb 2013 17:27:38 GMT

Perfect. Creating inspection policy solved the issue.

basic access rule for remote servers.

Jouni Forss — Thu, 14 Feb 2013 17:29:42 GMT

Glad to hear that its working now

- Jouni