topic ftp traffic from dmz to outside in Network Security

ftp traffic from dmz to outside

apptionadmin — Tue, 12 Mar 2019 00:33:55 GMT

Hi,

I am able to ftp from my Head Office to my test machine at the remote location but I can't get the other way around to work.

Error message from the Syslog

deny tcp src 192.168.50.5/1825 dst 208.124.202.44/21 by access-group "dmz_access_in"

I try a couple of ways to fix it but no luck.

l would appreciate some help.

A partial config of my ASA 5505

access-list outside1_cryptomap extended permit ip object LAN object HeadOffice-VLAN3 
access-list inside_access_in extended permit ip interface inside interface outside1 
access-list inside_access_in extended permit icmp any any 
access-list outside1_access_in extended permit ip any interface outside1 
access-list outside1_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 interface outside1 eq https 
access-list outside1_access_in extended permit tcp any host 192.168.50.5 eq www 
access-list outside1_access_in extended permit tcp any host 192.168.50.5 eq https 
access-list outside1_access_in extended permit tcp object-group DM_INLINE_NETWORK_2 host 192.168.50.5 object-group RDP 
access-list outside1_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.50.5 eq ftp 
access-list dmz_access_in extended permit tcp any object Server2 eq www 
access-list dmz_access_in extended permit tcp any host 192.168.50.5 eq www 
access-list outside_access extended permit object http any object Server2 
access-list extended extended permit tcp any host 192.168.50.5 eq ftp 
access-list extended extended permit tcp any host 192.168.50.5 eq ftp-data 
access-group inside_access_in in interface inside
access-group outside_access in interface outside
access-group outside1_access_in in interface outside1 per-user-override
access-group dmz_access_in in interface dmz per-user-override
object network Server2
nat (dmz,outside1) static interface service tcp www www 
object network Server3
nat (dmz,outside1) static interface service tcp https https 
object network RDP2
nat (dmz,outside1) static interface service tcp 3389 3389 
object network ftp
nat (dmz,outside1) static interface service tcp ftp ftp 
ftp mode passive

Re: ftp traffic from dmz to outside

Jouni Forss — Thu, 06 Dec 2012 19:40:55 GMT

Hi,

According to the log message the connection is blocked by the access-list "dmz_access_in"

According to the configuration the mentioned ACL is attached to the direction "in" on the interface "dmz"

Looking at the actual list it seems to me that you have not made a rule that allows the host behind "dmz" interface to initiate a FTP Control connection (TCP/21).

Shouldnt this just be corrected with issuing the command

access-list dmz_access_in permit tcp host host eq 21

- Jouni

Re: ftp traffic from dmz to outside

apptionadmin — Thu, 06 Dec 2012 20:01:20 GMT

Hi Jouni,

That help with moving the traffic out. The problem now is the FTP Server is giving this error

000012) 12/6/2012 14:52:18 PM - (not logged in) (192.168.50.5)> Connected, sending welcome message...

(000012) 12/6/2012 14:52:18 PM - (not logged in) (192.168.50.5)> could not send reply, disconnected.

Stange thing is the Server is login the local IP of the test machine at the remote office should that be the External IP of the ASA firewall...

Thanks

ftp traffic from dmz to outside

Jouni Forss — Thu, 06 Dec 2012 20:10:43 GMT

Hi,

Just seems to me that the host 192.168.50.5 is initiating a connection from behind interface "dmz" and its getting blocked by the "dmz" interfaces access-list.

It would seem to me that the connection the mentioned host is trying to form and that is getting blocked is the actual Control connection of the FTP. So I'm not sure what situation the FTP servers log messages refer to when the firewall log says it has even blocked the initial connection.

Is some L2L VPN between the sites involved here?

Naturally the a more complete firewall configuration and specific source and destination IP address information for the attempted connection would make it easier to check what the problem might be. For example I don't know how you have configured NAT for the log messages source host 192.168.50.5.

- Jouni

ftp traffic from dmz to outside

apptionadmin — Thu, 06 Dec 2012 20:33:38 GMT

Hi,

There is a site to site VPN tunnel between the Network that let's the traffic from VLAN 192.168.3.x from Head office to remote office.

NAT info

object network ftp

nat (dmz,outside1) static interface service tcp ftp ftp

Should I be adding ftp-data to this NAT?

Thanks