topic DMZ Config in Network Security

DMZ Config

rmwhite59 — Mon, 11 Mar 2019 11:41:04 GMT

I need a sample DMZ config for a 515. I am placing a FTP server in my dmz running SFTP

Re: DMZ Config

JORGE RODRIGUEZ — Sat, 08 Dec 2007 21:33:34 GMT

Hi Elliot, were you aware of sftp not supported in pix, refer to this Q&A document for the sftp support through firewall, you may also wannt to do forum search or google Firewalls in generals and sftp support to see how others have done it as I have seen many threads on this.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a0080094874.shtml

HTH

Jorge

Re: DMZ Config

rmwhite59 — Sat, 08 Dec 2007 23:06:01 GMT

Jorge,

I the sftp not supported in all cisco security appliances, i.e. ASA

Thanks.

Raymond

Re: DMZ Config

JORGE RODRIGUEZ — Sun, 09 Dec 2007 17:10:59 GMT

Hi Raymond, sorry for calling Elliot! on your question on asa it is not about that but I think it is about the mechanism of sftp/ftps and ftp and how firewall handles ports and inspection and this seems to be the common denominator on sftp, doing some brief reading there seems to be two ways for ftp dat security .. the sftp and ftp over ssh, you may be able to get ftp over ssh implemented on pix but the only way to find out is by implementing it to see if it does work.. you may need to look into an ftp client that suports secure ftp.. like global scape.. here is a link , http://www.cuteftp.com/cuteftppro

forms of securre ftp

http://www.process.com/tcpip/sft.pdf

You could start with somthing like this, say we have the following :

Local FTP server in DMZ: 172.16.1.1

Public NAT for FTP server 10.20.20.20

static (dmz,outside) 10.20.20.20 172.16.1.1 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 10.20.20.20 eq 21

access-list outside_access_in permit tcp any host 10.20.20.20 eq 20

access-list outside_access_in permit tcp any host 10.20.20.20 eq 22

access-group outside_access_in in interface outside

let me know how this works if suitable, and if you decide to implement you may want to turn on fw syslog or setup syslog to see the traffic in the event it fails.

HTH

Jorge

pls rate any helpful post if it helps!

Re: DMZ Config

rmwhite59 — Sun, 09 Dec 2007 19:09:10 GMT

Jorge,

I have attached my config. The public ip for the ftp server is xx.xxx.xxx.51 Here is what I added which did not work. It also shut down traffic to the inside network from the outside.

static (dmz,outside) 66.xxx.xxx.51 172.16.1.10 netmask 255.255.255.255

access-list outside_access_in permit tcp any host 172.16.1.10 eq 21 access-list outside_access_in permit tcp any host 172.16.1.10 eq 20

access-list outside_access_in permit tcp any host 172.16.1.10 eq 22

access-group outside_access_in in interface outside

Any help would be appreciated

Re: DMZ Config

JORGE RODRIGUEZ — Sun, 09 Dec 2007 20:24:08 GMT

Before looking at config, what type of FTP server are you using e.g. Microsoft IIS or 3rd party ftp server if 3rd what type.?

Re: DMZ Config

rmwhite59 — Sun, 09 Dec 2007 20:25:34 GMT

WS-FTP

Re: DMZ Config

rmwhite59 — Sun, 09 Dec 2007 20:29:37 GMT

They access it using this application that is web base. WS-FTP is running on the server

http://www.jscape.com/sftpapplet/

Re: DMZ Config

JORGE RODRIGUEZ — Sun, 09 Dec 2007 21:48:26 GMT

You are using outside interface IP as suppose to spare public IP I thought you had spare pub ip, did you added in your current incoming acl, as well as static nat as bellow? to be on the same page this is for ftp over SSH which Jscale supports based on docs.. as long you allow passive mode on ftp this should work.

static(dmz,outside) tcp interface 20 172.16.1.X 20 netmask 255.255.255.255

static(dmz,outside) tcp interface 21 172.16.1.X 21 netmask 255.255.255.255

static(dmz,outside) tcp interface 22 172.16.1.X 22 netmask 255.255.255.255

where X is your ftp server in DMZ subnet.

access-list incoming permit tcp any host xx.xxx.xxx.53 eq 20

access-list incoming permit tcp any host xx.xxx.xxx.53 eq 21

access-list incoming permit tcp any host xx.xxx.xxx.53 eq 22

access-group incoming in interface outside

Re: DMZ Config

rmwhite59 — Sun, 09 Dec 2007 22:25:37 GMT

Outside interface ip is xx.xxx.xxx.53

spare public ip is xx.xxx.xxx.51

xx.xxx.xxx.51 is the public address used for the ftp server in the dmz

Thanks,

Raymond

Re: DMZ Config

JORGE RODRIGUEZ — Sun, 09 Dec 2007 23:33:25 GMT

ok , then your above static is correct but add additional three lines to "incoming" acl

static (dmz,outside) 66.xxx.xxx.51 172.16.1.10 netmask 255.255.255.255

access-list incoming permit tcp any host xx.xxx.xxx.51 eq 20

access-list incoming permit tcp any host xx.xxx.xxx.51 eq 21

access-list incoming permit tcp any host xx.xxx.xxx.51 eq 22

access-group incoming in interface outside

also make sure the ftp server in dmz is

indeed listening on those ports,by testing

from an outside source with a telnet test as bellow example.

e.g

c:\telnet 66.xxx.xxx.51 20 ... and do the same for 21 and 22 if get black screen on each of telnet test means you are hitting the server in dmz on each of those ports.. then test ftps.