
Allowing access for a site with dynamic IP

We have an ASA 5555 that has an FTP server behind the DMZ interface. Our security policy restricts access to this FTP server to only authorized users/sites. We have a user who needs access to this FTP server and their ISP will not assign them a static IP address, so their external IP keeps changing. Right now every month we have to edit the access list to reflect the new source IP address for the user. Is there a better way to handle allowing this access, or is static IP addressing for them the only real solution?


Jouni Forss
VIP Alumni

Hi,

I would have to say that having a static public IP address would be the easiest way.

I guess the user could ask the ISP if they would be able to assign him/her a static DHCP public IP address based on the MAC address of the user's Internet router/modem.

You could also consider allowing VPN Client access to your ASA for this user and in that way confirm that the user can both get access to the FTP server and that the user is actually the trusted user, since he has to authenticate while forming the VPN client connection. And you can naturally build the VPN configuration in a way that it only tunnels traffic to the FTP server (Split Tunnel) and lets all the other traffic of the user flow freely. Or naturally Full Tunnel with restricted access only to the FTP server is also an option.

- Jouni

turbo_engine26
Level 4

I think Static PAT using the ASA outside interface's public IP address is a good option if there is no dedicated static IP address to give.

object network FTP_Host
 host 192.168.1.10
 nat (dmz,outside) static interface service tcp 21 21

Regards,

AM

I think the NAT portion has already been handled, but the problem is rather that the client side has a changing DHCP IP address and therefore the ACL rule has to be changed at the server side whenever the DHCP IP of the client changes.

Additionally, the OP could consider perhaps configuring an L2L VPN between the sites. You can configure the ASA to accept L2L VPN connections even though the remote end has an IP address that changes. This would enable you to always know where the connections from this particular client are coming from, as you could define the source address inside the VPN.

- Jouni

Looks like I understood the scenario oppositely.

In this case, why not do a dynamic PAT for these users on their firewall or router so they can appear to the FTP server as one source public IP, then further restrict the access at the FTP site level? There are usernames and passwords configured in the FTP server for authorized users. Therefore, even if unauthorized users initiate connections to the FTP server (because of the dynamic PAT), they will not gain access.

VPN is a good solution for this but requires more special configurations to build a tunnel that may not be required by their organization.

Regards,

AM

Hi,

I guess the policy is to not even allow the users to get to the username/password prompt if they aren't coming from the correct source address.

In this case no NAT on the user/client side will really solve this as long as the public IP address keeps changing because the ISP has assigned the user only a DHCP IP address.

I think there is yet one more option that came to my mind. I am not sure how convenient it is, but the client/user could use DynDNS and you could set your ASA to resolve the public IP address of the remote client/user and create the ACL rule on the basis of the FQDN. It should fit your need since the customer IP doesn't change that often.

Creating ACL rules on the basis of FQDN in normal cases for popular sites doesn't work that well, since there are multiple public IP addresses and the ASA doesn't keep up that well with its FQDN to IP updates.

- Jouni
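
The FQDN-based rule described in the reply above could look like the following on an ASA release that supports FQDN network objects. This is an added example, not configuration posted by anyone in the thread; the DNS server address, the DynDNS host name, the ACL name OUTSIDE_IN and the interface name outside are assumptions, and FTP_Host is the object from the earlier reply.

```cisco
! Added example. Values marked "assumed" are placeholders, not from the thread.
!
! Let the ASA send DNS queries out of the outside interface (interface name assumed).
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
! assumed resolver address (documentation range)
!
! Re-resolve the name often and age out old answers quickly, so an address
! the user's ISP has already handed to someone else does not stay permitted.
dns poll-timer minutes 5
dns expire-entry-timer minutes 1
!
! The remote user's DynDNS name (assumed), resolved by the ASA to an IPv4 address.
object network REMOTE_USER_DDNS
 fqdn v4 remote-user.example-ddns.net
!
! FTP server object as posted earlier in the thread.
object network FTP_Host
 host 192.168.1.10
!
! Permit FTP control traffic only from whatever address the name currently resolves to.
! With object NAT the ACL references the server's real (DMZ) address.
access-list OUTSIDE_IN extended permit tcp object REMOTE_USER_DDNS object FTP_Host eq ftp
!
! Only needed if the ACL (name assumed) is not already applied to the interface.
access-group OUTSIDE_IN in interface outside
```

`show dns` lists the addresses the ASA currently holds for the FQDN object. The rule trusts whatever the DynDNS record points to, so the account that updates that record becomes part of the access control and the FTP login remains the second check.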
