
Allowing FTP from ASA

mahesh18
Level 6

Hi Everyone,

Need to allow FTP to a particular website on the Internet.

The ASA already has an object-group network to allow FTP out towards the Internet sites.

So I can simply add the network-object host 200.x.x.x?

This I can add to the outside interface of the ASA under outgoing rules, right?

Do I also need to put any rule on the outside interface in the incoming direction?

thanks

mahesh


5 Replies

Jouni Forss
VIP Alumni

Hi,

Allowing FTP traffic from INSIDE to OUTSIDE depends completely on your current setup. We would need more information about this.

Is this another lab setup or a production environment?

In general I would have to say that you almost always configure ACLs only in the direction "in". An ACL on the "inside" interface which is attached to the direction "in" controls the outbound traffic from the "inside" to the "outside". So you usually use this ACL when you want to allow traffic from the LAN to the Internet.

An ACL on the "outside" interface which is attached in the direction "in" controls the inbound traffic from the "outside" to the "inside". This ACL is usually used to open connections from the Internet to your servers which have been configured with Static NAT or Static PAT.

In a situation where you have a very basic ASA with only "security-level" configured, with "outside" being "0" and "inside" being "100", then you don't need to configure any ACL, as the connections from "inside" to "outside" are allowed by default because of the "security-level" value. Naturally, as soon as you attach an ACL to the "inside" interface you will need to allow the traffic you need, as the "security-level" loses its meaning.

In the case where you have an existing ACL and want to make sure that one host's FTP connections to the public network are allowed, then you can insert the new rule at the top of the existing ACL.

For example, if you have an ACL named INSIDE-IN attached to the "inside" interface with the command "access-group INSIDE-IN in interface inside", then you could add the following (replace <host-ip> with the local host and <ftp-server-ip> with the destination server):

access-list INSIDE-IN line 1 remark Allow FTP for a host
access-list INSIDE-IN line 2 permit tcp host <host-ip> host <ftp-server-ip> eq ftp

That's about it.

But as I said, we would need more information about the current setup to give any kind of specific answer.

I would advise against configuring ACLs in the direction "out" on an ASA (with the access-group command). It just creates complicated setups to manage. Also, you don't need to allow the traffic in both directions, as you only have to allow the connection from the host to the Internet. You don't have to allow the connection from the remote host to the local host. The "inspect ftp" will automatically allow the data connections of the FTP if they are opened from the FTP server's direction.

Hope I made any sense

- Jouni

Hi jouni,

It's for a production network and I have to use the existing setup here.

You explained the concept very well.

If on the ASA outside interface I used source as any, and the ASA has, say, 10 other interfaces.

And if a user is behind any of those interfaces, then he can talk to the FTP server which is outside, right?

Regards

Mahesh

Hi,

It depends.

If you have no ACLs on the interfaces behind which the host attempting the FTP connection to the Internet resides, THEN the "security-level" value dictates if the connection is allowed. Though usually any interface other than the "outside" is higher than "security-level 0", so usually the connection would be allowed.

What you should do next is determine behind which interface the host attempting the FTP connection is. This can naturally be done with the command

show route

Then you should confirm if this interface has an ACL attached:

show run access-group

If the listing shows an ACL attached to that interface, then you should determine if you need an ACL rule to allow the traffic. For this you naturally use the "packet-tracer" command:

packet-tracer input <interface> tcp <source-ip> 12345 <destination-ip> 21

In the above you naturally replace the <interface> with the actual name of the ASA interface behind which the host is located. The <source-ip> will naturally be replaced with the IP address of the host. And finally the <destination-ip> will be replaced with the destination FTP server's IP address. That is, if you are trying to allow FTP to only a certain destination IP address.

The source port I used is just an example and is not important in this case. The destination port is 21, which is the FTP port.

Hope this helps

- Jouni

And to further clarify how the interface ACLs should be configured, in my opinion:

Let's use an ASA5505 as an example and let's say it has the following interfaces:

interface Vlan1
 description LAN
 nameif LAN
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Vlan2
 description DMZ
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface Vlan10
 description WAN
 nameif WAN
 security-level 0
 ip address 1.1.1.1 255.255.255.0

Let's say you wanted to allow ALL traffic from behind the LAN and DMZ interfaces; then you could configure the following simple ACLs:

access-list LAN-IN remark Allow all traffic from the LAN
access-list LAN-IN permit ip 10.10.10.0 255.255.255.0 any
access-group LAN-IN in interface LAN

access-list DMZ-IN remark Allow all traffic from the DMZ
access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
access-group DMZ-IN in interface DMZ

Notice that we attach both the interface ACLs in the direction "in" in the "access-group" command. This will mean that the ACL controls traffic coming from behind that interface. After we have allowed the traffic we wanted in the ACL, we don't need to allow it in any other ACL.

Now let's take an example of allowing traffic from the Internet.

You for example configure a Static NAT (software level 8.2 and below format) for a DMZ server

You first configure Static NAT

static (DMZ,WAN) 1.1.1.2 192.168.10.2 netmask 255.255.255.255

Since we don't have any ACL attached to the "WAN" interface yet, we need to create a new ACL and attach it in the direction "in" in the "access-group" command, since we want to control traffic entering through the "WAN" interface:

access-list WAN-IN remark Allow HTTP traffic to DMZ server
access-list WAN-IN permit tcp any host 1.1.1.2 eq www
access-group WAN-IN in interface WAN

So as you can see, we always control the traffic entering the interface. In other words, we are controlling traffic entering some ASA interface while it's heading out to some network behind another interface.

Hope I made sense

- Jouni
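The decision Jouni describes in the two replies above (no ACL on the ingress interface: the security-level comparison decides; ACL attached with "access-group ... in": only that ACL decides, with an implicit deny at the end) can be modelled in a few lines. The following Python is an added example for this thread, not Cisco code and not a packet-tracer implementation; it parses the ASA5505-style config from the reply above (with a hypothetical host 10.10.10.5 and FTP server 203.0.113.10 substituted into the FTP rule) and answers "is this new connection allowed at the ACL step" the way packet-tracer would at that step. NAT, stateful inspection and "same-security-traffic" are deliberately not modelled.

```python
"""Toy model of a Cisco ASA interface-ACL / security-level decision.
Added illustration for this thread; not Cisco code. Only direction "in"
is modelled, since that is the only direction the thread recommends."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "www": 80, "https": 443}

@dataclass
class Interface:
    name: str
    security_level: int
    network: ipaddress.IPv4Network  # connected subnet; stands in for "show route"

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None = any destination port

@dataclass
class Asa:
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    acls: Dict[str, List[Rule]] = field(default_factory=dict)
    access_group: Dict[str, str] = field(default_factory=dict)  # ingress iface -> ACL name

def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at token index i."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def load_config(asa: Asa, config: str) -> Asa:
    """Read the subset of ASA syntax used in the thread: interface blocks,
    access-list entries (optionally with 'line N') and access-group."""
    pending: Dict[str, object] = {}
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "interface":
            pending = {}
        elif t[0] == "nameif":
            pending["name"] = t[1]
        elif t[0] == "security-level":
            pending["level"] = int(t[1])
        elif t[0] == "ip" and t[1] in ("address", "add"):
            net = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
            asa.interfaces[str(pending["name"])] = Interface(str(pending["name"]), int(pending["level"]), net)
        elif t[0] == "access-list":
            name, i, pos = t[1], 2, None
            if t[i] == "line":                      # "line N" inserts at that position
                pos, i = int(t[i + 1]), i + 2
            if t[i] == "remark":                    # remarks carry no rule
                continue
            action, proto, i = t[i], t[i + 1], i + 2
            src, i = _addr(t, i)
            dst, i = _addr(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            rules = asa.acls.setdefault(name, [])
            rules.insert(len(rules) if pos is None else pos - 1, Rule(action, proto, src, dst, dport))
        elif t[0] == "access-group":                # access-group NAME in interface IFACE
            if t[2] != "in":
                raise ValueError("only direction 'in' is modelled")
            asa.access_group[t[4]] = t[1]
    return asa

def egress_interface(asa: Asa, ip: str) -> Interface:
    """Stand-in for 'show route': connected subnet wins, else the default route
    is assumed to point out of the lowest-security (Internet-facing) interface."""
    addr = ipaddress.ip_address(ip)
    for iface in asa.interfaces.values():
        if addr in iface.network:
            return iface
    return min(asa.interfaces.values(), key=lambda i: i.security_level)

def packet_tracer(asa: Asa, ingress: str, proto: str, src: str, dst: str, dport: int) -> Tuple[bool, str]:
    """Verdict at the ACL step for a new connection entering 'ingress'."""
    in_if, out_if = asa.interfaces[ingress], egress_interface(asa, dst)
    acl = asa.access_group.get(ingress)
    if acl is None:                                 # no ACL: security-level decides
        ok = in_if.security_level > out_if.security_level
        return ok, f"no ACL on {ingress}: security-level {in_if.security_level} -> {out_if.security_level}"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(asa.acls.get(acl, []), 1):
        if r.proto in ("ip", proto) and s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action == "permit", f"{acl} entry {n}: {r.action}"
    return False, f"{acl}: implicit deny"        # ACL attached, nothing matched

# Constructed config: the ASA5505 example from the thread, with a hypothetical
# LAN host 10.10.10.5 allowed FTP to a hypothetical server 203.0.113.10.
EXAMPLE_CONFIG = """
interface Vlan1
 nameif LAN
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Vlan2
 nameif DMZ
 security-level 50
 ip address 192.168.10.1 255.255.255.0
interface Vlan10
 nameif WAN
 security-level 0
 ip address 1.1.1.1 255.255.255.0
access-list LAN-IN remark Allow FTP for a host
access-list LAN-IN permit tcp host 10.10.10.5 host 203.0.113.10 eq ftp
access-group LAN-IN in interface LAN
access-list WAN-IN remark Allow HTTP traffic to DMZ server
access-list WAN-IN permit tcp any host 1.1.1.2 eq www
access-group WAN-IN in interface WAN
"""

def build_example_asa() -> Asa:
    return load_config(Asa(), EXAMPLE_CONFIG)

if __name__ == "__main__":
    asa = build_example_asa()
    for flow in [("LAN", "tcp", "10.10.10.5", "203.0.113.10", 21),
                 ("LAN", "tcp", "10.10.10.6", "203.0.113.10", 21),
                 ("DMZ", "tcp", "192.168.10.2", "203.0.113.10", 21),
                 ("DMZ", "tcp", "192.168.10.2", "10.10.10.5", 22),
                 ("WAN", "tcp", "198.51.100.7", "1.1.1.2", 80),
                 ("WAN", "tcp", "198.51.100.7", "1.1.1.2", 21)]:
        print(flow, packet_tracer(asa, *flow))
```

The second LAN flow is the case the thread warns about: once LAN-IN is attached, a host not covered by it is dropped by the implicit deny even though security-level 100 would have allowed it with no ACL; the DMZ flows show the opposite, where no ACL is attached and only the security-level comparison applies.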

Hi jouni,

You explained it very well, but here I have to work according to the current setup.

I will test this in my home lab by configuring an ACL in the inward direction on the outside interface of the ASA.

Regards

Mahesh
