FTP Access in Company

Jigar Dave
Level 3

Hi Team,

I want to know your thoughts on providing FTP access through the firewall for different users in the company.

We have various departments, and a couple of users are requesting FTP access to different external vendors. We keep opening firewall rules for them, but sometimes they do not come back to us when the purpose of their access is done. It is also difficult for us to maintain firewall policies because people are moving across locations and asking us to change their IP addresses; this keeps increasing the number of incidents needed to maintain their requirements.

I would like to know your thoughts on the way we should provide FTP access to different users in the company.

This may be an interesting discussion topic, because I am sure every firewall admin has come across a situation like mine.

Thanks in advance.


4 Replies

Michal Garcarz
Cisco Employee

Hi Jigar

You might want to use:

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/aaa_idfw.html

Then your rules will not be IP-based but Active Directory username-based, for example:

access-list outside extended permit ip user CISCO\user1 any 10.0.0.0 255.255.255.0


---
Michal
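The identity firewall needs more than the single ACL line above before the `user` keyword does anything: the ASA has to reach AD over LDAP to resolve users and groups, and it has to receive IP-to-user mappings from a Cisco AD Agent. The fragment below is an added example of that setup, not Michal's configuration; the domain name CISCO, the server addresses 10.1.1.10 and 10.1.1.11, the vendor FTP server 203.0.113.10, the AD group FTP-VendorA and the user jdave are all assumed for illustration.

```cisco
! Added example, not from the original post. Assumed values: AD domain CISCO,
! domain controller 10.1.1.10, AD Agent 10.1.1.11, vendor FTP server
! 203.0.113.10, AD security group CISCO\FTP-VendorA, user CISCO\jdave.
!
! 1. LDAP server group: the ASA queries AD here for users and group membership
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.1.1.10
 ldap-base-dn DC=cisco,DC=local
 ldap-scope subtree
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=cisco,DC=local
 ldap-login-password <password>
 server-type microsoft
!
! 2. RADIUS server group in AD Agent mode: the agent watches domain logon
!    events and tells the ASA which IP address currently belongs to which user
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 10.1.1.11
 key <shared-secret>
!
! 3. Tie the domain to the LDAP group, point at the agent, and switch on
user-identity domain CISCO aaa-server AD
user-identity default-domain CISCO
user-identity ad-agent aaa-server ADAGENT
user-identity enable
!
! 4. The ACL follows the person, not the desk: an AD group for the vendor,
!    a single user as an exception, and an explicit deny for everyone else
!    (user-group takes a double backslash, user takes a single one)
access-list inside_in extended permit tcp user-group CISCO\\FTP-VendorA any host 203.0.113.10 eq ftp
access-list inside_in extended permit tcp user CISCO\jdave any host 203.0.113.10 eq ftp
access-list inside_in extended deny tcp any any eq ftp log
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
```

Two things to check before relying on it. First, a host the agent has never seen log on (a server, a machine outside the domain) has no user mapping and falls into the `deny ... eq ftp log` line, which is what you want but will generate tickets. `show user-identity user active` on the ASA lists the mappings it currently holds. Second, the FTP data channel is only opened because `inspect ftp` is in the default global policy; if someone has removed it, the control connection will be permitted and transfers will hang. Removing a vendor's access becomes an AD group change rather than a firewall change, which is the part of the original problem this design actually solves.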


shamax_1983
Level 3

Hello Jigar,

In addition to Michal's suggestion, you can also configure RA VPN: have one tunnel group for each company and apply the base policies on the group-policy (you can include split-tunnel, traffic filtering and heaps of other attributes for the whole group), and if you need more specific rules for some users within the company/tunnel-group, you can always attach user attributes on a per-user basis (which will override the group-policy attributes).

Please rate helpful posts

Shamal
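What the per-company tunnel group with a group-policy filter and a per-user override looks like on an ASA, as an added example rather than Shamal's own configuration. It reads the suggestion as vendor staff connecting in with AnyConnect to reach an FTP server in the DMZ; the pool 192.168.200.0/24, the DMZ servers 192.168.50.10 and 192.168.50.11, the tunnel group VENDOR-A and the user jdave are assumed.

```cisco
! Added example, not from the original post. Assumed values: VPN pool
! 192.168.200.0/24, DMZ FTP servers 192.168.50.10 and 192.168.50.11,
! one tunnel group per vendor company (VENDOR-A), vendor user jdave.
!
ip local pool VENDORA-POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0
!
! Group-wide filter. vpn-filter ACLs are evaluated with the VPN client's
! address as the source, so the pool is the source and the DMZ host the
! destination. Everything not listed is dropped for the whole company.
access-list VENDORA-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.50.10 eq ftp
access-list VENDORA-FILTER extended deny ip any any
!
! Split tunnel: only traffic for the DMZ server enters the tunnel, the
! vendor's normal Internet traffic stays on their own network
access-list VENDORA-SPLIT standard permit host 192.168.50.10
!
group-policy GP-VENDORA internal
group-policy GP-VENDORA attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VENDORA-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VENDORA-SPLIT
 vpn-idle-timeout 30
 vpn-simultaneous-logins 1
!
tunnel-group VENDOR-A type remote-access
tunnel-group VENDOR-A general-attributes
 address-pool VENDORA-POOL
 default-group-policy GP-VENDORA
tunnel-group VENDOR-A webvpn-attributes
 group-alias VendorA enable
!
! Per-user override: this one user also needs the second FTP server.
! User attributes replace the group-policy attribute of the same name,
! so the user filter has to repeat the group's permit line, not just add to it.
access-list JDAVE-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.50.10 eq ftp
access-list JDAVE-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.50.11 eq ftp
access-list JDAVE-FILTER extended deny ip any any
username jdave password <password>
username jdave attributes
 vpn-group-policy GP-VENDORA
 vpn-filter value JDAVE-FILTER
```

The override semantics are the point to test: because `vpn-filter` under `username ... attributes` replaces rather than extends the group-policy value, a per-user ACL that only lists the extra host silently removes the group's original permit. Local usernames are shown for brevity; in practice the tunnel group would authenticate against AD or RADIUS so that disabling the vendor's account is what revokes access, which again moves the "they never came back to us" problem out of the firewall rulebase.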

Your problem doesn't look like a technical one. It's more a problem of practices in your organization.

Michal's suggestion of the identity firewall is a very good choice if you still want to keep complete control over the traffic that is allowed through your firewall. But your post sounds a little bit like you would like to delegate the work.

For that, an FTP proxy in the DMZ could be a solution. This proxy is allowed to access the Internet with FTP on your firewall, and you can delegate the administration of that proxy to the desktop crew, who are probably the admins that know best who needs FTP access and who doesn't.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
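The firewall side of the proxy design is small, and that is its attraction: two ACLs that never change again, with the per-user decisions living on the proxy. The fragment below is an added example of those rules, not Karsten's configuration; the proxy address 192.168.50.10, its listening port 21 and the interface names inside, dmz and outside are assumed.

```cisco
! Added example, not from the original post. Assumed values: FTP proxy at
! 192.168.50.10 on the dmz interface listening on port 21; interfaces
! named inside, dmz and outside.
!
object network FTP-PROXY
 host 192.168.50.10
!
! Inside users may only talk FTP to the proxy. The deny is logged so the
! firewall team sees clients that bypass the proxy, without opening a ticket
! for each one; the final permit stands in for whatever the existing inside
! policy already allows.
access-list INSIDE-IN extended permit tcp any object FTP-PROXY eq 21
access-list INSIDE-IN extended deny tcp any any eq ftp log
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
!
! The proxy is the only DMZ host allowed to speak FTP to the Internet.
! Nothing else from the DMZ initiates connections anywhere.
access-list DMZ-IN extended permit tcp object FTP-PROXY any eq ftp
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
!
! FTP data connections are opened by the default inspection; keep it
policy-map global_policy
 class inspection_default
  inspect ftp
```

The rulebase now names one host instead of a moving list of user IPs, and a vendor that is no longer needed is removed on the proxy rather than on the firewall. The trade-off is that the proxy's own access list becomes the security boundary, so its admins need the same review and logging discipline the firewall team was applying before, and the firewall only sees "the proxy went to 203.0.113.10", not who asked it to.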

Thanks guys, but I would love to hear what techniques you are using for providing FTP access in your organizations. An overview of the way different firewall admins have set this up in their companies would be good. If anyone is interested in sharing that here, it is much appreciated.
