01-12-2013 10:35 PM - edited 03-11-2019 05:46 PM
Hi Team,
I want to know your thoughts on providing FTP access through the firewall for different users in the company.
We have various departments, and a couple of users are requesting FTP access to different external vendors. We keep opening firewall rules for them, but sometimes they do not come back to us when their access purpose is done. It would also be difficult for us to maintain firewall policies because people are moving across locations and asking to change their IP addresses; this keeps increasing the incidents needed to maintain their requirements.
I would like to know your thoughts on the way we should provide FTP access to different users in the company.
This may be an interesting discussion topic, because I am sure every firewall admin has come across a situation like mine.
Thanks in advance.
01-12-2013 11:20 PM
Hi Jigar
You might want to use:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/aaa_idfw.html
Then your rules will not be IP based but Active Directory username based, for example:
access-list outside extended permit ip user CISCO\user1 any 10.0.0.0 255.255.255.0
--- Michal
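As an added example (not Michal's configuration; the server addresses, the domain EXAMPLE, the group FTP-Vendor-Access and the vendor address 203.0.113.25 are assumed placeholders), an ASA identity-firewall configuration that extends the one-line ACL above: user-to-IP mappings come from the AD Agent, group membership from LDAP, so the FTP rule follows the user rather than the workstation address and no longer needs changing when someone moves location.

```cisco
! Constructed example, not the original poster's configuration.
! LDAP server: used to resolve users and AD group membership
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.1.10
 ldap-base-dn DC=example,DC=local
 ldap-group-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-login-dn CN=asa-svc,CN=Users,DC=example,DC=local
 ldap-login-password <placeholder-password>
 server-type microsoft
!
! AD Agent (RADIUS): pushes user-to-IP mappings learned from the DC logs
aaa-server AD-AGENT protocol radius
 ad-agent-mode
aaa-server AD-AGENT (inside) host 10.0.1.11
 key <placeholder-shared-secret>
 user-identity
!
! Bind the domain to the LDAP server and enable the identity firewall;
! if the NetBIOS probe of a mapped host fails, drop its user-IP mapping
user-identity domain EXAMPLE aaa-server AD-LDAP
user-identity default-domain EXAMPLE
user-identity ad-agent aaa-server AD-AGENT
user-identity action netbios-response-fail remove-user-ip
user-identity enable
!
! Who may use FTP: one named user plus an AD group the desktop team
! can populate without touching the firewall
object-group user FTP-VENDOR-USERS
 user EXAMPLE\user1
 user-group EXAMPLE\\FTP-Vendor-Access
!
! Where they may go: the vendor FTP servers (placeholder address)
object-group network VENDOR-FTP-SERVERS
 network-object host 203.0.113.25
!
! Allow FTP control channel from those users to those servers only;
! the default global policy's "inspect ftp" opens the data channel
! dynamically, so no extra rule is needed for passive/active data ports
access-list INSIDE-IN extended permit tcp object-group-user FTP-VENDOR-USERS any object-group VENDOR-FTP-SERVERS eq ftp
access-list INSIDE-IN extended deny tcp any any eq ftp log
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside
```

The logged deny line records any FTP attempt from a user outside the group, which gives the firewall team a list of who still needs access instead of waiting for users to report back; `show user-identity user active` shows the mappings the ASA currently holds.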
01-13-2013 03:32 AM
Hello Jigar,
In addition to Michal's suggestion, you can also configure RA VPN: have one tunnel group for each company and apply the base policies on the group-policy (you can include split-tunnel, traffic filtering and heaps of other attributes for the whole group), and if you need more specific rules for some users within the company/tunnel-group, you can always attach user attributes on a per-user basis (which will override the group-policy attributes).
Please rate helpful posts
Shamal
01-13-2013 03:44 AM
Your problem doesn't look like a technical one. It's more a problem of practices in your organization.
Michal's suggestion with the identity firewall is a very good choice if you still want to keep complete control over the traffic that is allowed through your firewall. But your post sounds a little bit like you would like to delegate the work.
For that, an FTP proxy in the DMZ could be a solution. This proxy is allowed to access the internet with FTP on your firewall, and you can delegate the administration of that proxy to the desktop crew, who are probably the admins that know best who needs FTP access and who doesn't.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-13-2013 08:51 AM
Thanks guys, but I would love to hear what techniques you people are using for providing FTP access in your organizations. An overview of the way different firewall admins have set it up in their companies would be good. If anyone is interested in sharing that here, it is much appreciated.
Sent from Cisco Technical Support iPad App