FTP ACL on inside and Outside Interface of ASA

mahesh18
Level 6

Hi Everyone,

On one of our client's network setups we have an ACL that permits FTP to a certain IP address on the inside interface.

Then they have the outside interface of the ASA, which also has an ACL that permits a certain IP to allow FTP in the outgoing direction.

I need to understand whether this design of configuring FTP is more secure.

On my home ASA with a base license I configured the ACL to allow FTP to a certain IP only on the inside interface, as traffic enters the ASA.

I was trying to lab the client's ASA setup on my home lab.

On the outside interface of my ASA I have the ACL direction: access-list outside_in

Is there a way I can configure an ACL to allow FTP on the outside interface also, to allow the same IP as on the inside interface?

As I read, on a single interface you can have an ACL on the ASA in only one direction.

Hope it makes sense.

Regards

Mahesh

10 Replies

Julio Carvajal
VIP Alumni

Hello

You should be able to apply one ACL per direction per interface.

Now, if you apply it on the outside interface you should be fine, as the ACL check would be the same on both interfaces.

Do you follow me?



Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Can you explain to me in detail how I can apply it on the outside interface, and in which direction?

Thanks

Mahesh

Hello Mahesh,

I am not sure I get the question...

But if you have an inside FTP server which you will protect from the outside users and you want to restrict access to it,

you could use the ACL on the outside interface of the ASA.

Let's say you are running 8.4.

The server IP address is 192.168.10.2.

You will use the interface IP address to NAT the server,

and you will only allow access from 4.2.2.2 to that server on the FTP service,

so the config would be something like this:

object network FTP_Server
 host 192.168.10.2
object service FTP
 service tcp source eq 21
nat (inside,outside) source static FTP_Server interface service FTP FTP

Now the ACL, to make it restrictive (on 8.3+ the ACL references the real, untranslated server address):

access-list out_in permit tcp host 4.2.2.2 host 192.168.10.2 eq 21
access-group out_in in interface outside

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Here I was referring to an external FTP server on the internet.

The client's FW config has an ACL on the inside interface of the FW that allows FTP to a certain IP only.

Then they have an ACL on the outside interface of the FW; the direction is traffic going out from the outside interface of the FW.

I was asking whether this setup is more secure for configuring an ACL to allow FTP.

Thanks

Mahesh

Hello Mahesh,

If that's the case, then I would say:

If you have more than the 2 interfaces (inside, outside) then you could apply an ACL on the outside interface via OUT, but this is far from common.

What we usually see is just an ACL on each interface in the inbound direction, so you can filter the traffic as it enters the device, before it takes resources from the ASA.

So my recommendation:

Just use one ACL for each traffic pattern, and try to use it in a way that the traffic is limited as it enters; in our case that would be the one on the inside interface in the in direction (you already have it, no need to use another one for the same traffic).

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

If in the network we have many inside interfaces and there is a lot of LAN segmentation, then I think it's OK to have an ACL for FTP on both inside and outside interfaces.

Thanks

Mahesh

Hello Mahesh,

When you say many inside interfaces... you mean a lot of interfaces with a higher security level, right?

Well, even if that is the case you will be placing ACLs on two sides of the network..

My recommendation would be to place them as close to the source as possible, and be as granular and restrictive as you can, because you will be securing your perimeter.

I don't think it is a good move to place the same ACL on 2 different sides; it just doesn't sound right.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
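The single-ACL design Julio recommends in the two posts above (filter the FTP flow where it enters the ASA, no second check on the outside interface), written out as an added ASA configuration example that is not from this thread. The object names, the inside subnet 192.168.10.0/24 and the external server address 203.0.113.10 are constructed placeholders.

```cisco
! Added example (not from the thread): outbound FTP restricted to one
! external server, enforced once, inbound on the inside interface.
! Names and addresses below are constructed placeholders.
object network INSIDE_FTP_CLIENTS
 subnet 192.168.10.0 255.255.255.0
object network EXT_FTP_SERVER
 host 203.0.113.10
!
! One inbound ACL on the inside interface: the flow is permitted or dropped
! as it enters the ASA, before NAT, inspection and routing spend resources.
access-list inside_in extended permit tcp object INSIDE_FTP_CLIENTS object EXT_FTP_SERVER eq 21
access-list inside_in extended deny tcp any any eq 21 log
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! Deliberately no "out" ACL on the outside interface for the same pattern:
! it would re-check flows inside_in already permitted, adding a second
! rule set to keep in sync without reducing exposure.
!
! FTP inspection (enabled in the default global policy) opens the dynamic
! data channel for active and passive FTP, so no broad permit is needed.
policy-map global_policy
 class inspection_default
  inspect ftp
```

The explicit deny with log keeps a record of hosts attempting FTP to anything other than the approved server, which is the detection side of the single-choke-point design.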

Hi Julio,

When I say many inside interfaces, yes, it means a lot of interfaces with a higher security level.

Regards

Mahesh

Hello Mahesh,

Okay, yeah, I don't see any reason for having a double check regarding the same traffic patterns.

Any other question I can answer for you regarding this?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

No more questions on this.

Thanks

Mahesh
