06-17-2022 09:07 AM
There is a server in our environment that's running FileZilla, and the way we have the rule set up using FMC is:
Set up:
Objects:
- Public IP, Private IP.
- Ports that were asked to be opened.
NAT Rule: for the public IP to the private IP.
Initial Access Control Policy:
- Zone: SC: Internet, Destination: LAN
Network:
- SC: Any, Destination: Private IP
VLAN Tags, Users, Applications: set to any.
Ports: SC: Any, Dest: the port objects I created.
URLs and SGT/ISE: any.
Issue:
When someone tries to connect to the server they can get to the port, but the TLS connection can't be authenticated, so it closes the connection. Not sure what's going on.
Attempts to resolve:
I tried allowing any port to go through, so anyone on the internet can get through.
The device firewall has inbound and outbound ports allowed.
In the Initial Access Control Policy, I changed it from
SC: Any, Destination: Private IP to SC: Any, Destination: Public IP.
Temp solution:
What seems to work at the moment is that when I change the rule action from Allow to Trust, it lets the connection through and TLS authentication succeeds; files can be transferred, etc. Now, if I understand correctly, Trust doesn't monitor and basically allows anything to go through. Not sure if I want that.
Does anyone know why it's having this issue? The ASA isn't super configured, so it can be assumed that it's a brand-new ASA with very little configuration.
06-19-2022 02:37 PM
What are you using to transfer files? (FTP, SCP, SFTP, etc.)
So, Trust means just that: you bypass the SNORT process, so the rule only acts as a regular ASA access-list rule. However, if you do have something in the rule that requires SNORT to process it and make a verdict on it, then the packet will be sent to SNORT even though you have it configured as Trust. An example of this would be if you are using Application instead of, or as well as, Port; then the packet will be sent to SNORT for processing the Application. If you also have IPS configured for that rule, then IPS will also be processed. The only way to truly circumvent SNORT is either to not configure anything that would require SNORT to process the packet, or to configure the rule in pre-filter.
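A stage-by-stage check of an explicit-FTPS (AUTH TLS) session, added here as an example and not part of either post. It uses only Python's standard library (ftplib); the host, port, credentials and the verify flag are assumptions you set for your own server. Running it from outside once with the rule action on Allow and once on Trust shows which step (TCP connect, control-channel TLS, login, protected data channel) behaves differently.

```python
import ssl
from ftplib import FTP_TLS, Error as FtpError

def diagnose_ftps(host, port=21, user="anonymous", password="anon@",
                  verify=True, timeout=5.0):
    """Walk an explicit-FTPS session and report the last stage attempted.

    Returns {"ok": bool, "stage": str, "detail": str}.  "stage" is one of
    tcp_connect, auth_tls, login, prot_p, data_channel or complete, so a
    handshake that succeeds at auth_tls but fails at data_channel points at
    the PASV data connection rather than the control port.
    """
    ctx = ssl.create_default_context()
    if not verify:                  # assumption: self-signed server certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    stage = "tcp_connect"
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftps.connect(host, port)    # plain TCP connect and the 220 banner
        stage = "auth_tls"
        ftps.auth()                 # AUTH TLS, then the TLS handshake on the control channel
        stage = "login"
        ftps.login(user, password)  # credentials now travel inside TLS
        stage = "prot_p"
        ftps.prot_p()               # PROT P: the data channel must use TLS as well
        stage = "data_channel"
        ftps.nlst()                 # PASV plus a second TLS session for the listing
        ftps.quit()
        return {"ok": True, "stage": "complete", "detail": ""}
    except ssl.SSLError as e:       # handshake/certificate errors; subclass of OSError, so checked first
        return {"ok": False, "stage": stage, "detail": f"TLS: {e}"}
    except EOFError:                # the peer (or something in the path) closed the control connection
        return {"ok": False, "stage": stage, "detail": "control connection closed unexpectedly"}
    except FtpError as e:           # 4xx/5xx replies, e.g. AUTH TLS refused or login rejected
        return {"ok": False, "stage": stage, "detail": f"FTP reply: {e}"}
    except OSError as e:            # refused, unreachable or timed out
        return {"ok": False, "stage": stage, "detail": f"socket: {e}"}
    finally:
        ftps.close()

if __name__ == "__main__":
    import sys
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    print(diagnose_ftps(sys.argv[1], target_port, verify=False))
```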