
Deny ftp in interface inside

acira
Level 1

I want to control outbound ftp on the inside interface of my firewall.

So, I submitted the following command:

access-list 111 permit tcp host <host ip> any eq ftp
access-list 111 deny tcp any any eq ftp
access-group 111 in interface inside

However, I can still ftp from any workstation. My goal is to control bandwidth usage by allowing one or two workstations ftp access.

What commands am I missing?

1 Accepted Solution

Accepted Solutions

Yes that is the problem, order matters.

Change the access-list to that:

access-list 111 permit tcp host <host ip> any eq smtp
access-list 111 deny tcp any any eq smtp
access-list 111 permit tcp host <host ip> any eq https
access-list 111 permit tcp host <host ip> any eq ftp
access-list 111 deny tcp any any eq ftp
access-list 111 permit ip any any
access-group 111 in interface inside

The other thing: "access-list 111 permit tcp host <host ip> any eq https" does not really change anything, because there is no deny for that protocol after it; it will just log the hit counts but not deny https.

sincerely

Patrick

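To make the first-match rule behind this answer concrete, here is an added example that is not from the thread or from Cisco: a small Python simulator of PIX-style ACL evaluation (first matching entry wins, implicit deny at the end). The host address 10.1.1.5 stands in for the thread's <host ip>, and the destination addresses and packets are constructed samples. Andrew's ordering and the corrected ordering from this post are both run through it.

```python
"""First-match simulator for PIX-style access-lists (added example, not the
thread's or Cisco's code).  Host 10.1.1.5 stands in for '<host ip>'; all
addresses and packets below are constructed samples."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Well-known port names that appear in the thread's ACL lines.
PORT_NAMES = {"ftp": 21, "smtp": 25, "https": 443, "domain": 53}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port


def _take_addr(tokens: List[str]) -> Tuple[IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX ACLs take a normal subnet mask, not an IOS-style wildcard mask.
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list <id> permit|deny <proto> <src> <dst> [eq <port>]' line."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    rest = tokens[4:]
    src, rest = _take_addr(rest)
    dst, rest = _take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    """Parse every access-list line of one ACL, preserving configuration order."""
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def matches(ace: Ace, src: str, dst: str, proto: str, dport: int) -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == proto
    port_ok = ace.dport is None or ace.dport == dport
    return (proto_ok and port_ok
            and ip_address(src) in ace.src
            and ip_address(dst) in ace.dst)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str, dport: int):
    """First matching entry wins.  Returns (action, index); index is None when
    the packet fell through to the implicit 'deny ip any any' at the end."""
    for i, ace in enumerate(acl):
        if matches(ace, src, dst, proto, dport):
            return ace.action, i
    return "deny", None


# Andrew's ordering: 'permit ip any any' sits in the middle, so ftp from any
# host matches it before the deny for ftp is ever reached.
ANDREW_ACL = parse_acl("""
access-list 111 permit tcp host 10.1.1.5 any eq smtp
access-list 111 deny tcp any any eq smtp
access-list 111 permit ip any any
access-list 111 permit tcp host 10.1.1.5 any eq https
access-list 111 permit tcp host 10.1.1.5 any eq ftp
access-list 111 deny tcp any any eq ftp
""")

# Patrick's corrected ordering: the specific permits and denies come first,
# the catch-all permit last.
PATRICK_ACL = parse_acl("""
access-list 111 permit tcp host 10.1.1.5 any eq smtp
access-list 111 deny tcp any any eq smtp
access-list 111 permit tcp host 10.1.1.5 any eq https
access-list 111 permit tcp host 10.1.1.5 any eq ftp
access-list 111 deny tcp any any eq ftp
access-list 111 permit ip any any
""")

# The original two-line ACL with no trailing permit: everything else hits
# the implicit deny.
ORIGINAL_ACL = parse_acl("""
access-list 111 permit tcp host 10.1.1.5 any eq ftp
access-list 111 deny tcp any any eq ftp
""")

if __name__ == "__main__":
    dst = "203.0.113.9"  # constructed external server
    for name, acl in (("andrew", ANDREW_ACL), ("patrick", PATRICK_ACL), ("original", ORIGINAL_ACL)):
        for src, proto, port in (("10.1.1.5", "tcp", 21), ("10.1.1.77", "tcp", 21),
                                 ("10.1.1.77", "tcp", 443), ("10.1.1.77", "udp", 53)):
            print(f"{name:9} {src:10} {proto}/{port:<4} -> {evaluate(acl, src, dst, proto, port)}")
```

Running it shows the three points made in the thread: under Andrew's order ftp from the non-permitted 10.1.1.77 is permitted by entry 2 (the catch-all), under Patrick's order the same packet is denied by entry 4, the https line never denies anything because the catch-all permits https from every host anyway, and with the original two-line ACL a DNS packet falls through to the implicit deny.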

5 Replies

Patrick Iseli
Level 7

This part of the access-list is fine. It basically allows a few hosts to ftp.

Don't forget that at the end of the access-list follows a deny any any (not shown in the config), so all other traffic will be blocked on the inside interface.

What about hitcounts when you do a:

show access-list 111

Is Access-group activated ?

show access-group

sincerely

Patrick

I'm not sure if it's worth mentioning here, but none of this takes effect until you write it to memory on a PIX. You will stop ALL traffic except this one host being able to do FTP when you implement this access list on the inside interface. You need to include a permit ip any any at the end to get around the restrictions you have put in place for all other traffic.

The PIX allows all traffic outbound by default, but once you add an access-list you must allow all traffic that you want to pass.

Yes, that is worth mentioning. My access-list commands are as follows for inside interface:

access-list 111 permit tcp host <host ip> any eq smtp
access-list 111 deny tcp any any eq smtp
access-list 111 permit ip any any
access-list 111 permit tcp host <host ip> any eq https
access-list 111 permit tcp host <host ip> any eq ftp
access-list 111 deny tcp any any eq ftp
access-group 111 in interface inside

I did write to memory and clear xlate. I did include the command "access-list 111 permit ip any any", but does the order in which it is placed amongst the other ACL entries on the inside interface matter?

Thx, Andrew

These are access-list commands on the inside interface:

access-list 111 permit tcp host <host ip> any eq smtp
access-list 111 deny tcp any any eq smtp
access-list 111 permit ip any any
access-list 111 permit tcp host <host ip> any eq https
access-list 111 permit tcp host <host ip> any eq ftp
access-list 111 deny tcp any any eq ftp
access-group 111 in interface inside

Yes, I have the access-group activated. I did write to memory and clear xlate.

Thx, Andrew
