Re: Routing FTP on a 515E

PE-PatInBC · ‎04-05-2005

I guess I'm looking for the best practices for accessing an FTP server from the outside and the inside if it is on my DMZ.

I have a FTP server in my DMZ. The FTP server only has one interface configured on the 192.168.20.0 network with a translation rule out to a routable address given to me by my ISP. All users from the outside can access it with no problems. If a client from the inside of my network tries to access it using the outside routable IP address, it times out. My syslogs show that it was PERMITTED but my FTP client times out.

Should I be giving my clients on the inside access to the FTP server from the INSIDE interface to the DMZ or is it OK for them to have to go outside and come back in ? Did I explain this clearly enough ?

Any thoughts would be appreciated.

fedrodri · ‎04-05-2005

Hi,

Let me see if I understand this correctly. You have your FTP server on the dmz, which is accessed with no problems from the outside. You must have something like this:

static (dmz,outside) public-ip private-ip

Then, you have your inside LAN trying to access that server with its public ip (called public-ip in this example). Now, how are you translating that dmz server to the inside, for it to be accessed from the inside with its public IP? Do you have something like this configured (outside NAT)?:

static (dmz,inside) public-ip private-ip

If so, this is not all that you would need. You also need a translation rule from inside to dmz, something like this:

nat (inside) 1 0.0.0.0 0.0.0.0

global (dmz) 1 interface

!-- or,

static (inside,dmz) internal-LAN internal-LAN netmask internal-LAN-mask

Or anything similar to it. The thing is that to allow outbound traffic (from inside to dmz) using the dmz server's public IP, you have to translate that server to the inside and present it with its public IP (on the inside interface); then you need to have a translation method between the inside and the dmz.

I hope that I did not manage to confuse you. Anyway, let us know if this answers your questions, or if you have any questions regarding this issue.

Thanks,

Federico Rodriguez

Patrick Iseli · ‎04-05-2005

First at all it is not possible to access the FTP server from the inside network with its public IP.

Why? Because the PIX ASA security architecture does not permit to leave to the outside interface and then reconnect back via the same interface to the DMZ interface.

There is a way with destination NAT (old alias) to tweak that but even with that you need to disable NAT between the inside end the DMZ interface.

You accomplish that you can configure "nat" or a NONAT which is a one way trust or configure a static that disables NAT, which is a two way trust.

Note that without an access-list on the DMZ interface you cannot access to the inside interface even if you configure the two way trust with a static command.

Example 1 - 2 way trust:

static (inside,dmz) InsideNet InsideNet netmask InsideSubnetMask 0 0

# This allows the inside hosts to access the ftp sever with its dmz IP (Private IP). Without an access-list on the dmz interface, the DMZ hosts cannot access the inside host which is the good security practice.

Example 2 - one way trust with NONAT:

access-list NONAT permit ip Internalnet ISubnet DMZ-Network DMZ-Subnet

nat (inside) 0 access-list NONAT

# This allows the inside hosts to access the ftp sever with its dmz IP (Private IP). All hosts will appear on the FTP server with their local IP.

Example 3 - one way trust with PAT DMZ IP:

global (dmz) 3 interface

nat (inside) 3 InsideNet InsideSubnetMask

# This allows the inside hosts to access the ftp sever with its dmz IP (Private IP) all host will use a Port forwarding with the DMZ interface IP address.

I personaly use Example ONE in most of the time !

Destination NAT to translate from the public IP to the internal IP via DNS reply.

static (inside,outside) PublicFTP-IP DMZ-FTP-Server-IP dns

sincerely

Patrick