Solved

FTP Server on Win2k3 via DMZ in CISCO 515

Posted on 2003-11-26
15
724 Views
Last Modified: 2013-11-16
Hi all,

Would some one please give me an overview of what I would need to do to put a FTP server (Win2k3) on the DMZ port of my Cisco 515.
I have to use Win2k3 web server as the License is already purchased. I have built the server and its ready to go...
I just need to allow access for web users to download SW builds. I'm confused how I would manage the FTP server from inside the LAN.
Also what security measures should I take on the FTP server? I will keep it patched and remove any accounts that could gain access to the internal LAN. Is this enough? I'd guess not.
I only have a couple of weeks to nail this, so plenty of points up for grabs. I'm a bit new to some of this so the clearer the better. Thank you all.



0
Comment
Question by:TimWe
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
15 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 9825841
The PIX part is easy.

Assume your INside interface is 192.168.111.1
Assume your DMZ interface is 192.168.122.1
Assume your FTP server is 192.168.122.22 - set default gateway to be 192.168.122.1
A.B.C.D = public IP address dedicated to FTP server
# create static NAT map from public IP to private IP
static (dmz,outside) A.B.C.D 192.168.122.22 netmask 255.255.255.255
# create inbound access-list entries (assuming that you already have an inbound acl for other purposes, add this line:
access-list inbound_acl permit tcp any host A.B.C.D eq ftp

# to manage the server on the DMZ from the Inside, I suggest enabling Terminal Services on the server and only using that to manage it. No port entires or acls required, but you do want to NOT NAT between the inside and DMZ host:

access-list NO_NAT permit tcp 192.168.111.0 255.255.255.0 192.168.122.22 eq 3389

Now, from an inside PC, use Remote Desktop Connect to the Win2k3 server, using it's 'private' ip address 192.168.122.22

I will look for more links specific to 'locking down' a Win2k3 FTP server...

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9825938
0
 

Author Comment

by:TimWe
ID: 9830502
Thanks Irmoore for the very speedy response, If I get stuck is okay to post a follow up?
Other than that many thanks indeed.

T
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 

Author Comment

by:TimWe
ID: 9832103
Hello Again,

Do I just add these lines from the CLI?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9832130
Follow ups are always welcome.
yes, from the CLI..
0
 

Author Comment

by:TimWe
ID: 9832661
:¬) I thought I had it and to honest it seems fairly simple...here comes the But.

Using your analagy what do I assign A.B.C.D to? Is it to a physical NIC? Hmm Confused...

I have assigned 192.168.122.22 -on my FTP Server NIC  set default gateway to be 192.168.122.1 -(DMZ  NIC)

I have assigned 192.168.122.1 to my Spare Cisco NIC (renamed to DMZ)

I have assigned 192.168.111.1 to my Internal (Safe) Cisco NIC

Now I already have W.X.Y.Z as an external (Unsafe) interface on my Cisco this attaches to my ISP's Router.

I have no other NICs in my Cisco, Just the External, internal & Renamed DMZ.

Do you want some more points :¬)

Can't help thinking the penny is yet to drop...
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9838109
A.B.C.D would be a public IP address. Is the Interface (W.X.Y.Z) the only public IP that you have?
0
 

Author Comment

by:TimWe
ID: 9851195
No i have a few issued by my isp (6)...

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9852541
OK, then use one of those 6 addresses
0
 

Author Comment

by:TimWe
ID: 9856813
Got you there, I understood that part, but do I have to assign the public IP address (A.B.C.D) to a Nic?
Sorry if I'm being a bit dull here..but i cant see what the new A.B.C.D address is bound to.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9857369
Once you assign it a static nat, that is all you have to do.

static (dmz,outside) <public ip> <private ip> netmask 255.255.255.255

i.e.
static (dmz,outside) A.B.C.D 192.168.122.22 netmask 255.255.255.255

Now, the outside interface will forward all traffic destined for A.B.C.D to the dmz host 192.168.122.22
The server only has 192.168.122.22 bound to its interface.
0
 

Author Comment

by:TimWe
ID: 9867995
Dood, you are splendid...

Can I give you some more points for being patient?

I bought the book from Amazon, only arrived today but so far it looks good.

Many Thanks Indeed
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9868185
Glad to be of service.
No need for more points, just close this one out and keep us in mind for your next dilema..

- Cheers!
0
 

Author Comment

by:TimWe
ID: 10053318
Hello Again Are you still around, as I have another question..
I cant seem to get this to work. Below I have pasted your sound advice, In brackets I have added my own IP address.
Does the DMZ interface have to be on a differnt subnet to the inside interface?

Assume your INside interface is 192.168.111.1 (10.10.10.253 my IP)
Assume your DMZ interface is 192.168.122.1 (10.10.10.14 this I have just named and can be changed again)
Assume your FTP server is 192.168.122.22 (10.10.10.8 the ip for my FTP server NIC)- set default gateway to be 192.168.122.1 (10.10.10.14)
A.B.C.D = public IP address dedicated to FTP server.. (Got that OKay)
# create static NAT map from public IP to private IP
static (dmz,outside) A.B.C.D 192.168.122.22 (10.10.10.8) netmask 255.255.255.255
# create inbound access-list entries (assuming that you already have an inbound acl for other purposes, add this line:
access-list inbound_acl permit tcp any host A.B.C.D eq ftp

# to manage the server on the DMZ from the Inside, I suggest enabling Terminal Services on the server and only using that to manage it. No port entires or acls required, but you do want to NOT NAT between the inside and DMZ host:

access-list NO_NAT permit tcp 192.168.111.0 (10.10.10.0 this is the text im using) 255.255.255.0 192.168.122.22 (again 10.10.10.8 FTP server Nic) eq 3389

Now, from an inside PC, use Remote Desktop Connect to the Win2k3 server, using it's 'private' ip address 192.168.122.22 (10.10.10.8)


Do you understand that? or have i screwed it up?

Just to clarify the IP's in the brackets are the IP address im actually using.

Many Thank Again

Tim
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10056313
subscribed

PL
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows Server 2012 network 51 122
Active & Standby with dual ISP scenario 4 120
IP Phones with SonicWall 6 88
increase internet speed 3 104
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question