QcHoldings asked:
What's the best way to open pinholes in a PIX 515E?

We've got a partner who needs to be able to ftp into our network and upload files, but we need to keep this as secure as possible.  We've got an ftp server that works with both implicit and explicit ftps (ftp over ssl), and is able to provide the client with the appropriate data ports.  For security reasons, we're redefining the ports we will use (with the exception of port 990, which is required for implicit ftps).  Basically, we want to open pinholes that only allow ports 990, 11000 for explicit ftps using SSL or TLS, then 11001 through 11006.  However, they can only come from the partner's IP address.  We've already got an access list (100) applied for inbound traffic from the outside interface.

So, the question is, what's the best way to configure the PIX for this?  One way is by just setting up individual commands.  However, isn't there a way to use some sort of a range command, rather than using individual lines for the ports, which would bring this down to just 2 lines?

access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 990
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11000
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11001
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11002
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11003
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11004
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11005
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11006

static (inside,outside) 1.2.3.4 10.1.1.56 netmask 255.255.255.255

Am I correct in the belief that this will only allow access from 4.3.2.1 to our internal ftp server on the listed ports?

The partner's address is 4.3.2.1, the external interface on our pix redirects from 1.2.3.4 to 10.1.1.56, which is our ftp server.

While this isn't too bad, it's going to be a real pain later on when the time comes to add partner IP addresses to be able to use this service.  Would setting up object groups, one for the network addresses of the partners and one for the services, make it easier to manage?  I haven't really worked with object groups on a PIX before: what might the commands look like?

The order of preference in results is 1) Security, where we strictly limit outside access, and 2) Ease of management.

Thanks in advance,

Mark
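The object-group form of the rules asked about, as an added example that is not part of the original thread and not Cisco's documentation. The PIX 7.x configuration (pre-8.3 NAT syntax, so the access list matches the mapped public address 1.2.3.4 exactly as in the question) is embedded as text, and the Python around it expands the object groups into the flat entries the firewall actually evaluates and then checks sample connections against them. Addresses and ports are the ones from the question; the group names PARTNER_FTPS_CLIENTS and FTPS_PORTS are assumptions.

```python
"""Object-group version of the PIX pinholes, plus a small expander that shows the
flat ACEs it is equivalent to and evaluates sample connections against them."""
import ipaddress

# PIX 7.x (pre-8.3) configuration as it would be typed on the firewall.
# Group names are assumptions; addresses and ports come from the question.
PIX_CONFIG = """\
object-group network PARTNER_FTPS_CLIENTS
 network-object host 4.3.2.1
object-group service FTPS_PORTS tcp
 port-object eq 990
 port-object eq 11000
 port-object range 11001 11006
access-list 100 extended permit tcp object-group PARTNER_FTPS_CLIENTS host 1.2.3.4 object-group FTPS_PORTS
access-group 100 in interface outside
static (inside,outside) 1.2.3.4 10.1.1.56 netmask 255.255.255.255
"""


def parse_config(text):
    """Collect network object-groups, tcp service object-groups and access-list lines."""
    net_groups, svc_groups, aces = {}, {}, []
    current = None  # (kind, name) of the object-group whose members follow
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "object-group":
            current = (w[1], w[2])
            (net_groups if w[1] == "network" else svc_groups)[w[2]] = []
        elif w[0] == "network-object" and current and current[0] == "network":
            net = w[2] if w[1] == "host" else f"{w[1]}/{w[2]}"  # host A | A MASK
            net_groups[current[1]].append(ipaddress.ip_network(net))
        elif w[0] == "port-object" and current and current[0] == "service":
            lo = int(w[2])
            hi = int(w[3]) if w[1] == "range" else lo  # eq N | range LO HI
            svc_groups[current[1]].append((lo, hi))
        else:
            current = None
            if w[0] == "access-list":
                aces.append(w)
    return net_groups, svc_groups, aces


def expand(text):
    """Expand each ACE into flat (action, proto, src_net, dst_net, lo, hi) rules in
    order; this is the per-entry form the PIX evaluates and lists in show access-list."""
    net_groups, svc_groups, aces = parse_config(text)

    def addr(w, i):
        # one address spec: any | host A | object-group NAME | A MASK
        if w[i] == "any":
            return [ipaddress.ip_network("0.0.0.0/0")], i + 1
        if w[i] == "host":
            return [ipaddress.ip_network(w[i + 1])], i + 2
        if w[i] == "object-group":
            return net_groups[w[i + 1]], i + 2
        return [ipaddress.ip_network(f"{w[i]}/{w[i + 1]}")], i + 2

    rules = []
    for w in aces:
        i = 3 if w[2] == "extended" else 2  # "extended" is absent on older PIX code
        action, proto = w[i], w[i + 1]
        srcs, i = addr(w, i + 2)
        dsts, i = addr(w, i)
        if i >= len(w):
            ports = [(0, 65535)]
        elif w[i] == "eq":
            ports = [(int(w[i + 1]), int(w[i + 1]))]
        elif w[i] == "range":
            ports = [(int(w[i + 1]), int(w[i + 2]))]
        else:  # object-group SERVICE
            ports = svc_groups[w[i + 1]]
        rules += [(action, proto, s, d, lo, hi) for s in srcs for d in dsts for lo, hi in ports]
    return rules


def flat_aces(rules, name="100"):
    """Render expanded rules as one-line ACEs, the form used in the question."""
    def spec(n):
        if n.prefixlen == 32:
            return f"host {n.network_address}"
        if n.prefixlen == 0:
            return "any"
        return f"{n.network_address} {n.netmask}"
    return [f"access-list {name} extended {a} {p} {spec(s)} {spec(d)} "
            + (f"eq {lo}" if lo == hi else f"range {lo} {hi}")
            for a, p, s, d, lo, hi in rules]


def permitted(rules, src, dst, port, proto="tcp"):
    """First match wins; anything unmatched falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, lo, hi in rules:
        if p in (proto, "ip") and s in sn and d in dn and lo <= port <= hi:
            return action == "permit"
    return False


if __name__ == "__main__":
    rules = expand(PIX_CONFIG)
    print("\n".join(flat_aces(rules)))
    for src, port in [("4.3.2.1", 990), ("4.3.2.1", 11003), ("4.3.2.1", 21),
                      ("4.3.2.1", 11007), ("4.3.2.2", 990)]:
        verdict = "permit" if permitted(rules, src, "1.2.3.4", port) else "deny"
        print(f"{src} -> 1.2.3.4:{port} {verdict}")
```

Adding a second partner is then one `network-object host` line inside PARTNER_FTPS_CLIENTS rather than another eight ACEs. On the firewall, `show access-list 100` lists the expanded entries with hit counts and `show object-group` lists the members, which is the quickest way to confirm the pinholes match what the expander above prints. Because the control channel on 990 and 11000 is TLS-encrypted, the PIX's FTP inspection cannot read the PASV reply and open the data port dynamically, so the fixed range 11001 to 11006 has to be opened statically like this; keep it as small as the server's concurrent-transfer count allows. On ASA 8.3 and later the same access list would reference the real address 10.1.1.56 and the `static` would become a `nat` statement.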

ASKER CERTIFIED SOLUTION
rsivanandan
giltjr:
Since you are NAT'ing and doing passive, you will want to make sure that the ftp client supports issuing the EPSV instead of the PASV command.  This alters the format of the PORT command so that it does not include the server's IP address, just the port that the server will be listening on.  If you do this, the PORT command will contain your private IP address and the remote client will attempt to connect to the private address.
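What the client side of that difference looks like, as an added example that is not part of the thread: the 227 reply to PASV carries the server's address and port, so a server behind NAT that has not been told its public address advertises an RFC 1918 address the partner cannot reach, while the 229 reply to EPSV carries only the port and the client reuses the control-connection peer. The replies are constructed samples, the addresses are the ones from the question, and the 11001 to 11006 range checked at the end is an assumption about the firewall pinholes.

```python
"""Client-side handling of PASV (227) versus EPSV (229) replies, showing what a
NAT'd server leaks in a 227 reply and what the client would try to connect to."""
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): address and port both come from the reply
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|): port only, address is the control peer
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_endpoint(reply, control_peer):
    """Return the (ip, port) a client would open the data connection to.
    control_peer is the server address the client used for the control connection."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        return control_peer, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def check_reply(reply, control_peer, allowed_ports=range(11001, 11007)):
    """Return (ip, port, problem); problem is None when the data connection would
    both reach the server and fit the firewall pinholes. allowed_ports is the
    data range from the question and is an assumption about the firewall."""
    ip, port = data_endpoint(reply, control_peer)
    if ipaddress.ip_address(ip).is_private and not ipaddress.ip_address(control_peer).is_private:
        return ip, port, "server advertised its private address; unreachable across NAT"
    if ip != control_peer:
        return ip, port, "data address differs from the control peer; refuse rather than be redirected"
    if port not in allowed_ports:
        return ip, port, "data port outside the range opened on the firewall"
    return ip, port, None


if __name__ == "__main__":
    # Constructed replies as the partner at 4.3.2.1 would see them from 1.2.3.4.
    SAMPLES = [
        "227 Entering Passive Mode (10,1,1,56,42,249)",    # server unaware of its NAT address
        "227 Entering Passive Mode (1,2,3,4,42,249)",      # server told its public address
        "229 Entering Extended Passive Mode (|||11001|)",  # EPSV: no address in the reply
        "227 Entering Passive Mode (1,2,3,4,43,0)",        # port 11008, outside the pinholes
    ]
    for r in SAMPLES:
        print(r, "->", check_reply(r, "1.2.3.4"))
```

The second sample is the case the asker later describes: the server is configured with its NATed public address, so a plain PASV reply works even for clients without EPSV support. The last check matters in practice because a server whose passive range drifts outside the pinholes fails only on the data connection, which shows up as a login that succeeds followed by transfers that hang.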

QcHoldings (asker):
Sorry, I should have mentioned that the secure ftp server that we're using allows me to not only specify the range of ports for PASV transfers, but also the NATed public IP address of the ftp server.

It's actually a very cool, easy to use, and inexpensive Windows based ftp server that supports ftps, the Gene6ftp server (http://www.g6ftpserver.com).  It doesn't have all the bells and whistles (nor all of the features) of the GlobalScape Secure or Enhanced ftp servers, but it's pretty nifty, and a lot less expensive.

Thanks!
No problem.  I know that some allow this, because of issues with clients not supporting EPSV.  Better that it is mentioned and it not be an issue than that it not be mentioned and it is an issue.