Solved

What's the best way to open pinholes in a PIX 515E?

Posted on 2006-07-21
Last Modified: 2013-11-29
We've got a partner who needs to be able to ftp into our network and upload files, but we need to keep this as secure as possible.  We've got an ftp server that works with both implicit and explicit ftps (ftp over ssl), and is able to provide the client with the appropriate data ports.  For security reasons, we're redefining the ports we will use (with the exception of port 990, which is required for implicit ftps).  Basically, we want to open pinholes that only allow ports 990, 11000 for explicit ftps using SSL or TLS, then 11001 through 11006.  However, they can only come from the partner's IP address.  We've already got an access list (100) applied for inbound traffic from the outside interface.

So, the question is, what's the best way to configure the PIX for this?  One way is by just setting up individual commands.  However, isn't there a way to use some sort of a range command, rather than using individual lines for the ports, which would bring this down to just 2 lines?

access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 990
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11000
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11001
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11002
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11003
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11004
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11005
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11006

static (inside,outside) 1.2.3.4 10.1.1.56 netmask 255.255.255.255

Am I correct in the belief that this will only allow access from 4.3.2.1 to our internal ftp server on the listed ports?

The partner's address is 4.3.2.1; the external interface on our pix redirects from 1.2.3.4 to 10.1.1.56, which is our ftp server.

While this isn't too bad, it's going to be a real pain later on when the time comes to add partner IP addresses to be able to use this service.  Would setting up object groups, one for the network addresses of the partners and one for the services, make it easier to manage?  I haven't really worked with object groups on a PIX before.  What might the commands look like?

The order of preference in results is 1) Security, where we strictly limit outside access, and 2) Ease of management.

Thanks in advance,

Mark

Question by: QcHoldings
4 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17155941
1. Yes, the access-list is correct, as you wanted.

You could go for object-groups if you want to reduce those lines:

! The protocol keyword after the group name must be tcp, udp or tcp-udp
object-group service Partner-FTP-Service tcp
port-object eq 990
port-object range 11000 11006

access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 object-group Partner-FTP-Service

Would work for you...

Cheers,
Rajesh
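A fuller version of the object-group approach, as an added example that is not part of Rajesh's answer or Mark's post. It uses the addresses from the question (partner 4.3.2.1, outside address 1.2.3.4, server 10.1.1.56) and PIX 7.x syntax, since the `extended` keyword in the posted ACL implies 7.x. The interface names `inside`/`outside`, the group names, and the assumption that the server advertises 1.2.3.4 in its PASV replies are mine, not the original poster's.

```text
! Added example, not from the original post. PIX 7.x syntax.
! Assumed: interfaces are named inside/outside; group names are illustrative.

! Partners allowed to reach the FTPS server. To add a partner, add one
! network-object line here; the access-list below never changes.
object-group network Partner-FTPS-Hosts
  network-object host 4.3.2.1

! Control channel ports (990 implicit FTPS, 11000 explicit FTPS) plus the
! server's fixed passive data range 11001-11006, as a single contiguous range.
object-group service Partner-FTPS-Ports tcp
  port-object eq 990
  port-object range 11000 11006

! Static NAT: outside address 1.2.3.4 maps to the FTPS server 10.1.1.56.
static (inside,outside) 1.2.3.4 10.1.1.56 netmask 255.255.255.255

! One ACE covers every partner host and every permitted port. Pre-8.3 PIX
! matches the outside (translated) address, so the destination is 1.2.3.4.
! Any other source, or any other port on 1.2.3.4, hits the implicit deny.
access-list 100 extended permit tcp object-group Partner-FTPS-Hosts host 1.2.3.4 object-group Partner-FTPS-Ports

! Already applied per the question; shown for completeness.
access-group 100 in interface outside
```

After pasting this in, `show access-list 100` prints the object groups expanded into the individual per-host, per-port entries with hit counts, which is the quickest way to confirm the range covers exactly 990 and 11000 through 11006 and nothing else. One caveat: because the FTPS control channel is TLS-encrypted, the PIX's FTP inspection cannot read the PASV reply and open the data ports on demand, so the passive range has to be pinholed statically like this, and the server has to be told to advertise its public address 1.2.3.4 rather than 10.1.1.56 in PASV replies.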
 
LVL 57

Expert Comment

by:giltjr
ID: 17157154
Since you are NAT'ing and doing passive, you will want to make sure that the ftp client supports issuing the EPSV instead of the PASV command.  This alters the format of the PORT command so that it does not include the server's IP address, just the port that the server will be listening on.  If you do this, the PORT command will contain your private IP address and the remote client will attempt to connect to the private address.

 

Author Comment

by:QcHoldings
ID: 17157244
Sorry, I should have mentioned that the secure ftp server that we're using allows me to not only specify the range of ports for PASV transfers, but also the NATed public IP address of the ftp server.

It's actually a very cool, easy to use, and inexpensive Windows based ftp server that supports ftps, the Gene6ftp server (http://www.g6ftpserver.com).  It doesn't have all the bells and whistles (nor all of the features) of the GlobalScape Secure or Enhanced ftp servers, but it's pretty nifty, and a lot less expensive.

Thanks!
 
LVL 57

Expert Comment

by:giltjr
ID: 17158618
No problem.  I know that some allow this, because of issues with clients not supporting EPSV.  Better that it is mentioned and is not an issue than that it is not mentioned and is an issue.