What's the best way to open pinholes in a PIX 515E?

Posted on 2006-07-21
Last Modified: 2013-11-29
We've got a partner who needs to be able to ftp into our network and upload files, but we need to keep this as secure as possible.  We've got an ftp server that works with both implicit and explicit ftps (ftp over ssl), and is able to provide the client with the appropriate data ports.  For security reasons, we're redefining the ports we will use (with the exception of port 990, which is required for implicit ftps).  Basically, we want to open pinholes that only allow ports 990, 11000 for explicit ftps using SSL or TLS, then 11001 through 11006.  However, they can only come from the partner's IP address.  We've already got an access list (100) applied for inbound traffic from the outside interface.

So, the question is, what's the best way to configure the PIX for this?  One way is by just setting up individual commands.  However, isn't there a way to use some sort of a range command, rather than using individual lines for the ports, which would bring this down to just 2 lines?

access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 990
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11000
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11001
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11002
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11003
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11004
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11005
access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 eq 11006

static (inside,outside) 1.2.3.4 10.1.1.56 netmask 255.255.255.255

Am I correct in the belief that this will only allow access from 4.3.2.1 to our internal ftp server on the listed ports?

The partner's address is 4.3.2.1, the external interface on our pix redirects from 1.2.3.4 to 10.1.1.56, which is our ftp server.

While this isn't too bad, it's going to be a real pain later on when the time comes to add partner IP addresses to be able to use this service.  Would setting up object groups, one for the network addresses of the partners, one for the services, make it easier to manage?  I haven't really worked with object groups on a PIX before.  What might the commands look like?

The order of preference in results is 1) Security, where we strictly limit outside access, and 2) Ease of management.

Thanks in advance,

Mark

Question by:QcHoldings
Accepted Solution

by:
rsivanandan earned 125 total points
1. Yes, the access-list is correct, as you wanted.

You could go for object-groups if you want to reduce those lines;

object-group service Partner-FTP-Service tcp
port-object eq 990
port-object range 11000 11006

access-list 100 extended permit tcp host 4.3.2.1 host 1.2.3.4 object-group Partner-FTP-Service

Would work for you...

Cheers,
Rajesh
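Putting the two object groups together, here is a complete PIX 7.x fragment as an added example; it is not configuration from the original post or from rsivanandan. It assumes the addresses and ports given in the question (partner 4.3.2.1, public 1.2.3.4, server 10.1.1.56, ports 990, 11000 and 11001-11006); the group names Partner-FTP-Hosts and Partner-FTP-Ports are arbitrary, and the `!` lines are comments as the PIX prints them in `show running-config`.

```cisco
! Added example, not from the original post. PIX 7.x syntax.
! Source addresses allowed to reach the FTPS server: add one
! network-object line per partner; the access-list never changes.
object-group network Partner-FTP-Hosts
 description Partner hosts permitted to use the FTPS server
 network-object host 4.3.2.1
!
! Destination ports: implicit FTPS control (990), explicit FTPS
! control (11000), and the fixed PASV data range the server is
! configured to hand out (11001-11006).
object-group service Partner-FTP-Ports tcp
 description FTPS control ports and fixed passive data range
 port-object eq 990
 port-object eq 11000
 port-object range 11001 11006
!
! One-to-one translation of the server; on this PIX version the
! access-list below matches on the translated (outside) address.
static (inside,outside) 1.2.3.4 10.1.1.56 netmask 255.255.255.255
!
! Single permit entry; everything not listed is dropped by the
! implicit deny at the end of the list.
access-list 100 extended permit tcp object-group Partner-FTP-Hosts host 1.2.3.4 object-group Partner-FTP-Ports
access-group 100 in interface outside
```

After pasting this, `show access-list 100` prints the expanded entries (one per host/port combination) with hit counts, which is the quickest way to confirm that only the intended combinations exist and that the partner's traffic is actually matching them. If you prefer to stay with plain entries, the access-list also accepts `range 11001 11006` directly in place of `eq`, so the original eight lines collapse to three. Because the FTPS control channel is encrypted, the PIX's FTP inspection cannot read the PASV reply and open data-port pinholes on the fly; that is why the passive range has to be permitted statically here and why the server must advertise 1.2.3.4, not 10.1.1.56, in its passive replies.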
Expert Comment

by:giltjr
Since you are NAT'ing and doing passive, you will want to make sure that the ftp client supports issuing the EPSV instead of the PASV command.  This alters the format of the PORT command so that it does not include the server's IP address, just the port that the server will be listening on.  If you do this, the PORT command will contain your private IP address and the remote client will attempt to connect to the private address.


Author Comment

by:QcHoldings
Sorry, I should have mentioned that the secure ftp server that we're using allows me to not only specify the range of ports for PASV transfers, but also the NATed public IP address of the ftp server.

It's actually a very cool, easy to use, and inexpensive Windows based ftp server that supports ftps, the Gene6ftp server (http://www.g6ftpserver.com).  It doesn't have all the bells and whistles (nor all of the features) of the GlobalScape Secure or Enhanced ftp servers, but it's pretty nifty, and a lot less expensive.

Thanks!
Expert Comment

by:giltjr
No problem.  I know that some allow this, because of issues with clients not supporting EPSV.  Better that it is mentioned and not be an issue than that it not be mentioned and it is an issue.