
ASA5505 opening FTP on DMZ

Posted on 2008-10-03
Last Modified: 2010-04-21
IPs have been changed to protect the innocent!
I am having trouble accessing my FTP server in the DMZ. Does anything glaring show in the config below?

: Saved
: Written by enable_15 at 10:29:12.880 EDT Fri Oct 3 2008
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password I4c0AVstdlzGCow/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.1.1.5 COMP-FTP description ftp server
name y.y.y.6 COMPSRV2 description mail server
name 206.17.2.0 Sec_1 description spam service
name 206.16.209.64 Sec_2 description spam service
name 136.82.109.210 Bad_Toolbar_Guy
name 205.107.222.56 SQL
name y.y.y.0 Internal_All
name x.x.x.100 COMPSRV2_OUT
name x.x.x.105 COMP-FTP_OUT
!
interface Vlan1
 nameif inside
 security-level 100
 ip address y.y.y.250 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.98 255.255.255.224
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif DMZ
 security-level 50
 ip address 172.1.1.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server y.y.y.5
 name-server y.y.y.8
 name-server 209.194.200.1
 name-server 209.194.200.129
 domain-name default.domain.invalid
object-group network Secu
 description Spam Filter addresses from Secu
 network-object Sec_2 255.255.255.192
 network-object Sec_1 255.255.255.0
object-group service SMTPAUTH tcp
  port-object eq 587
object-group service BAD_PORTS tcp
 description Block online file sharing and streaming
 port-object eq 1025
 port-object eq 1027
 port-object eq 1034
 port-object eq 1334
 port-object range 1433 1434
 port-object eq 2234
 port-object range 2336 2337
 port-object eq 2350
 port-object eq 2745
 port-object eq 3043
 port-object range 3127 3128
 port-object eq 31337
 port-object eq 3140
 port-object eq 3306
 port-object range 4000 4010
 port-object eq 41436
 port-object eq 4500
 port-object eq 5554
 port-object eq 6129
 port-object range 6346 6350
 port-object eq 6699
 port-object eq 6777
 port-object eq 8866
 port-object eq 8967
 port-object eq 9996
 port-object eq ident
object-group service BAD_PORTS_UDP udp
 description Block file sharing and streaming
 port-object range 1433 1434
 port-object eq 2234
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list DMZ_access_in extended permit tcp any host COMP-FTP_OUT object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp Sec_1 255.255.255.0 host COMPSRV2 eq smtp inactive
access-list outside_access_in remark Block internet file sharing and streaming
access-list outside_access_in extended deny tcp any any object-group BAD_PORTS
access-list outside_access_in remark Block internet file sharing and streaming
access-list outside_access_in extended deny udp any any object-group BAD_PORTS_UDP
access-list outside_access_in remark Allow Securance Spam filter mail traffic to Exchange server (COMPSRV2)
access-list outside_access_in extended permit tcp object-group Securance host COMPSRV2_OUT eq smtp
access-list outside_access_in remark Allow SMTP authorization
access-list outside_access_in extended permit tcp any host COMPSRV2_OUT eq 587
access-list outside_access_in remark Secure Web interface for OWA (Exchange)
access-list outside_access_in extended permit tcp any host COMPSRV2_OUT eq https
access-list outside_access_in extended permit tcp any host COMPSRV2_OUT eq imap4
access-list inside_access_in remark Harrison Price updates
access-list inside_access_in extended permit ip any host Harrison_SQL inactive
access-list inside_access_in remark Block internet file sharing and streaming
access-list inside_access_in extended deny tcp any any object-group BAD_PORTS inactive
access-list inside_access_in remark Block internet file sharing and streaming
access-list inside_access_in extended deny udp any any object-group BAD_PORTS_UDP inactive
access-list inside_access_in extended deny ip any host Bad_Toolbar_Guy
access-list inside_access_in extended permit ip host COMPSRV2 any
access-list inside_access_in extended permit ip Internal_All 255.255.255.0 any
access-list COMPvpn_splitTunnelAcl standard permit Internal_All 255.255.255.0
access-list inside_nat0_outbound extended permit ip Internal_All 255.255.255.0 y.y.y.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPNpool y.y.y.185-y.y.y.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location COMPSRV2 255.255.255.255 inside
asdm location COMP-FTP 255.255.255.255 inside
asdm location Sec_2 255.255.255.192 inside
asdm location Sec_1 255.255.255.0 inside
asdm location Internal_All 255.255.255.0 inside
asdm location Bad_Toolbar_Guy 255.255.255.255 inside
asdm location SQL 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.120-x.x.x.126 netmask 255.255.255.224
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) COMP-FTP_OUT COMP-FTP netmask 255.255.255.255
static (inside,outside) COMPSRV2_OUT COMPSRV2 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.97 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http Internal_All 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh ********* 255.255.255.255 outside
ssh timeout 5
console timeout 0

group-policy COMPvpn internal
group-policy COMPvpn attributes
 wins-server value y.y.y.5 y.y.y.8
 dns-server value y.y.y.5 y.y.y.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value COMPvpn_splitTunnelAcl
 default-domain value company.COM
username ******* password 3USUcOPFUiMCO4Jk encrypted privilege 15
username ******** password dw0qiTJW/eKeyF6Z encrypted privilege 0
username ********* attributes
 vpn-group-policy COMPvpn
tunnel-group COMPvpn type ipsec-ra
tunnel-group COMPvpn general-attributes
 address-pool VPNpool
 default-group-policy COMPvpn
tunnel-group COMPvpn ipsec-attributes
 pre-shared-key ***********
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:80d82beeb1e8eab031a1ddb83ef09df6
: end
Question by:jrri

Expert Comment by:lrmoore (ID: 22635897)
no access-group DMZ_access_in in interface DMZ

Expert Comment by:Pugglewuggle (ID: 22636651)
That sounds right! :)

Author Comment by:jrri (ID: 22636676)
I typed that in the config and no change. Is that going to enable it for the inside INT, for people on the outside, or both?

Expert Comment by:lrmoore (ID: 22636741)
That's just going to remove the restrictions that you have on the acl.
From the DMZ interface's perspective, any traffic comes from the server as the source. Your acl has "any" as the source and the server as the destination, which is backwards.
By completely removing the acl from the interface, you are now allowing all outbound traffic from the server, including ftp responses, www from its own console, etc.
The primary mission is to first get you working, then work on a restrictive acl if you want it.
If you want inside users to access the server, add another global
global (DMZ) 1 interface
This will let the inside users get to the ftp site
For outside users, you have to add this:
access-list outside_access_in extended permit tcp any host COMP-FTP_OUT object-group DM_INLINE_TCP_1

Expert Comment by:Pugglewuggle (ID: 22636887)
That will almost work to give inside users access to the DMZ server.
You need to setup something called Destination NAT.
It basically consists of 2 things:
Giving your server 2 IP addresses - one for access and 1 for management.
Then, create a static NAT translation to map the access IP to the outside IP you are using for it. This will let your users access it by URL or DNS name with no complications.
static (DMZ,inside) <outside ip address to use> COMP-FTP_OUT netmask 255.255.255.255
Just replace the <outside ip address to use> with the outside ip address you want to use!
Note that you will no longer be able to ping that FTP server with its access address. Instead, use the management address to communicate with it.
Here is a Cisco document explaining it:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#solution2
Cheers!
 

Author Comment by:jrri (ID: 22651484)
Sorry for the delay, I now have access to the FTP server in the DMZ from both interfaces. Now how would I shore up the DMZ to only allow the FTP traffic? I previously had a Fortigate 60 firewall and it was much simpler to get this working, in fact it was a no brainer. I'm hoping the Cisco is more complex for a reason such as more secure.

Mike
 
Assisted Solution by:Pugglewuggle (earned 200 total points, ID: 22653003)
Allow incoming or outgoing? From the inside or outside (internet)?
Just create an access-list to the DMZ that only allows FTP.
access-list DMZ_access_in permit tcp any host COMP-FTP_OUT eq ftp

to only allow incoming connections from the inside (or outside also if it's already allowed)

access-group DMZ_access_in out interface DMZ
or to allow incoming from internet
access-group DMZ_access_in in interface outside
Just make sure if you have a current access-list for those interfaces that you add the rules into them instead of creating a new one.
BTW The Cisco is much better. :)
Cheers!

Accepted Solution by:lrmoore (earned 250 total points, ID: 22654877)
Here's what I suggest. This will allow the one ftp server to respond to any ftp requests, go to any web site, get Windows updates (if it is a Windows server), and resolve DNS names.

access-list DMZ_access_in permit tcp host COMP-FTP eq ftp any
access-list DMZ_access_in permit tcp host COMP-FTP eq ftp-data any
access-list DMZ_access_in permit tcp host COMP-FTP any eq https <== get updates
access-list DMZ_access_in permit tcp host COMP-FTP any eq http
access-list DMZ_access_in permit udp host COMP-FTP any eq domain <== DNS works
access-group DMZ_access_in in interface DMZ

I have yet to find a reason to apply an acl "out" on an ASA/PIX...
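An added Python model (my own, not code from the thread or from Cisco) of how an ASA evaluates an interface ACL applied "in": it only sees connections entering through that interface, so on the DMZ the server must be the source, which is the direction point lrmoore makes above and what the accepted solution's ACEs do. The name table, the mapped address and the client addresses are constructed placeholders, and only the ACE syntax used in this thread is parsed.

```python
import ipaddress

# Constructed stand-ins for the thread's name/object-group lines (mapped address is a placeholder).
NAMES = {"COMP-FTP": "172.1.1.5", "COMP-FTP_OUT": "198.51.100.105"}
PORTS = {"ftp": 21, "ftp-data": 20, "http": 80, "https": 443, "domain": 53}
GROUPS = {"DM_INLINE_TCP_1": {20, 21}}

def _addr(tokens):
    """Consume an ASA address spec: any | host NAME | NAME MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(NAMES[tokens.pop(0)] + "/32")
    return ipaddress.ip_network(f"{NAMES.get(t, t)}/{tokens.pop(0)}", strict=False)

def _ports(tokens):
    """Consume an optional port spec (eq PORT | object-group NAME); None = any port."""
    if tokens and tokens[0] in ("eq", "object-group"):
        kind, arg = tokens[0], tokens[1]
        del tokens[:2]
        return GROUPS[arg] if kind == "object-group" else {PORTS.get(arg) or int(arg)}
    return None

def parse_ace(line):
    """access-list NAME [extended] permit|deny PROTO SRC [SPORT] DST [DPORT]"""
    tokens = line.split()[2:]
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, sport = _addr(tokens), _ports(tokens)
    dst, dport = _addr(tokens), _ports(tokens)
    return action, proto, src, sport, dst, dport

def evaluate(acl, flow):
    """First matching ACE wins and the list ends in an implicit deny; flow is
    (proto, src_ip, src_port, dst_ip, dst_port) of a connection's first packet."""
    proto, sip, sp, dip, dp = flow
    for action, aproto, src, sport, dst, dport in map(parse_ace, acl):
        if (aproto in (proto, "ip") and ipaddress.ip_address(sip) in src
                and ipaddress.ip_address(dip) in dst
                and (sport is None or sp in sport) and (dport is None or dp in dport)):
            return action
    return "deny"

# The question's DMZ ACE beside the accepted solution's (its "<==" notes dropped).
ORIGINAL_DMZ_ACL = ["access-list DMZ_access_in extended permit tcp any host COMP-FTP_OUT object-group DM_INLINE_TCP_1"]
FIXED_DMZ_ACL = ["access-list DMZ_access_in permit tcp host COMP-FTP eq ftp any",
                 "access-list DMZ_access_in permit tcp host COMP-FTP eq ftp-data any",
                 "access-list DMZ_access_in permit tcp host COMP-FTP any eq https",
                 "access-list DMZ_access_in permit udp host COMP-FTP any eq domain"]
```

Feed it a connection the server itself opens (an active-mode data connection from port 20, or a DNS query) and the original ACE never matches because the server is never its destination, while the same "any host COMP-FTP_OUT" form does match an inbound client connection on the outside interface, where it belongs.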
 
Author Closing Comment by:jrri (ID: 31502837)
Thanks immensely for your help and patience.

Mike

Expert Comment by:Pugglewuggle (ID: 22660703)
As far as creating an ACL out - it's for if you have multiple higher security-level interfaces and you don't want to put "in" ACLs on all of those to a lower security-level interface... all traffic by default would be allowed, but just inserting one "out" ACL on that low level interface prevents any specified traffic from entering.
Cheers!

Expert Comment by:lrmoore (ID: 22660782)
Understand the concept fully, just have not found a use for it yet. PIX never supported "out" acls until 7.x so it is relatively new on the firewall.

Expert Comment by:Pugglewuggle (ID: 22660875)
Indeed it is. :-)
I've used it several times when reducing the complexity of ACLs on an ASA with VLANs on it... no need to update ACLs for multiple VLANs when you use the out direction just once.