ftp in dmz

 
 
rhltechie@gmail.com
      01-05-2007
Hi All,

I am fairly certain this is something that happens all the time and a
very easy thing to do for most. I have never set up a dmz and am not
the best at pix. I have an asa 5510 and I am trying to set up an ftp
server in the dmz that I can reach from inside and outside (neither
works as of now). I have done the following:

access-list outside_access_in extended permit tcp any host <public ip> eq ftp

access-list DMZ1_access_in extended permit tcp host 192.168.60.15 192.168.9.0 255.255.255.0 eq ftp

global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255
static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255
static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group DMZ1_access_in in interface DMZ1


The ftp host's private ip in the dmz is 192.168.60.15. Private hosts
inside reside on 192.168.9.0.


When I view the live log, I do not see any errors, just the following
when I attempt a connection from the inside:

6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for
DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30
bytes 0 SYN Timeout
6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634
for DMZ1:192.168.60.15/21 (192.168.60.15/21) to
inside:192.168.9.75/1421 (192.168.9.75/1421)
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549
for DMZ1:192.168.60.15/21 (192.168.60.15/21) to
inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for
DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30
bytes 0 SYN Timeout


I do not have any egress filtering (no acl on my inside int). The asa
has the necessary inspect ftp command.

Can someone please help?


TIA,

R

 
K.J. 44
      01-05-2007


(E-Mail Removed) wrote:
> Hi All,
>
> I am fairly certain this is something that happens all the time and a
> very easy thing to do for most. I have never set up a dmz and am not
> the best at pix. I have an asa 5510 and I am trying to setup a ftp
> server in the dmz that i can reach from inside and outside(neither
> works as of now). I have done the following:
>
> access-list outside_access_in extended permit tcp any host <public ip>
> eq ftp
>
> access-list DMZ1_access_in extended permit tcp host 192.168.60.15
> 192.168.9.0 255.255.255.0 eq ftp
>
> global (outside) 1 interface
> nat (outside) 0 access-list outside_nat0_inbound outside
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0
>
> static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255
> static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255
> static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
> access-group outside_access_in in interface outside
> access-group DMZ1_access_in in interface DMZ1
>
>
> The ftp host private ip in the dmz is 192.168.60.15. Private hosts
> inside reside on 192.168.9.0.
>
>
> When I view the live log, I do not see any errors, just the following
> when i attempt a connection from the inside:
>
> 6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for
> DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30
> bytes 0 SYN Timeout
> 6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634
> for DMZ1:192.168.60.15/21 (192.168.60.15/21) to
> inside:192.168.9.75/1421 (192.168.9.75/1421)
> 6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549
> for DMZ1:192.168.60.15/21 (192.168.60.15/21) to
> inside:192.168.9.75/1420 (192.168.9.75/1420)
> 6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for
> DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30
> bytes 0 SYN Timeout
>
>
> I do not have any egress filtering (no acl on my inside int). The asa
> has the necessary inspect ftp command.
>
> Can someone please help?
>
>
> TIA,
>
> R



Hi,

It seems to me that you are not letting the traffic back out of your
DMZ.

> access-list DMZ1_access_in extended permit tcp host 192.168.60.15
> 192.168.9.0 255.255.255.0 eq ftp


This ACL says allow traffic from your mail server to your network
destined for FTP port. Won't the source port be FTP for the return
traffic and thus should read something like:

access-list DMZ1_access_in extended permit tcp host 192.168.60.15 eq ftp 192.168.9.0 255.255.255.0

This would be why you are getting timeouts, no return traffic is coming
back.
Hope this helps.

 
rhltechie@gmail.com
      01-05-2007
Thank you for your reply.

I thought the same and tried it like this first, with the src port
being ftp, but I get the same response and same messages in the log.


 
Darren Green
      01-05-2007

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> Hi All,
>
> I am fairly certain this is something that happens all the time and a
> very easy thing to do for most. I have never set up a dmz and am not
> the best at pix. I have an asa 5510 and I am trying to setup a ftp
> server in the dmz that i can reach from inside and outside(neither
> works as of now). I have done the following:
>
> access-list outside_access_in extended permit tcp any host <public ip>
> eq ftp
>
> access-list DMZ1_access_in extended permit tcp host 192.168.60.15
> 192.168.9.0 255.255.255.0 eq ftp
>
> global (outside) 1 interface
> nat (outside) 0 access-list outside_nat0_inbound outside
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0
>
> static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255
> static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255
> static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
> access-group outside_access_in in interface outside
> access-group DMZ1_access_in in interface DMZ1
>
>
> The ftp host private ip in the dmz is 192.168.60.15. Private hosts
> inside reside on 192.168.9.0.
>

snip

It is difficult to see if any other part of your config may be affecting
what you are trying to achieve here.

Just out of curiosity - if you have an ASA then you have access to the ASDM
software tool. On the GUI you have the option to simulate traffic passing
between interfaces based on a number of criteria that you can set - it's
very straightforward.

As you run the packet flow simulation the ASA will tell you if the packet
will be accepted or rejected on the various criteria - NAT, Access-List etc.
that you have defined in your config. At the point it fails you can click to
find out where it failed, making troubleshooting much easier.

HTH.

Regards

Darren


 
Walter Roberson
      01-06-2007
In article <(E-Mail Removed). com>,
<(E-Mail Removed)> wrote:

>I am fairly certain this is something that happens all the time and a
>very easy thing to do for most. I have never set up a dmz and am not
>the best at pix. I have an asa 5510 and I am trying to setup a ftp
>server in the dmz that i can reach from inside and outside(neither
>works as of now). I have done the following:


>access-list outside_access_in extended permit tcp any host <public ip> eq ftp


>access-list DMZ1_access_in extended permit tcp host 192.168.60.15 192.168.9.0 255.255.255.0 eq ftp


>global (outside) 1 interface
>nat (outside) 0 access-list outside_nat0_inbound outside
>nat (inside) 0 access-list inside_nat0_outbound
>nat (inside) 1 0.0.0.0 0.0.0.0


>static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255
>static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255


You cannot static the same public IP to two different internal addresses,
not unless you add in [different] port restrictions.

Also, if <public ip> is the same as the outside interface of your ASA
(or PIX), then you must use port restrictions.

For the ASA, that would look like,

static (DMZ1,outside) tcp <public ip> ftp 192.168.60.15 ftp netmask 255.255.255.255

For PIX 6.3, it would look like,

static (DMZ1,outside) tcp interface ftp 192.168.60.15 ftp netmask 255.255.255.255

>static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0


You only need to static (inside,DMZ1) if you need DMZ1 to be able
to initiate connections to inside (but then why bother with a DMZ?),
or if it is important on the DMZ device to be able to figure out
exactly which inside device is connecting (e.g., for logs or
differential access purposes.)

>access-group outside_access_in in interface outside
>access-group DMZ1_access_in in interface DMZ1


An access-group applied "in" interface DMZ1 controls the locations
that DMZ1 is able to initiate connections to. Unless you need your ftp
server to be able to initiate ftp sessions to inside, get rid of that.


>When I view the live log, I do not see any errors, just the following
>when i attempt a connection from the inside:


>6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for
>DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30
>bytes 0 SYN Timeout
>6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634
>for DMZ1:192.168.60.15/21 (192.168.60.15/21) to
>inside:192.168.9.75/1421 (192.168.9.75/1421)
>6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549
>for DMZ1:192.168.60.15/21 (192.168.60.15/21) to
>inside:192.168.9.75/1420 (192.168.9.75/1420)
>6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for
>DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30
>bytes 0 SYN Timeout


Either there is something -very- wrong with your systems or else your
log outputs events in reverse chronological order.
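The overlap Walter points out in the two `static (DMZ1,outside)` lines can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses `static` lines in the PIX/ASA 7.x syntax used above and flags a global address that is mapped more than once on the same interface without distinct port restrictions. The documentation address 203.0.113.10 stands in for `<public ip>`, and `www` as the service for 192.168.60.10 is an assumption, since the thread never says what that host is.

```python
import re
from collections import defaultdict

# PIX/ASA 7.x 'static' forms used in the thread: plain address mapping, and
# port-restricted ("static (real,mapped) tcp <global> <port> <local> <port>").
STATIC_PLAIN = re.compile(
    r"^static \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) "
    r"(?P<global>\S+) (?P<local>\S+) netmask (?P<mask>\S+)$"
)
STATIC_PORT = re.compile(
    r"^static \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<global>\S+) (?P<gport>\S+) (?P<local>\S+) (?P<lport>\S+) "
    r"netmask (?P<mask>\S+)$"
)

def parse_statics(config):
    """One dict per 'static' line, in config order; 'port' is (proto, global
    port) for port-restricted statics and None for plain address statics."""
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        m = STATIC_PORT.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = (entry["proto"], entry["gport"])
        else:
            m = STATIC_PLAIN.match(line)
            if not m:
                continue  # not a static line
            entry = m.groupdict()
            entry["port"] = None
        entries.append(entry)
    return entries

def find_conflicts(config):
    """Return (mapped_iface, global_addr, [local addrs]) for every global
    address mapped more than once on an interface without distinct ports."""
    groups = defaultdict(list)
    for entry in parse_statics(config):
        groups[(entry["mapped"], entry["global"])].append(entry)
    conflicts = []
    for (iface, glob), entries in groups.items():
        if len(entries) < 2:
            continue
        ports = [e["port"] for e in entries]
        # A plain static claims every port; identical restrictions also collide.
        if None in ports or len(set(ports)) != len(ports):
            conflicts.append((iface, glob, [e["local"] for e in entries]))
    return conflicts

# Constructed sample: the poster's statics, 203.0.113.10 standing in for <public ip>.
BROKEN = """\
static (DMZ1,outside) 203.0.113.10 192.168.60.10 netmask 255.255.255.255
static (DMZ1,outside) 203.0.113.10 192.168.60.15 netmask 255.255.255.255
static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
"""
# Port-restricted form from Walter's reply; 'www' for .10 is an assumption.
FIXED = """\
static (DMZ1,outside) tcp 203.0.113.10 www 192.168.60.10 www netmask 255.255.255.255
static (DMZ1,outside) tcp 203.0.113.10 ftp 192.168.60.15 ftp netmask 255.255.255.255
"""
```

`find_conflicts(BROKEN)` reports the two DMZ hosts sharing 203.0.113.10, while `find_conflicts(FIXED)` returns an empty list; the PIX 6.3 `tcp interface ftp` form parses with `interface` as the global address.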

 
rhltechie@gmail.com
      01-08-2007
Hi Darren,

I have never seen this or used it in the asdm, can you tell me how to
get to it? I have looked through the asdm and see nothing of the sort.

Thanks



 
rhltechie@gmail.com
      01-08-2007
Thanks for all the help guys... I figured out my issue. Something
lame... the friggin XP firewall was on, preventing me from using ftp, or
anything else for that matter.



 