ftp in dmz

Discussion in 'Cisco' started by rhltechie@gmail.com, Jan 5, 2007.

  1. Guest

    Hi All,

    I am fairly certain this is something that happens all the time and a
    very easy thing to do for most. I have never set up a DMZ and am not
    the best at PIX. I have an ASA 5510 and I am trying to set up an FTP
    server in the DMZ that I can reach from inside and outside (neither
    works as of now). I have done the following:

    access-list outside_access_in extended permit tcp any host <public ip> eq ftp

    access-list DMZ1_access_in extended permit tcp host 192.168.60.15 192.168.9.0 255.255.255.0 eq ftp

    global (outside) 1 interface
    nat (outside) 0 access-list outside_nat0_inbound outside
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0

    static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255
    static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255
    static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
    access-group outside_access_in in interface outside
    access-group DMZ1_access_in in interface DMZ1


    The FTP host's private IP in the DMZ is 192.168.60.15. Private hosts
    inside reside on 192.168.9.0.


    When I view the live log, I do not see any errors, just the following
    when I attempt a connection from the inside:

    6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
    6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)
    6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
    6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout


    I do not have any egress filtering (no ACL on my inside int). The ASA
    has the necessary inspect ftp command.

    Can someone please help?


    TIA,

    R
    , Jan 5, 2007
    #1
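The 302013/302014 lines above tell the story on their own once they are paired up. As an added example (not code from the thread), a small Python parser that matches each teardown to its build-up by connection ID, puts the newest-first live log back into time order, and reports the flows that died with 0 bytes and "SYN Timeout", the signature of a SYN that nothing ever answered; the sample is constructed from the poster's four lines plus one healthy flow for contrast.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the four lines the poster pasted (newest first, as the
# ASA live log shows them) plus one healthy flow, added here for contrast.
SAMPLE_LOG = """\
6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:52:00|302014: Teardown TCP connection 67046100 for DMZ1:192.168.60.15/21 to inside:192.168.9.80/1500 duration 0:01:12 bytes 4311 TCP FINs
"""

TS_FMT = "%b %d %Y %H:%M:%S"
# 302013: Built {inbound|outbound} TCP connection <id> for <if:ip/port> (<mapped>) to <if:ip/port> (<mapped>)
BUILT_RE = re.compile(
    r"^\d+\|(?P<ts>[^|]+)\|302013: Built (?:inbound|outbound) TCP connection "
    r"(?P<cid>\d+) for (?P<src>\S+) \(\S+\) to (?P<dst>\S+) \(\S+\)"
)
# 302014: Teardown TCP connection <id> for <src> to <dst> duration <h:mm:ss> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"^\d+\|(?P<ts>[^|]+)\|302014: Teardown TCP connection (?P<cid>\d+) for "
    r"(?P<src>\S+) to (?P<dst>\S+) duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def syn_timeouts(log_text):
    """Return [(teardown_time, cid, src, dst, built_seen), ...], oldest first,
    for every flow the ASA dropped because its SYN was never answered."""
    built = {}
    torn = []
    for line in log_text.splitlines():
        m = BUILT_RE.match(line)
        if m:
            built[m.group("cid")] = datetime.strptime(m.group("ts"), TS_FMT)
            continue
        m = TEARDOWN_RE.match(line)
        if m and m.group("reason") == "SYN Timeout" and m.group("bytes") == "0":
            torn.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("cid"),
                         m.group("src"), m.group("dst")))
    torn.sort()  # the live log is newest-first; make the story read forward
    return [(t, cid, src, dst, cid in built) for t, cid, src, dst in torn]


def failing_pairs(log_text):
    """Count SYN timeouts per (server socket, client interface). Repeated
    0-byte timeouts against one pair point at something between the two
    (ACL, NAT, or a host firewall as in this thread), not at a flaky link."""
    counts = Counter()
    for _, _, src, dst, _ in syn_timeouts(log_text):
        counts[(src, dst.split(":")[0])] += 1
    return counts


if __name__ == "__main__":
    for t, cid, src, dst, seen in syn_timeouts(SAMPLE_LOG):
        print(t, cid, src, "->", dst, "(build-up logged)" if seen else "(build-up not in excerpt)")
    print(dict(failing_pairs(SAMPLE_LOG)))
```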

  2. K.J. 44 Guest

    Hi,

    It seems to me that you are not letting the traffic back out of your
    DMZ.

    > access-list DMZ1_access_in extended permit tcp host 192.168.60.15
    > 192.168.9.0 255.255.255.0 eq ftp


    This ACL says to allow traffic from your mail server to your network
    destined for the FTP port. Won't the source port be FTP for the return
    traffic, and thus shouldn't it read something like:

    access-list DMZ1_access_in extended permit tcp host 192.168.60.15 eq ftp 192.168.9.0 255.255.255.0

    This would be why you are getting timeouts: no return traffic is coming
    back.

    Hope this helps.
    K.J. 44, Jan 5, 2007
    #2

  3. Guest

    Thank you for your reply.

    I thought the same and tried it like this first, with the src port
    being ftp, but I get the same response and the same messages in the log.


    , Jan 5, 2007
    #3
  4. Darren Green Guest


    It is difficult to see if any other part of your config may be affecting
    what you are trying to achieve here.

    Just out of curiosity - if you have an ASA then you have access to the ASDM
    software tool. On the GUI you have the option to simulate traffic passing
    between interfaces based on a number of criteria that you can set - it's
    very straightforward.

    As you run the packet flow simulation the ASA will tell you if the packet
    will be accepted or rejected on the various criteria - NAT, Access-List etc
    that you have defined in your config. At the point it fails you can click to
    find out where it failed making troubleshooting much easier.

    HTH.

    Regards

    Darren
    Darren Green, Jan 5, 2007
    #4
  5. In article <>,
    <> wrote:

    >I am fairly certain this is something that happens all the time and a
    >very easy thing to do for most. I have never set up a dmz and am not
    >the best at pix. I have an asa 5510 and I am trying to setup a ftp
    >server in the dmz that i can reach from inside and outside(neither
    >works as of now). I have done the following:


    >access-list outside_access_in extended permit tcp any host <public ip> eq ftp


    >access-list DMZ1_access_in extended permit tcp host 192.168.60.15 192.168.9.0 255.255.255.0 eq ftp


    >global (outside) 1 interface
    >nat (outside) 0 access-list outside_nat0_inbound outside
    >nat (inside) 0 access-list inside_nat0_outbound
    >nat (inside) 1 0.0.0.0 0.0.0.0


    >static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255
    >static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255


    You cannot static the same public IP to two different internal addresses,
    not unless you add in [different] port restrictions.

    Also, if <public ip> is the same as the outside interface of your ASA
    (or PIX), then you must use port restrictions.

    For the ASA, that would look like,

    static (DMZ1,outside) tcp <public ip> ftp 192.168.60.15 ftp netmask 255.255.255.255

    For PIX 6.3, it would look like,

    static (DMZ1,outside) tcp interface ftp 192.168.60.15 ftp netmask 255.255.255.255

    >static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0


    You only need to static (inside,DMZ1) if you need DMZ1 to be able
    to initiate connections to inside (but then why bother with a DMZ?),
    or if it is important on the DMZ device to be able to figure out
    exactly which inside device is connecting (e.g., for logs or
    differential access purposes.)

    >access-group outside_access_in in interface outside
    >access-group DMZ1_access_in in interface DMZ1


    An access-group applied "in" interface DMZ1 controls the locations
    that DMZ1 is able to initiate connections to. Unless you need your ftp
    server to be able to initiate ftp sessions to inside, get rid of that.


    >When I view the live log, I do not see any errors, just the following
    >when i attempt a connection from the inside:


    >6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for
    >DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30
    >bytes 0 SYN Timeout
    >6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634
    >for DMZ1:192.168.60.15/21 (192.168.60.15/21) to
    >inside:192.168.9.75/1421 (192.168.9.75/1421)
    >6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549
    >for DMZ1:192.168.60.15/21 (192.168.60.15/21) to
    >inside:192.168.9.75/1420 (192.168.9.75/1420)
    >6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for
    >DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30
    >bytes 0 SYN Timeout


    Either there is something -very- wrong with your systems or else your
    log outputs events in reverse chronological order.
    Walter Roberson, Jan 6, 2007
    #5
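Walter's point about two statics on one public IP can be checked mechanically before the config is applied. As an added example (not code from the thread or from Cisco), a small Python lint over pre-8.3 PIX/ASA static lines that flags a mapped address translated to two different real hosts unless each is pinned to a different port; the sample config is constructed and uses the 203.0.113.0/24 documentation range in place of the poster's <public ip>.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the thread's statics; 203.0.113.x are
# documentation addresses standing in for the poster's "<public ip>".
SAMPLE_CONFIG = """\
static (DMZ1,outside) 203.0.113.10 192.168.60.10 netmask 255.255.255.255
static (DMZ1,outside) 203.0.113.10 192.168.60.15 netmask 255.255.255.255
static (DMZ1,outside) tcp 203.0.113.11 ftp 192.168.60.15 ftp netmask 255.255.255.255
static (DMZ1,outside) tcp 203.0.113.11 www 192.168.60.10 www netmask 255.255.255.255
static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
"""

# Two shapes of the pre-8.3 PIX/ASA 'static' command are recognised:
#   static (real,mapped) <mapped_ip> <real_ip> netmask <mask>
#   static (real,mapped) tcp|udp <mapped_ip> <mport> <real_ip> <rport> netmask <mask>
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<mip>\S+)\s+(?P<mport>\S+)\s+(?P<rip>\S+)\s+(?P<rport>\S+)"
    r"|(?P<mip1>\S+)\s+(?P<rip1>\S+))\s+netmask\s+(?P<mask>\S+)\s*$"
)


def parse_statics(config_text):
    """Yield (mapped_if, mapped_ip, claim, real_ip) per static line. claim is
    ('*',) for a one-to-one static, which owns every port of the mapped IP,
    or (proto, port) for a port-restricted one."""
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        if m.group("proto"):
            yield (m.group("mapped_if"), m.group("mip"),
                   (m.group("proto"), m.group("mport")), m.group("rip"))
        else:
            yield (m.group("mapped_if"), m.group("mip1"), ("*",), m.group("rip1"))


def claims_overlap(a, b):
    # A one-to-one static collides with anything else on the same mapped IP;
    # two port statics collide only when protocol and port are identical.
    return a == ("*",) or b == ("*",) or a == b


def find_static_conflicts(config_text):
    """Return [(mapped_if, mapped_ip, real_a, real_b), ...] for every pair of
    statics that send one mapped address to two different real hosts without
    distinct port restrictions, i.e. the situation called out in the thread."""
    by_mapped = defaultdict(list)
    for mapped_if, mip, claim, rip in parse_statics(config_text):
        by_mapped[(mapped_if, mip)].append((claim, rip))
    conflicts = []
    for (mapped_if, mip), entries in by_mapped.items():
        for i, (claim_a, rip_a) in enumerate(entries):
            for claim_b, rip_b in entries[i + 1:]:
                if rip_a != rip_b and claims_overlap(claim_a, claim_b):
                    conflicts.append((mapped_if, mip, rip_a, rip_b))
    return conflicts


if __name__ == "__main__":
    for c in find_static_conflicts(SAMPLE_CONFIG):
        print("conflict: %s %s -> %s and %s" % c)
```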
  6. Guest

    Hi Darren,

    I have never seen this or used it in the ASDM. Can you tell me how to
    get to it? I have looked through the ASDM and see nothing of the sort.

    Thanks


    , Jan 8, 2007
    #6
  7. Guest

    Thanks for all the help guys... I figured out my issue. Something
    lame... the friggin XP firewall was on, preventing me from using FTP, or
    anything else for that matter.


    , Jan 8, 2007
    #7
