
PIX515E can't FTP from the dmz to inside network

Status
Not open for further replies.

blade10

IS-IT--Management
Feb 2, 2008
144
US
All-

Can this even be done, would I have to create an access-list (not natted) in order for this to work?

Specific users from the outside getting to the dmz is no problem.. There is also no problem with inside users getting to the dmz BUT when these users try to ftp files from the dmz to the inside network, it fails.

Am I breaking some security boundary by assuming this would work at all?

thanks for any info
blade
 
Yes, they have different security levels assigned to them. You will need a static and an access-list applied to the dmz interface to let this traffic through.


Brent
Systems Engineer / Consultant
CCNP, CCSP
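The static plus access-list that Brent describes, written out in PIX 6.3 syntax as an added example (this is not configuration from the thread). All addresses are made up for the illustration: an inside FTP server at 10.1.1.50 on the 10.1.0.0/16 inside network, and a dmz host at 192.168.10.20 that needs to open FTP sessions to it.

```cisco
! Added example, not from the thread. Constructed addresses:
!   inside FTP server 10.1.1.50 (inside network 10.1.0.0/16)
!   dmz client        192.168.10.20
!
! 1. Identity static: the inside server is reachable from the dmz at its
!    real address, no translation.
static (inside,dmz) 10.1.1.50 10.1.1.50 netmask 255.255.255.255

! 2. Access-list for packets entering the PIX on the dmz interface.
!    Only the FTP control channel (tcp/21) is listed; the default
!    "fixup protocol ftp 21" opens the data channel dynamically.
access-list dmz_in permit tcp host 192.168.10.20 host 10.1.1.50 eq ftp
!    Every other dmz-initiated flow toward the inside network stays blocked ...
access-list dmz_in deny ip any 10.1.0.0 255.255.0.0
!    ... while dmz hosts keep the outbound access (to the lower-security
!    outside interface) they had before the access-group existed.
access-list dmz_in permit ip any any

! 3. Bind it inbound on the dmz interface.
access-group dmz_in in interface dmz
```

Two points worth knowing before applying this. First, sessions that inside users open toward the dmz are not affected: the PIX is stateful, so the access-list is checked only against the first packet of a dmz-originated connection, and return packets of an inside-initiated session match the existing connection. Second, an access-group ends in an implicit deny, so without the last two lines dmz hosts would lose whatever access to the outside they currently get from security levels alone; the explicit deny for the inside network followed by permit any is what preserves that. `show access-list dmz_in` shows per-line hit counts and `show conn` shows the FTP control and data connections once a transfer is under way.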
 
Thanks Supergrover,

just so my syntax doesn't botch anything up or create more headaches, could you provide a bogus example of the static, acl and how to apply it to the dmz interface?

I worry that if I apply this access-list to the dmz interface, it will deny all other traffic from my inside users getting to the dmz, which seems to be working well. Due to the security levels my trusted 100 inside interface allows users into the dmz, but as you know the reverse trip, where an ftp file comes FROM the dmz, doesn't happen unless I apply this specific acl and static route and apply it to the interface. If I do this, will my other users that access the dmz be screwed, and only this particular ftp access be allowed?

just making sure I don't break anything :)

thanks for all your help
blade
 
SuperG!

This is a PIX515E, not sure if this worked but I did apply an extended acl and applied it to the static route, but the question is do I absolutely have to apply it to the PIX dmz interface? If definitely yes, would it break or impede any other connectivity which the dmz interface is supporting? Reason I ask is because this pix is running 6.3 IOS and I am using conduit statements for an array of public ip and opened ports at this point, until we upgrade to 7.0 and eventually cut over to the ASA5510 we just purchased (this is entirely a different and very involved project).

thanks again for your insight Supergrover!

blade
 
Well, for 7x you will need to get rid of the conduits anyway. Might as well get them going now. You can't really use conduits and ACLs together.
Post your conduits and we'll see what we need to do to convert them.

This is definitely a weekend project and have a copy of the config saved that you can revert to.


Brent
Systems Engineer / Consultant
CCNP, CCSP
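Since Brent asks for the conduits so they can be converted, here is what that conversion looks like for one server, as an added example rather than anything posted in the thread. The addresses are constructed: public 203.0.113.10 is statically mapped to a dmz web/FTP server at 192.168.10.30, and 198.51.100.7 is a partner host that is allowed FTP.

```cisco
! Added example, not from the thread. Constructed addresses:
!   public (global) 203.0.113.10 -> dmz server 192.168.10.30
!   198.51.100.7 = partner host allowed to FTP in
!
! Existing conduit-style configuration:
static (dmz,outside) 203.0.113.10 192.168.10.30 netmask 255.255.255.255
conduit permit tcp host 203.0.113.10 eq www any
conduit permit tcp host 203.0.113.10 eq ftp host 198.51.100.7

! Access-list equivalent. The argument order flips: a conduit names the
! local (global) address first, an access-list names source then destination.
! On 6.3 the access-list still matches the global (translated) address,
! exactly as the conduit did.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp host 198.51.100.7 host 203.0.113.10 eq ftp
access-group outside_in in interface outside

! After every conduit for the interface has an access-list line, remove them:
no conduit permit tcp host 203.0.113.10 eq www any
no conduit permit tcp host 203.0.113.10 eq ftp host 198.51.100.7
```

`show conduit` lists the current conduits to work from, and the same implicit-deny rule applies here: once `access-group` is bound to the outside interface, anything not listed in `outside_in` is dropped, so every conduit on that interface needs its equivalent line before the conduits are removed. Save the running config (`write mem` after `copy` or a terminal capture of `show run`) before starting, as Brent suggests, so there is a known-good state to revert to.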
 
Hi Brent,

Yes I hear ya, this will be a weekend proj. I however need to get this working for now.. I am not allowed to cut over until the new year begins as this company's change control policy is more anal than I care to deal with :)

so can I apply a conduit and a static route so that ftp traverse works both ways to and from the dmz using the 6.3 code?

Just to get them going for now... I have ASA5510's (2 for now for clustered services, vpn and IPS) but as said, I can only start this big project coming January

Any ideas?

thanks again..

blade
 