ASA pre-config
1. NAT
- inside to outside (Dynamic PAT (Hide))
- DMZ web server to the Internet (static NAT, 192.168.1.140)
2. ACL (permit FTP and HTTP over TCP from outside to the DMZ)
- Extended ACL
access-list outside_access_in line 1 extended permit tcp any host 192.168.100.10 eq ftp
access-list outside_access_in line 1 extended permit tcp any host 192.168.100.10 eq www
* FTP uses port 21 for session establishment and another port for the actual data transfer.
* In this case, an outside user can reach the FTP server on port 21 only when the FTP client is in active mode, in which the FTP server itself initiates a new connection on another port for the data transfer; the ASA can then keep watch over all the packets.
* To make passive-mode transfers work as well, we can use application inspection.
1. Application inspection for dynamically assigned ports.
Scenario:
When outside users initiate access to the FTP server on the DMZ on port 21, the FTP session can be established. However, the actual data transfer through the ASA will be denied, because the FTP session I initiate is in client passive mode and the access list only permits port 21.
As you can see, the connection to the FTP server on the DMZ is established, but the top of the picture shows that you cannot see any files.
I will add a Service Policy rule.
- I will use Default Inspection Traffic, which installs the basic configuration for many applications.
You must check the FTP check box.
Now I can download all the files from the FTP server.
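As an added example (not the configuration from the original post), here is the same NAT, ACL and FTP inspection setup from the steps above expressed as ASA CLI commands (8.3+ NAT syntax) instead of ASDM clicks. The inside subnet 10.0.0.0/24, the interface names inside/dmz/outside, and the assumption that 192.168.100.10 is the server's real DMZ address behind the mapped address 192.168.1.140 are my assumptions, not taken from the post.

```text
! --- 1. NAT (ASA 8.3+ object NAT) ---
! Assumed inside subnet; Dynamic PAT (hide) behind the outside interface address
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
! DMZ FTP/web server: assumed real address 192.168.100.10, mapped to 192.168.1.140
object network DMZ_SERVER
 host 192.168.100.10
 nat (dmz,outside) static 192.168.1.140

! --- 2. ACL from outside to the DMZ ---
! On 8.3+ the ACL references the real (DMZ) address, not the mapped one
access-list outside_access_in extended permit tcp any host 192.168.100.10 eq ftp
access-list outside_access_in extended permit tcp any host 192.168.100.10 eq www
access-group outside_access_in in interface outside

! --- 3. Application inspection for dynamically assigned ports ---
! Default inspection traffic class; "inspect ftp" lets the ASA read the
! PORT/PASV exchange on the control channel and open the data pinhole,
! so passive-mode transfers no longer need an explicit ACL entry.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
```

Verify the result with `show service-policy inspect ftp` and `show conn` while a passive-mode listing runs; the data connection should appear as a separate entry.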