ASA, static, icmp and inspect FTP
Posted by Laurent on August 22, 2008, 5:11 am
Hello,

I have an ASA box running 7.2 with a few statics and a few questions.

Let's say that the outside IP address is 85.1.1.1 and we have 4 statics for 2 web servers and 2 FTP servers (access-lists and access-group are OK):

interface Ethernet0/0
nameif outside
security-level 0
ip address 85.1.1.1 255.255.255.192
!
static (inside,outside) tcp 85.1.1.2 80 10.1.1.2 80 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.3 80 10.1.1.3 80 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.2 21 10.1.1.4 21 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.3 21 10.1.1.5 21 netmask 255.255.255.255

My first question: the ASA is replying to pings on the outside interface address 85.1.1.1, that's fine, but is there a way to have the ASA reply to ICMP pings on outside for addresses 85.1.1.2 and 85.1.1.3? Because for users, if it does not ping, then it does not work...

Second question is about static, inspect and FTP. I want to set up multiple virtual FTP servers using proftpd on a Linux box (Linux has a single IP, so proftpd will listen on multiple ports: 2021, 2022, 2023, 2024...). The statics would look like:

static (inside,outside) tcp 85.1.1.11 21 10.1.1.100 2021 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.12 21 10.1.1.100 2022 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.13 21 10.1.1.100 2023 netmask 255.255.255.255
static (inside,outside) tcp 85.1.1.14 21 10.1.1.100 2024 netmask 255.255.255.255

Will the inspect FTP work fine? The documentation is not clear: will the ASA think it is FTP because it is port 21 on outside, or will it ignore FTP because of the 2021..2024 ports on inside?

Last one is about SSH access to the ASA CLI. I had to do a static on the outside address and port 22:

static (inside,outside) tcp interface ssh 10.1.1.1 ssh netmask 255.255.255.255

Works fine, but I can't access the ASA CLI using SSH. I looked in the documentation, but I can't find a way to have the ASA listen on an alternate port for the SSH ASA CLI. Any clue?

Thanks for your attention and your help.

Best regards.

Laurent.
Posted by Scott Perry on August 22, 2008, 5:05 pm
Question #1: Is there a way to have the ASA reply to ICMP pings on outside for addresses 85.1.1.2 and 85.1.1.3?

Answer #1: Yes, change from translating just inbound TCP port 21 and inbound TCP port 80 to everything for that IP address, and then apply an access-list to inbound traffic to filter everything except FTP, HTTP, and ICMP.

no static (inside,outside) tcp 85.1.1.2 80 10.1.1.2 80 netmask 255.255.255.255
no static (inside,outside) tcp 85.1.1.3 80 10.1.1.3 80 netmask 255.255.255.255
no static (inside,outside) tcp 85.1.1.2 21 10.1.1.4 21 netmask 255.255.255.255
no static (inside,outside) tcp 85.1.1.3 21 10.1.1.5 21 netmask 255.255.255.255
!
static (inside,outside) 85.1.1.2 10.1.1.2 netmask 255.255.255.254
!
access-list inbound remark * FTP to 85.1.1.2 and 85.1.1.3
access-list inbound permit tcp any 85.1.1.2 255.255.255.254 eq 21
access-list inbound remark * HTTP to 85.1.1.2 and 85.1.1.3
access-list inbound permit tcp any 85.1.1.2 255.255.255.254 eq 80
access-list inbound remark * PING to 85.1.1.2 and 85.1.1.3
access-list inbound permit icmp any 85.1.1.2 255.255.255.254 echo
!
access-group inbound in interface outside

Question #2: Will the inspect FTP work fine? The documentation is not clear: will the ASA think it is FTP because it is port 21 on outside, or will it ignore FTP because of the 2021..2024 ports on inside?

Answer #2: No idea. You will probably have to try it for yourself. 2 out of 3 questions answered for free is still a big bonus for you.

Question #3: Works fine, but I can't access the ASA CLI using SSH. I looked in the documentation, but I can't find a way to have the ASA listen on an alternate port for the SSH ASA CLI. Any clue?

Answer #3: You cannot ever reach an IP address on an interface of a firewall from another side of a firewall. It just doesn't work like that. The static NAT translation from the outside of the firewall to the firewall's own inside IP address is not the way to go and will not work.

Just allow SSH from the outside, if you are willing to permit this.

no static (inside,outside) tcp interface ssh 10.1.1.1 ssh netmask 255.255.255.255
!
access-list inbound remark * SSH from the Internet
access-list inbound permit tcp any host 85.1.1.1 eq ssh
!
access-group inbound in interface outside
!
ssh 0.0.0.0 0.0.0.0 outside
!
crypto key zeroize rsa
crypto key generate rsa modulus 1024

-----
Scott Perry
Indianapolis, IN
-----
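As an added example (not from either post), a small Python checker for the kind of change proposed in Answer #1: it parses the static and access-list permit lines and, for each exposed global address, reports whether the inbound ACL permits each translated TCP service and whether ICMP echo can be answered at all, since a port static translates only its own protocol and port. PORT_NAMES is an assumed minimal port-name map and SAMPLE is constructed from addresses used in the thread.

```python
# Added example (not from the thread): cross-check an ASA 7.x snippet's 'static' lines against its
# inbound access-list. A port static translates one proto/port only, so it never answers ping; a net
# static does once the ACL permits ICMP. PORT_NAMES is an assumed name map; SAMPLE is constructed.
import ipaddress
from collections import defaultdict

PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "http": 80}
VERDICT = {True: "permitted", False: "blocked by ACL"}
SAMPLE = """\
static (inside,outside) tcp 85.1.1.11 21 10.1.1.100 2021 netmask 255.255.255.255
static (inside,outside) 85.1.1.2 10.1.1.2 netmask 255.255.255.254
access-list inbound permit tcp any 85.1.1.2 255.255.255.254 eq 21
access-list inbound permit icmp any 85.1.1.2 255.255.255.254 echo
"""

def _addr(t, i):
    """ACL address at t[i]: 'any', 'host X' or 'X MASK' -> (network, next token index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    spec = t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    return ipaddress.ip_network(spec, strict=False), i + 2

def parse(cfg):
    """Return (ports: global ip -> {(proto, port)}, nets: ips covered by a net static, acl entries)."""
    ports, nets, acl = defaultdict(set), set(), []
    for t in (line.split() for line in cfg.splitlines()):
        if t[:2] == ["static", "(inside,outside)"] and t[2] in ("tcp", "udp"):
            ports[ipaddress.ip_address(t[3])].add((t[2], int(PORT_NAMES.get(t[4], t[4]))))  # port static
        elif t[:2] == ["static", "(inside,outside)"]:  # net static: whole block, every protocol
            nets.update(ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False))
        elif t[:1] == ["access-list"] and t[2] == "permit":
            _, i = _addr(t, 4)  # source does not matter for destination reachability
            dst, i = _addr(t, i)
            port = int(PORT_NAMES.get(t[i + 1], t[i + 1])) if i < len(t) and t[i] == "eq" else None
            acl.append((t[3], dst, port))
    return ports, nets, acl

def permitted(acl, proto, ip, port=None):  # entry matches proto (or 'ip'), dst net, and port if given
    return any(p in (proto, "ip") and ip in net and ap in (None, port) for p, net, ap in acl)

def audit(cfg):  # one verdict per exposed TCP/UDP service, plus one ICMP echo verdict per address
    ports, nets, acl = parse(cfg)
    out = []
    for ip in sorted(set(ports) | nets):
        for proto, port in sorted(ports.get(ip, ())):
            out.append(f"{ip} {proto}/{port}: {VERDICT[permitted(acl, proto, ip, port)]}")
        icmp = VERDICT[permitted(acl, "icmp", ip)] if ip in nets else "no translation (port static only), will not ping"
        out.append(f"{ip} icmp echo: {icmp}")
    return out
```

Running audit(SAMPLE) shows the two /31 addresses answering ping while the port-static address for the virtual FTP server neither pings nor has an ACL entry.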