FTP ACL problem on an ASA 5510 firewall

Solved/Closed
brunlemon - Posts: 4 - Registered: Wednesday 18 April 2007 - Status: Member - Last activity: 7 June 2007 - 18 April 2007 at 15:48
plb - 28 April 2008 at 18:40
Hello,
I have configured my firewall so as to be able to allow http, https and FTP outbound. http and https work. However, I cannot do FTP at all. I don't understand why. In my ACLs, if I replace the www_ftp group with all ports, it works.
Thanks for your help

Below is an extract of sh conf:

: Saved
: Written by admin at 10:34:54.368 CEDT Thu Apr 5 2007
!
ASA Version 7.1(2)28
!
object-group service www_ftp tcp
port-object eq https
port-object eq www
port-object eq ftp-data
port-object eq ftp

access-list inside_nat0_outbound extended permit ip object-group LAN_societe 192.168.45.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip object-group LAN_societe 192.168.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Y.Y.49.192 255.255.255.192
access-list DMZ_FSecure_nat0_inbound extended permit ip 192.168.50.0 255.255.255.0 object-group LAN_societe
access-list DMZ_ISA-Server_nat0_inbound extended permit ip 192.168.45.0 255.255.255.0 object-group LAN_societe
access-list inside_access_in remark DNS de societe vers OLEANE
access-list inside_access_in extended permit udp object-group societe_DNS object-group OLEANE_DNS eq domain log
access-list inside_access_in extended permit ip object-group societe_Exchange object-group societe_FSECURE log
access-list inside_access_in remark protocole : http, https et ftp
access-list inside_access_in extended permit tcp object-group LAN_societe any object-group www_ftp log emergencies
access-list inside_access_in extended permit icmp object-group LAN_societe any log
access-list inside_access_in extended permit tcp object-group LAN_societe object-group societe_FSECURE object-group Fsecure log
access-list inside_access_in remark Pour permettre de consulter le site suivant
access-list inside_access_in extended permit tcp object-group LAN_societe host Z.Z.Z.Z eq 90
access-list inside_access_in extended permit udp object-group LAN_societe eq ntp any
access-list inside_access_in extended deny ip object-group LAN_societe any log
access-list inside_pnat_outbound extended permit ip object-group LAN_societe any
access-list inside_pnat_outbound_V1 extended permit ip host societe_FS1 any


access-list DMZ_FSecure_access_in extended permit udp object-group societe_FSECURE object-group societe_DNS eq domain log
access-list DMZ_FSecure_access_in extended permit tcp object-group societe_FSECURE object-group societe_Exchange eq smtp log
access-list DMZ_FSecure_access_in extended permit tcp object-group societe_FSECURE any eq smtp log
access-list DMZ_FSecure_access_in extended permit tcp object-group societe_FSECURE object-group societe_DNS eq ldap log
access-list DMZ_FSecure_access_in extended permit tcp object-group societe_FSECURE any object-group http_htpps log
access-list DMZ_FSecure_access_in extended permit icmp object-group societe_FSECURE any log
access-list DMZ_FSecure_access_in extended permit ip object-group societe_FSECURE any log
access-list DMZ_FSecure_access_in extended deny ip any any log
access-list outside_access_in extended permit tcp any host A.A.A.11 object-group http_htpps log
access-list outside_access_in extended permit tcp any host A.A.A.9 eq smtp log
access-list outside_access_in extended permit tcp any host A.A.A.10 eq smtp log
access-list outside_access_in extended permit tcp any host A.A.A.9 eq 10000 log
access-list outside_access_in extended permit tcp any host A.A.A.10 eq 10000 log
access-list outside_access_in extended permit tcp any host A.A.A.9 eq 10010 log
access-list outside_access_in extended permit tcp any host A.A.A.10 eq 10010 log
access-list outside_access_in extended permit tcp any host A.A.A.9 eq ssh log
access-list outside_access_in extended permit tcp any host A.A.A.10 eq ssh log
access-list outside_access_in extended permit icmp any host A.A.A.9 log
access-list outside_access_in extended permit icmp any host A.A.A.10 log
access-list outside_access_in extended deny ip any any log
access-list DMZ_FSecure_pnat_outbound_V1 extended permit ip host societe_FS2 any
access-list DMZ_ISA-Server_pnat_outbound extended permit ip host societe_ISA05 any
access-list DMZ_ISA-Server_access_in extended permit tcp host societe_ISA05 host societe_Exchange1 eq https log
access-list DMZ_ISA-Server_access_in extended permit udp host societe_ISA05 object-group societe_DNS eq domain log


access-list DMZ_ISA-Server_access_in extended deny ip any any log

1 reply

Hello

Add the last line:

object-group service www_ftp tcp
port-object eq https
port-object eq www
port-object eq ftp-data
port-object eq ftp
___________________
port-object gt 1024
---------------------------------


Regards
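To see why the posted www_ftp group lets http/https through but not FTP, and what the suggested "port-object gt 1024" changes, here is an added example (not from the original post or from Cisco): a small first-match evaluator for the two inside_access_in lines that decide outbound TCP from the LAN. It handles only the ASA syntax that appears in the post; the 192.168.1.0/24 network, the client address and the data port are constructed stand-ins for LAN_societe and a real FTP session.

```python
# Added example: a first-match model of 'permit tcp LAN_societe any object-group
# www_ftp' followed by 'deny ip LAN_societe any', used to test the posted group
# against a passive-mode FTP session. Only the syntax in the post is handled;
# the LAN network, client address and data port are constructed stand-ins.
import ipaddress

WELL_KNOWN = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20}  # IANA names
ORIGINAL_GROUP = ["port-object eq https", "port-object eq www",
                  "port-object eq ftp-data", "port-object eq ftp"]
FIXED_GROUP = ORIGINAL_GROUP + ["port-object gt 1024"]  # the answer's extra line

def parse_port_group(lines):
    """Turn 'port-object eq|gt <port>' lines into one predicate on a dst port."""
    preds = []
    for line in lines:
        op, value = line.split()[1:]
        port = WELL_KNOWN.get(value) or int(value)
        if op == "eq":
            preds.append(lambda p, port=port: p == port)
        elif op == "gt":
            preds.append(lambda p, port=port: p > port)
        else:
            raise ValueError(f"unsupported operator in {line!r}")
    return lambda p: any(pred(p) for pred in preds)

def build_acl(lan, dst_ok):
    """Model the permit-tcp-to-www_ftp entry followed by the deny-ip-LAN-any entry."""
    return [("permit", "tcp", lan, dst_ok), ("deny", "ip", lan, lambda p: True)]

def evaluate(acl, src_ip, proto, dst_port):
    """First matching entry wins, as on the ASA; implicit deny if nothing matches."""
    for action, aproto, net, dst_ok in acl:
        if src_ip in net and aproto in ("ip", proto) and dst_ok(dst_port):
            return action
    return "deny"

def ftp_outcome(group_lines):
    """(control, data) verdicts for a passive-mode FTP session from a LAN client."""
    lan = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN_societe
    acl = build_acl(lan, parse_port_group(group_lines))
    client = ipaddress.ip_address("192.168.1.25")
    control = evaluate(acl, client, "tcp", 21)     # control channel to port 21
    data = evaluate(acl, client, "tcp", 50123)     # server-announced PASV data port
    return control, data

if __name__ == "__main__":
    for name, group in (("original", ORIGINAL_GROUP), ("with gt 1024", FIXED_GROUP)):
        print(name, "control/data:", ftp_outcome(group))
```

The control channel to port 21 is permitted in both cases; only the data connection to the server-chosen high port is what the original group rejects and the gt 1024 line admits. Permitting every port above 1024 is a broad rule; the ASA's narrower mechanism is FTP inspection (inspect ftp in the policy-map), which opens only the data port negotiated on the control channel.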