04-29-2007 12:27 PM - edited 03-11-2019 03:06 AM
I just set up an ASA 5505...the last issue I have is I can't access FTP on the outside network.
Please see config attached.
Thanks.
04-29-2007 01:28 PM
Well, you have a few weird things in this config:
1. your global (outside) 1 has a wrong netmask
2. you have no interface specified for inside but you have a nat (inside)
3. you don't need these access lists vengra_access_in and vengra_access_out
when you do NAT it allows anything from a higher security interface (your int vengra) to any lower security interface (outside)
Well, I saw a couple more weird options, but anyway I'll tell you why you cannot access FTP:
you need a policy inspection.
Just type this as I have it here.
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
service-policy global_policy global
This is the default policy inspection for the ASA. I don't recommend you remove it; you may want to tweak it a little bit, but I would not take it out.
To get more information on FTP go to http://slacksite.com/other/ftp.html
and I also recommend you take a look at the types of firewall - packet filter, proxy filter and Stateful Packet Filter.
PIXes and ASAs are Stateful Packet Filters.
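The reply above explains that a stateful firewall needs `inspect ftp` because FTP negotiates its data-channel port inside the control channel. The following Python is an added illustration (not part of the thread and not Cisco's implementation) of the parsing such an inspection engine performs: it reads the client's PORT command and the server's 227 passive-mode reply and derives the data-channel endpoint the firewall must open a pinhole for. The control-channel exchange is constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample FTP control-channel exchange (not from the thread).
# Active mode: the client says where the server should connect (PORT h1,h2,h3,h4,p1,p2).
# Passive mode: the server says where the client should connect (227 ... (h1,h2,h3,h4,p1,p2)).
SAMPLE_CONTROL = [
    ("client", "PORT 192,168,1,10,7,208"),
    ("server", "200 PORT command successful"),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,5,195,80)"),
]

# Six comma-separated decimal octets: four for the address, two for the port.
_ADDR = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    mode: str   # "active" or "passive"
    host: str   # address the data connection will be made to
    port: int   # TCP port the data connection will be made to


def parse_endpoint(text):
    """Return (host, port) encoded in a PORT command or 227 reply, else None."""
    m = _ADDR.search(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(o > 255 for o in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed octet; a real inspector would drop the command
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def derive_pinholes(exchange):
    """Walk a control-channel exchange and list the data channels it negotiates."""
    pinholes = []
    for side, line in exchange:
        if side == "client" and line.upper().startswith("PORT "):
            ep = parse_endpoint(line)
            if ep:
                pinholes.append(Pinhole("active", *ep))
        elif side == "server" and line.startswith("227"):
            ep = parse_endpoint(line)
            if ep:
                pinholes.append(Pinhole("passive", *ep))
    return pinholes


if __name__ == "__main__":
    for p in derive_pinholes(SAMPLE_CONTROL):
        print(f"{p.mode}: allow data connection to {p.host}:{p.port}")
```

Without this inspection a plain stateful filter only sees the control session on port 21 and has no way to know that a connection to port 2000 or 50000 belongs to the same FTP transfer, which is exactly the symptom the original poster hit.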
04-30-2007 05:49 AM
Thanks. What are the other weird options you see?
04-30-2007 06:58 AM
Well, I added what you specified and it still does not seem to work...also when I remove the vengra access list I can't get to the outside.
Using the GUI when I specify the global pool it says the netmask is optional. I did not specify and I guess what you see is what it put for a default...what do you recommend?
Thanks
Edit:
Apparently it did not keep what I put in...I saw it...I rebooted the appliance and it must have erased it...? I entered it through the GUI command line interface...I will try again.
04-30-2007 08:05 AM
I re-entered and saved and it works.
04-30-2007 01:54 PM
Nothing serious, but for example:
mtu inside 1500
mtu outside 1500
mtu vengra 1500
It's not really needed.
PS. When you make changes to the NATting, do a clear xlate for the changes to take effect!
cya