Could not Access the FTP server from the outside interface (ASA 5510)

jclim
Level 1

Dear All,

I am setting up a test environment with the following configuration. Although I have created the ACL and also enabled the port redirection, I am still not able to access the FTP server from the outside.

ASA Version 7.0(6)
!
hostname ACN-GW
domain-name anc.com
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
 nameif Student
 security-level 50
 ip address 192.168.101.1 255.255.255.0
!
 nameif management
 security-level 0
 ip address 192.168.200.1 255.255.255.0
 management-only
!
ftp mode passive
access-list acl_inbound extended permit tcp any host 172.16.10,1 eq ftp
access-list acl_inbound extended permit tcp any host 172.16.10.1 eq ftp-data
!
tcp-map map
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Student) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 172.16.10.1 ftp 192.168.100.2 ftp netmask 255.255.255.255
static (inside,outside) tcp 172.16.10.1 ftp-data 192.168.100.2 ftp-data netmask 255.255.255.255
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.10.2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ftp
!
service-policy global_policy global
: end

Kindly advise: did I miss something in the configuration?

JC


froggy3132000
Level 3

instead of

access-list acl_inbound extended permit tcp any host 172.16.10,1 eq ftp

it should read

access-list acl_inbound extended permit tcp any any eq ftp

bdube
Level 2

Hi JC,

I have exactly the same issue as you. I also started a conversation: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddff247

I don't have the answer right now. Did you find out how to make it work?

Thanks

Ben
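A consistency check over the ACL, static and access-group lines posted in this thread, added here as an example and not written by any of the posters: it reports ACL entries whose host address is not a valid IPv4 literal and static port redirections that no entry of the interface's bound ACL permits. The function and variable names are assumptions of this example, and it tests only these three line types, so a clean result does not establish that FTP will work.

```python
import ipaddress
import re

# Lines copied from the configuration posted in the thread (comma kept as posted).
POSTED = """\
access-list acl_inbound extended permit tcp any host 172.16.10,1 eq ftp
access-list acl_inbound extended permit tcp any host 172.16.10.1 eq ftp-data
static (inside,outside) tcp 172.16.10.1 ftp 192.168.100.2 ftp netmask 255.255.255.255
static (inside,outside) tcp 172.16.10.1 ftp-data 192.168.100.2 ftp-data netmask 255.255.255.255
access-group acl_inbound in interface outside
"""
# The same lines with the replacement ACL entry suggested in the first reply.
SUGGESTED = POSTED.replace("any host 172.16.10,1 eq ftp", "any any eq ftp")

ACL = re.compile(r"access-list (\S+) extended permit tcp any (any|host (\S+)) eq (\S+)$")
STATIC = re.compile(r"static \((\w+),(\w+)\) tcp (\S+) (\S+) ")
GROUP = re.compile(r"access-group (\S+) in interface (\S+)$")


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def check(config):
    """Return (malformed ACL lines, mapped ports of statics with no matching permit)."""
    lines = [line.strip() for line in config.splitlines()]
    bound = {m[2]: m[1] for m in map(GROUP.match, lines) if m}  # interface -> ACL name
    permits, malformed = [], []
    for m in filter(None, map(ACL.match, lines)):
        name, dst, host, port = m.groups()
        if dst != "any" and not is_ipv4(host):
            malformed.append(m.group(0))  # host is not a valid dotted-quad address
            continue
        permits.append((name, host, port))  # host is None when the destination is "any"
    uncovered = []
    for m in filter(None, map(STATIC.match, lines)):
        _real_if, mapped_if, mapped_ip, mapped_port = m.groups()
        # Pre-8.3 ASA software matches the inbound ACL against the mapped address.
        if not any(n == bound.get(mapped_if) and h in (None, mapped_ip) and p == mapped_port
                   for n, h, p in permits):
            uncovered.append(mapped_port)
    return malformed, uncovered


if __name__ == "__main__":
    print(check(POSTED))
    print(check(SUGGESTED))
```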
