FTP configuration for ASA

Unanswered Question
Sep 8th, 2008

I have public IP address A.B.C.D for FTP. I want to place my FTP server in the DMZ. I have configured the ASA with the following configuration.

static (DMZ,outside) A.B.C.D netmask

access-list ftpserver extended permit tcp any host A.B.C.D eq ftp

access-group webserver in interface outside

global (outside) 1 interface

global (DMZ) 1 interface

nat (inside) 1 0 0

The problem with the above configuration is that my inside hosts communicate with the FTP server, but the hosts on the Internet are not communicating with the live IP address. Please help me in this regard.

satya.singh Wed, 09/10/2008 - 00:06

Hi, I do not see ACL "ftpserver" mapped to the outside interface, which should be like:

access-group ftpserver in interface outside


satya.singh Wed, 09/10/2008 - 00:09

I'd also suggest that the outside-to-DMZ ACL be made with the name "Outside_access_in" and that this be mapped to the outside interface like:

access-group Outside_access_in in interface Outside

This should help you keep adding firewall rules for Outside-DMZ traffic while the ACL remains mapped to the Outside interface.

itdsmartnet Wed, 09/10/2008 - 01:37

I have configured FTP as per the above instructions.

Now the problem is that my inside hosts access FTP with the private IP address of the DMZ, and if I want them to access it with the public address, they will not. Any other host on the Internet is accessing FTP with the public IP address, but not the inside hosts.

Marwan ALshawi Wed, 09/10/2008 - 01:47

Of course the inside host can't access the FTP through the public address, because it is establishing the connection from the inside.

And the NAT statement you have maps the public address for the DMZ network only.

Marwan ALshawi Wed, 09/10/2008 - 02:38

Why do you want the inside users to use the public IP while they can reach it through the private one?

itdsmartnet Wed, 09/10/2008 - 02:55

I just want to check if the FTP server is working from outside or not.

Marwan ALshawi Wed, 09/10/2008 - 03:00

OK, use any outside connection, like an Internet cafe or mobile.

Because if you don't need it, you don't need to put yourself in a complex issue; this thing is a bit complex.

To make sure your config is good you need to have:

static (dmz,outside) a.a.a.a b.b.b.b netmask

static (dmz,outside) tcp a.a.a.a ftp b.b.b.b ftp netmask

where a.a.a.a is the public IP

access-list 100 permit tcp any host a.a.a.a eq ftp

access-group 100 in interface outside

Also make sure you have the FTP inspection enabled on the default inspection policy.

Good luck.

If helpful, rate.
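As an added illustration, not code from this thread or from Cisco, the following Python script reads an ASA 8.x-style configuration and flags the mismatches the replies above point at: an access-list that is defined but never bound with access-group, an access-group that names an ACL which does not exist, a static translation on the outside interface that no inbound ACL permits, and a policy with no inspect ftp. The two sample configurations, the addresses 203.0.113.10 and 10.1.1.5, and the interface names are constructed for the example; the first sample reproduces the shape of the original poster's configuration with the access-group naming the wrong ACL.

```python
import re
from collections import defaultdict

# Constructed sample: an ASA 8.x configuration in the shape of the original
# post, with access-group pointing at an ACL that is never defined and no
# FTP inspection in the policy.
BROKEN_CONFIG = """\
static (DMZ,outside) 203.0.113.10 10.1.1.5 netmask 255.255.255.255
access-list ftpserver extended permit tcp any host 203.0.113.10 eq ftp
access-group webserver in interface outside
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0 0
"""

# Constructed sample: the same configuration with the ACL actually bound to
# the outside interface and FTP inspection present in the global policy.
FIXED_CONFIG = """\
static (DMZ,outside) 203.0.113.10 10.1.1.5 netmask 255.255.255.255
access-list ftpserver extended permit tcp any host 203.0.113.10 eq ftp
access-group ftpserver in interface outside
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0 0
policy-map global_policy
 class inspection_default
  inspect ftp
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
# static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip ...
STATIC_RE = re.compile(r"^static\s+\(\s*(\S+?)\s*,\s*(\S+?)\s*\)\s+(?:tcp\s+|udp\s+)?(\S+)\s+")
INSPECT_FTP_RE = re.compile(r"^inspect\s+ftp\b")


def parse_config(text):
    """Pull out ACL entries, access-group bindings, statics and FTP inspection."""
    acls = defaultdict(list)   # ACL name -> list of rule bodies
    groups = {}                # (interface, direction) -> ACL name
    statics = []               # (real_ifc, mapped_ifc, mapped_ip)
    ftp_inspect = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append(m.group(3))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[(m.group(3).lower(), m.group(2))] = m.group(1)
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append((m.group(1).lower(), m.group(2).lower(), m.group(3)))
            continue
        if INSPECT_FTP_RE.match(line):
            ftp_inspect = True
    return {"acls": dict(acls), "groups": groups, "statics": statics,
            "ftp_inspect": ftp_inspect}


def audit(text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    cfg = parse_config(text)
    findings = []
    applied = set(cfg["groups"].values())
    for (iface, direction), name in cfg["groups"].items():
        if name not in cfg["acls"]:
            findings.append(f"access-group on interface {iface} ({direction}) "
                            f"references undefined ACL '{name}'")
    for name in cfg["acls"]:
        if name not in applied:
            findings.append(f"ACL '{name}' is defined but not applied with access-group")
    # Every address published on outside by a static should be reachable
    # through the ACL bound inbound on outside, otherwise the translation
    # exists but nothing from the Internet is permitted through it.
    outside_acl = cfg["groups"].get(("outside", "in"))
    entries = cfg["acls"].get(outside_acl, []) if outside_acl else []
    for _real, mapped, mapped_ip in cfg["statics"]:
        if mapped == "outside" and not any(f"host {mapped_ip}" in e for e in entries):
            findings.append(f"static publishes {mapped_ip} on outside but no "
                            f"inbound ACL applied on outside permits it")
    if not cfg["ftp_inspect"]:
        findings.append("no 'inspect ftp' found: FTP data connections will not be "
                        "opened by the firewall")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
```

The parser only understands the pre-8.3 static/global/nat syntax used in this thread; on 8.3 and later the object NAT syntax would need its own pattern, and the ACL check would compare against the real (DMZ) address rather than the mapped one.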
