FTP configuration for ASA

Unanswered Question
Sep 8th, 2008
I have a public IP address A.B.C.D for FTP. I want to place my FTP server in the DMZ. I have configured the ASA with the following configuration.

static (DMZ,outside) A.B.C.D 10.130.1.2 netmask 255.255.255.255

access-list ftpserver extended permit tcp any host A.B.C.D eq ftp

access-group webserver in interface outside

global (outside) 1 interface

global (DMZ) 1 interface

nat (inside) 1 0 0


The problem with the above configuration is that my inside host communicates with the FTP server, but the hosts on the internet were not communicating with the live IP address. Please help me in this regard.
satya.singh Wed, 09/10/2008 - 00:06

Hi, I do not see the ACL "ftpserver" mapped to the outside interface, which should be like:


access-group ftpserver in interface outside


HTH
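
As an added example (not part of the original thread and not Cisco tooling): a small Python check for the mismatch this reply points out, an ACL that is defined but never bound and an `access-group` naming an ACL that does not exist. The function name `audit_asa_config` and the sample are constructed here from the question's configuration; the regexes cover only the command forms shown in this thread.

```python
import re

# Constructed sample: the configuration lines from the original question.
SAMPLE_CONFIG = """\
static (DMZ,outside) A.B.C.D 10.130.1.2 netmask 255.255.255.255
access-list ftpserver extended permit tcp any host A.B.C.D eq ftp
access-group webserver in interface outside
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0 0
"""

ACL_RE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(.*)", re.I)
GROUP_RE = re.compile(r"access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.I)
STATIC_RE = re.compile(r"static\s+\(\s*\S+?\s*,\s*(\S+?)\s*\)\s+(?:(?:tcp|udp)\s+)?(\S+)", re.I)


def audit_asa_config(text):
    """Return findings about ACL bindings and statically published addresses."""
    acls, groups, statics = {}, [], []
    for line in map(str.strip, text.splitlines()):
        if m := ACL_RE.fullmatch(line):
            acls.setdefault(m.group(1), []).append((m.group(2).lower(), m.group(3).split()))
        elif m := GROUP_RE.fullmatch(line):
            groups.append((m.group(1), m.group(2).lower()))
        elif m := STATIC_RE.match(line):
            statics.append((m.group(1).lower(), m.group(2)))  # (mapped interface, mapped IP)

    findings = []
    for name, ifc in groups:
        if name not in acls:
            findings.append(f"access-group on '{ifc}' references undefined ACL '{name}'")
    bound = {name for name, _ in groups}
    for name in acls:
        if name not in bound:
            findings.append(f"ACL '{name}' is defined but not applied to any interface")
    # Heuristic: a published address needs a permit entry naming it ("host <ip>")
    # in an ACL bound inbound on the mapped interface.
    for ifc, ip in statics:
        rules = [r for name, g_ifc in groups if g_ifc == ifc for r in acls.get(name, [])]
        if not any(act == "permit" and ("host", ip) in zip(tok, tok[1:]) for act, tok in rules):
            findings.append(f"no inbound permit on '{ifc}' for published address {ip}")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the question's configuration it reports all three symptoms of the same mistake; with `access-group ftpserver in interface outside` in place it reports nothing.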


satya.singh Wed, 09/10/2008 - 00:09

I'd also suggest that the outside-to-DMZ ACL be made with the name "Outside_access_in" and that this be mapped to the outside interface like:


access-group Outside_access_in in interface Outside


This should help you keep adding firewall rules for Outside-DMZ traffic while the ACL remains mapped to the Outside interface.

itdsmartnet Wed, 09/10/2008 - 01:37

I have configured FTP as per the above instructions.

Now the problem is that my inside hosts access FTP with the private IP address of the DMZ, and if I want them to access it with the public address they will not. Any other hosts on the internet are accessing FTP with the public IP address, but not the inside hosts.

Marwan ALshawi Wed, 09/10/2008 - 01:47

Of course the inside host can't access the FTP through the public address, because it is establishing the connection from the inside,

and the NAT statement you have maps the public address for the DMZ network only.


Marwan ALshawi Wed, 09/10/2008 - 02:38

Why do you want the inside users to use the public IP when they can reach it through the private one?

itdsmartnet Wed, 09/10/2008 - 02:55

Hi,

I just want to check if the FTP server is working from outside or not.

Marwan ALshawi Wed, 09/10/2008 - 03:00

OK, use any outside connection, like an internet cafe or mobile,

because if you don't need it, you don't need to put yourself in a complex issue; this thing is a bit complex.


To make sure your config is good, you need to have:


static (dmz,outside) a.a.a.a b.b.b.b netmask 255.255.255.255


OR


static (dmz,outside) tcp a.a.a.a ftp b.b.b.b ftp netmask 255.255.255.255


where a.a.a.a is the public IP


access-list 100 permit tcp any host a.a.a.a eq ftp


access-group 100 in interface outside


Also make sure you have FTP inspection enabled in the default inspection policy.


Good luck.


If helpful, rate.