FTP configuration for ASA

itdsmartnet
Level 1

I have a public IP address A.B.C.D for FTP. I want to place my FTP server in the DMZ. I have configured the ASA with the following configuration.

static (DMZ,outside) A.B.C.D 10.130.1.2 netmask 255.255.255.255

access-list ftpserver extended permit tcp any host A.B.C.D eq ftp

access-group webserver in interface outside

global (outside) 1 interface

global (DMZ) 1 interface

nat (inside) 1 0 0

The problem with the above configuration is that my inside host communicates with the FTP server, but the hosts on the Internet were not communicating with the live IP address. Please help me in this regard.

8 Replies

satya.singh
Level 1

Hi, I do not see ACL "ftpserver" mapped to outside interface which should be like

access-group ftpserver in interface outside

HTH
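The mismatch pointed out in this reply can be caught mechanically. The following is an added example, not part of the original thread or any Cisco tool: a small Python check that cross-references `static`, `access-list` and `access-group` lines. The function name `lint_asa` is hypothetical, and the parser only understands the pre-8.3 `permit <proto> any host <ip>` form used on this page.

```python
import re

# Constructed sample: the configuration lines quoted in the question.
SAMPLE_CONFIG = """\
static (DMZ,outside) A.B.C.D 10.130.1.2 netmask 255.255.255.255
access-list ftpserver extended permit tcp any host A.B.C.D eq ftp
access-group webserver in interface outside
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0 0
"""

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+\S+\s+any\s+host\s+(\S+)", re.I)
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.I)
# static (real_if,mapped_if) [tcp|udp] mapped_ip ...
STATIC_RE = re.compile(r"^static\s+\((\S+?),\s*(\S+?)\)\s+(?:(?:tcp|udp)\s+)?(\S+)", re.I)


def lint_asa(config):
    """Return a list of findings about ACLs, bindings and static mappings."""
    acl_hosts = {}  # ACL name -> destination hosts it permits
    bound = {}      # interface -> ACL bound inbound on it
    statics = []    # (mapped interface, mapped IP)
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acl_hosts.setdefault(m.group(1), set()).add(m.group(2))
        elif m := GROUP_RE.match(line):
            # Assumption of this sketch: interface names compared case-insensitively.
            bound[m.group(2).lower()] = m.group(1)
        elif m := STATIC_RE.match(line):
            statics.append((m.group(2).lower(), m.group(3)))

    findings = []
    for iface, name in bound.items():
        if name not in acl_hosts:
            findings.append(f"{iface}: bound ACL '{name}' has no permit entries in this config")
    for name in acl_hosts:
        if name not in bound.values():
            findings.append(f"ACL '{name}' is defined but not bound to any interface")
    for iface, ip in statics:
        if ip not in acl_hosts.get(bound.get(iface), set()):
            findings.append(f"{iface}: static mapping {ip} is not permitted by the bound ACL")
    return findings


if __name__ == "__main__":
    for finding in lint_asa(SAMPLE_CONFIG):
        print(finding)
```

Run against the question's configuration it reports all three symptoms of the same mistake; changing the `access-group` line to name `ftpserver` clears them.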

satya.singh
Level 1

I'd also suggest that outside to DMZ ACL be made with name "Outside_access_in" and this be mapped to outside interface like

access-group Outside_access_in in interface Outside

This should help you keep adding firewall rules for Outside-DMZ traffic while the ACL remains mapped to Outside interface.

I have configured FTP as per the above instructions.

Now the problem is that my inside hosts access FTP with the private IP address of the DMZ, and if I want them to access it with the public address they will not. Any other hosts on the Internet are accessing FTP with the public IP address, but not the inside hosts.

Of course the inside host can't access the FTP through the public address, because it is establishing the connection from the inside,

and the NAT statement you have maps the public address for the DMZ network only.

How should I do this?

Please help me.

Thanks

Why do you want the inside users to use the public IP while they can reach it through the private one?

Hi,

I just want to check if the FTP server is working from outside or not.

OK, use any outside connection, like an internet cafe, mobile.

Because if you don't need it, you don't need to put yourself in a complex issue; this thing is a bit complex.

To make sure your config is good, you need to have

static (dmz,outside) a.a.a.a b.b.b.b netmask 255.255.255.255

OR

static (dmz,outside) tcp a.a.a.a ftp b.b.b.b ftp netmask 255.255.255.255

while a.a.a.a is the public IP

access-list 100 permit tcp any host a.a.a.a eq ftp

access-group 100 in interface outside

Also make sure you have the FTP inspection enabled on the default inspection policy.

Good luck

If helpful, rate.
