09-08-2008 10:14 PM - edited 03-03-2019 11:27 PM
I have a public IP address A.B.C.D for FTP. I want to place my FTP server in the DMZ. I have configured the ASA with the following configuration.
static (DMZ,outside) A.B.C.D 10.130.1.2 netmask 255.255.255.255
access-list ftpserver extended permit tcp any host A.B.C.D eq ftp
access-group webserver in interface outside
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0 0
The problem with the above configuration is that my inside hosts communicate with the FTP server, but the hosts on the internet were not communicating with the live IP address. Please help me in this regard.
09-10-2008 12:06 AM
Hi, I do not see ACL "ftpserver" mapped to outside interface which should be like
access-group ftpserver in interface outside
HTH
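The mismatch pointed out in the reply above (ACL "ftpserver" defined, `access-group` naming "webserver") can be caught mechanically before a config is applied. The following is an added example, not code from the thread or from Cisco; the function name `audit_acl_bindings` is hypothetical and the embedded sample is the configuration from the question.

```python
import re

# Sample input: the configuration posted in the question, embedded inline.
SAMPLE_CONFIG = """\
static (DMZ,outside) A.B.C.D 10.130.1.2 netmask 255.255.255.255
access-list ftpserver extended permit tcp any host A.B.C.D eq ftp
access-group webserver in interface outside
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0 0
"""

# Lines that define an ACL entry: "access-list <name> ..."
ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s", re.M)
# Lines that bind an ACL to an interface:
# "access-group <name> in|out interface <ifname>"
GROUP_RE = re.compile(
    r"^\s*access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)", re.M
)


def audit_acl_bindings(config):
    """Cross-check access-list definitions against access-group bindings.

    Returns a dict with:
      undefined_bindings: (acl, direction, interface) tuples whose ACL
                          name has no access-list line in the config.
      unbound_acls:       ACL names defined but never bound to an
                          interface. This is a heuristic for interface
                          filtering only: an ACL may legitimately be
                          referenced by other commands instead.
    """
    defined = set(ACL_RE.findall(config))
    bindings = GROUP_RE.findall(config)
    bound = {name for name, _direction, _ifname in bindings}
    return {
        "undefined_bindings": [b for b in bindings if b[0] not in defined],
        "unbound_acls": sorted(defined - bound),
    }


if __name__ == "__main__":
    report = audit_acl_bindings(SAMPLE_CONFIG)
    for acl, direction, ifname in report["undefined_bindings"]:
        print(f"access-group references undefined ACL '{acl}' "
              f"({direction} on {ifname})")
    for acl in report["unbound_acls"]:
        print(f"ACL '{acl}' is defined but not bound to any interface")
```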
09-10-2008 12:09 AM
I'd also suggest that outside to DMZ ACL be made with name "Outside_access_in" and this be mapped to outside interface like
access-group Outside_access_in in interface Outside
This should help you keep adding firewall rules for Outside-DMZ traffic while the ACL remains mapped to Outside interface.
09-10-2008 01:37 AM
I have configured FTP as per the above instructions.
Now the problem is that my inside hosts access FTP with the private IP address of the DMZ, and if I want them to access it with the public address, they cannot. Other hosts on the internet are accessing FTP with the public IP address, but not the inside hosts.
09-10-2008 01:47 AM
Of course the inside host can't access FTP through the public address, because it is establishing the connection from the inside,
and the NAT statement you have maps the public address for the DMZ network only.
09-10-2008 01:54 AM
How should I do this?
Please help me.
Thanks
09-10-2008 02:38 AM
Why do you want the inside users to use the public IP when they can reach it through the private one?
09-10-2008 02:55 AM
Hi,
I just want to check if the FTP server is working from outside or not.
09-10-2008 03:00 AM
OK, use any outside connection, like an internet cafe or mobile,
because if you don't need it, you don't need to put yourself into a complex issue; this thing is a bit complex.
To make sure your config is good, you need to have
static (dmz, outside) a.a.a.a b.b.b.b netmask 255.255.255.255
OR
static (dmz, outside) tcp a.a.a.a ftp b.b.b.b ftp netmask 255.255.255.255
where a.a.a.a is the public IP
access-list 100 extended permit tcp any host a.a.a.a eq ftp
access-group 100 in interface outside
Also make sure you have FTP inspection enabled in the default inspection policy.
good luck
if helpful Rate