Basic FTP configuration in ASA

Answered Question
Sep 9th, 2008

Hi, I want to place my FTP server in the DMZ and I have the public IP a.b.c.d. How can I configure my ASA to have FTP access for both inside and outside users?

Thanks

satish_zanjurne Tue, 09/09/2008 - 21:38

Hi,

Suppose your public IP address is 192.168.1.2 and the DMZ IP address is 172.16.1.9.

And the inside subnet is 10.0.0.0/24.

For inside-to-DMZ access we have mapped the same private address to itself using a net static.

----------------------------------------

static (dmz,outside) 192.168.1.2 172.16.1.9 netmask 255.255.255.255

static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0

access-list 100 permit tcp any host 192.168.1.2 eq ftp

access-group 100 in interface outside

HTH...rate if helpful...

itdsmartnet Tue, 09/09/2008 - 22:49

Thanks for your reply. I have configured it with the above configuration. My inside network is accessing the FTP server via the DMZ IP address 172.16.1.9, but inside hosts were unable to access FTP via the public IP. Please help in this matter.

Correct Answer
satish_zanjurne Tue, 09/09/2008 - 23:40

hi,

Use destination NAT in this case. Add the following configuration to your existing config.

static ( dmz , inside ) 192.168.1.2 172.16.1.9 netmask 255.255.255.255

Also, to let inside hosts access the internet, you can add the following commands if you want.

nat ( inside ) 1 10.0.0.0 255.255.255.0

global ( outside ) 1 interface

HTH...rate if helpful..

itdsmartnet Wed, 09/10/2008 - 00:06

thanks

But when I do the above configuration I cannot access FTP with its local IP address, i.e. the DMZ IP address, and my internet browsing also stops.

satish_zanjurne Wed, 09/10/2008 - 00:09

OK!!!

Remove the

nat ( inside ) 1

global ( outside ) 1

statements from the config and see if browsing is working or not.

itdsmartnet Wed, 09/10/2008 - 01:48

So how can I now access the FTP server in the DMZ with its local IP address? I can access it with its public IP now. I want to have FTP access with both its private and public IPs.

Thanks

itdsmartnet Wed, 09/10/2008 - 03:03

The configuration is as follows:

:
ASA Version 7.1(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address A.B.C.D
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 30.30.30.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.5.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list webserver extended permit tcp any host C.D.E.F eq ftp
pager lines 24
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.252
static (DMZ,outside) C.D.E.F 10.5.0.5 netmask 255.255.255.255
static (DMZ,inside) C.D.E.F 10.5.0.5 netmask 255.255.255.255
access-group webserver in interface outside
route outside 0.0.0.0 0.0.0.0 221.120.214.1 1
route inside 192.168.0.0 255.255.240.0 30.30.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 30.30.30.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:a648fc19e2c8d7bcf4abdde0f1ee8725
: end

satish_zanjurne Wed, 09/10/2008 - 03:46

Remove the

"global (DMZ) 1 interface"

statement and add the statement below:

"static (inside,dmz) 30.30.30.0 30.30.30.0 netmask 255.255.255.252"

This should work.

itdsmartnet Wed, 09/10/2008 - 03:52

hi,

When I remove the global (DMZ) 1 interface statement, my FTP from the inside network stops working.

Thanks

satish_zanjurne Wed, 09/10/2008 - 04:17

OK!!! Now:

1. Are you able to access the internet?

2. Are you able to access FTP from outside?

3. Are you able to access FTP from inside with the public IP address?

4. Are you able to access FTP from inside with the private IP address?

Let me know on this.

itdsmartnet Wed, 09/10/2008 - 20:51

hi,

With this configuration, as you told me:

access-list webserver extended permit tcp any host a.b.c.d eq ftp
global (outside) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.252
static (DMZ,outside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
static (inside,DMZ) 30.30.30.0 30.30.30.0 netmask 255.255.255.252
static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
access-group webserver in interface outside
route outside 0.0.0.0 0.0.0.0 e.f.g.h 1
route inside 192.168.0.0 255.255.240.0 30.30.30.2 1

I can now report:

1. Able to access the internet.

2. Able to FTP from outside.

3. Able to access FTP from inside with the public address.

4. Not able to access FTP from inside with the private IP address.

satish_zanjurne Wed, 09/10/2008 - 23:52

I am not sure, but try removing the statement below!!!

static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255

itdsmartnet Thu, 09/11/2008 - 00:06

hi,

When I remove

static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255

I can access FTP with the private IP address and cannot access FTP with its public IP address.
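The thread ends on a trade-off between the two static statements, which is the kind of thing worth catching by reading the configuration rather than by trial and error. The following is an added example, not code from the thread or from Cisco: a small offline audit of the pre-8.3 ASA configuration posted above. It embeds an excerpt of that configuration (the poster's A.B.C.D / C.D.E.F redactions are kept as literal placeholders), parses the static, global, access-list, icmp and telnet lines, and returns review findings. The rule names and messages are this example's own; they are not output the ASA produces.

```python
"""Added example (not from the thread): an offline audit of the ASA 7.x
configuration posted above.  Parses the pre-8.3 NAT syntax plus a few
management settings and returns (category, message) findings."""
import re
from collections import defaultdict

# Constructed excerpt of the poster's running-config.  A.B.C.D and C.D.E.F
# are the poster's own redactions of public addresses, kept as placeholders.
ASA_CONFIG = """\
ftp mode passive
access-list webserver extended permit tcp any host C.D.E.F eq ftp
logging trap debugging
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.252
static (DMZ,outside) C.D.E.F 10.5.0.5 netmask 255.255.255.255
static (DMZ,inside) C.D.E.F 10.5.0.5 netmask 255.255.255.255
access-group webserver in interface outside
telnet 30.30.30.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
"""

# 'static (real_if,mapped_if) mapped real netmask mask' (pre-8.3 syntax).
STATIC_RE = re.compile(r"^static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) "
                       r"(?P<mapped>\S+) (?P<real>\S+) netmask (?P<mask>\S+)")
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) "
                    r"(?P<proto>\S+) (?P<src>any|host \S+) (?P<dst>any|host \S+)"
                    r"(?: eq (?P<port>\S+))?")
GLOBAL_RE = re.compile(r"^global \((?P<if>[^)]+)\) (?P<id>\d+) ")
ICMP_RE = re.compile(r"^icmp permit any (?P<if>\S+)$")
TELNET_RE = re.compile(r"^telnet (?P<net>\S+) (?P<mask>\S+) (?P<if>\S+)$")


def parse_statics(config):
    """Return one dict (real_if, mapped_if, mapped, real, mask) per static line."""
    return [m.groupdict() for m in map(STATIC_RE.match, config.splitlines()) if m]


def audit(config):
    """Return a list of (category, message) findings for the configuration text."""
    findings = []

    # Rule 1: one real host published toward more than one interface.  The
    # thread hits exactly this with 10.5.0.5 (toward outside and inside) and
    # reports that inside hosts then reach it only by the mapped address.
    by_real = defaultdict(list)
    for s in parse_statics(config):
        by_real[(s["real_if"], s["real"])].append(s["mapped_if"])
    for (real_if, real), mapped_ifs in by_real.items():
        if len(mapped_ifs) > 1:
            findings.append(("nat-overlap",
                f"{real_if} host {real} is published toward {', '.join(mapped_ifs)}; "
                "test reachability from each side by both the real and the mapped address"))

    for line in config.splitlines():
        g = GLOBAL_RE.match(line)
        if g and g.group("if") != "outside":
            # Rule 2: a PAT pool on an internal interface.  Inside clients using it
            # appear to DMZ servers as the DMZ interface address unless a
            # static (inside,DMZ) identity mapping exempts them.
            findings.append(("pat-internal",
                f"global pool {g.group('id')} on {g.group('if')} hides client "
                f"addresses behind the {g.group('if')} interface IP in server logs"))
        a = ACL_RE.match(line)
        if (a and a.group("action") == "permit" and a.group("src") == "any"
                and a.group("port") == "ftp"):
            # Rule 3: FTP reachable from any source; credentials cross the wire in clear.
            findings.append(("exposed-ftp",
                f"ACL {a.group('name')} permits FTP from any source to {a.group('dst')}"))
        t = TELNET_RE.match(line)
        if t:
            # Rule 4: cleartext management access to the firewall itself.
            findings.append(("cleartext-mgmt",
                f"telnet allowed from {t.group('net')} on {t.group('if')}; prefer ssh"))
        i = ICMP_RE.match(line)
        if i:
            findings.append(("icmp-any",
                f"the ASA answers ICMP from any host on {i.group('if')}"))
        if line == "logging trap debugging":
            findings.append(("logging-level",
                "syslog at debugging level floods the collector; use informational"))
    return findings


if __name__ == "__main__":
    for category, message in audit(ASA_CONFIG):
        print(f"[{category}] {message}")
```

Run against the embedded excerpt it reports the double publication of 10.5.0.5, the PAT pool on the DMZ interface, the any-source FTP permit, the telnet line and the three icmp lines; paste a different pre-8.3 configuration into ASA_CONFIG to audit it instead.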
