09-09-2008 08:49 PM - edited 03-03-2019 11:28 PM
Hi, I want to place my FTP server in the DMZ and I have the public IP a.b.c.d. How can I configure my ASA to have FTP access for both inside and outside users?
Thanks
09-09-2008 11:40 PM
Hi,
Use destination NAT in this case. Add the following configuration to your existing config.
static (dmz,inside) 192.168.1.2 172.16.1.9 netmask 255.255.255.255
Also, to let inside hosts access the internet you can add the following commands if you want.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
HTH... rate if helpful.
09-09-2008 09:38 PM
Hi,
Suppose your public IP address is 192.168.1.2 and the DMZ IP address is 172.16.1.9,
and the inside subnet is 10.0.0.0/24.
For inside-to-DMZ access we map the same private address to itself using a static.
----------------------------------------
static (dmz,outside) 192.168.1.2 172.16.1.9 netmask 255.255.255.255
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-list 100 permit tcp any host 192.168.1.2 eq ftp
access-group 100 in interface outside
HTH... rate if helpful.
09-09-2008 10:49 PM
Thanks for your reply. I have configured it with the above configuration. My inside network is accessing the FTP server via the DMZ IP address 172.16.1.9, but inside hosts are unable to access FTP via the public IP. Please help in this matter.
09-10-2008 12:06 AM
Thanks,
but when I do the above configuration I cannot access FTP with its local IP address, i.e. the DMZ IP address, and also my internet browsing stops.
09-10-2008 12:09 AM
OK!!!
Remove the
nat (inside) 1
global (outside) 1
statements from the config and see if browsing is working or not.
09-10-2008 01:48 AM
So how can I now access the FTP server in the DMZ zone with its local IP address? I can access it with its public IP now. I want to have FTP access with both its private and public IPs.
Thanks
09-10-2008 02:15 AM
Can you attach the current config of the ASA?
09-10-2008 03:03 AM
The configuration is as follows:
:
ASA Version 7.1(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address A.B.C.D
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 30.30.30.1 255.255.255.252
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10.5.0.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list webserver extended permit tcp any host C.D.E.F eq ftp
pager lines 24
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.252
static (DMZ,outside) C.D.E.F 10.5.0.5 netmask 255.255.255.255
static (DMZ,inside) C.D.E.F 10.5.0.5 netmask 255.255.255.255
access-group webserver in interface outside
route outside 0.0.0.0 0.0.0.0 221.120.214.1 1
route inside 192.168.0.0 255.255.240.0 30.30.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 30.30.30.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:a648fc19e2c8d7bcf4abdde0f1ee8725
: end
09-10-2008 03:46 AM
Remove the
global (DMZ) 1 interface
statement and add the statement below:
static (inside,DMZ) 30.30.30.0 30.30.30.0 netmask 255.255.255.252
This should work.
09-10-2008 03:52 AM
Hi,
When I remove the global (DMZ) 1 interface statement, my FTP from the inside network stops working.
Thanks
09-10-2008 04:17 AM
OK!!! Now:
1. Are you able to access the internet?
2. Are you able to access FTP from outside?
3. Are you able to access FTP from inside with the public IP address?
4. Are you able to access FTP from inside with the private IP address?
Let me know on this.
09-10-2008 08:51 PM
Hi,
With this configuration, as you told me:
access-list webserver extended permit tcp any host a.b.c.d eq ftp
global (outside) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.252
static (DMZ,outside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
static (inside,DMZ) 30.30.30.0 30.30.30.0 netmask 255.255.255.252
static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
access-group webserver in interface outside
route outside 0.0.0.0 0.0.0.0 e.f.g.h 1
route inside 192.168.0.0 255.255.240.0 30.30.30.2 1
I can now:
1. access the internet
2. FTP from outside
3. access FTP from inside with the public address
4. not access FTP from inside with the private IP address
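A scripted form of the four checks listed in the post above, as an added example (not code from the thread): it connects to the DMZ FTP server's control port via each candidate address, reads the banner, logs in (anonymous by default; the credentials are an assumption), sends PASV and checks that the address embedded in the 227 reply is the address the client connected to. Through the ASA that rewrite is done by the `inspect ftp` line already in the thread's global_policy; if it were missing, an inside client using the public address would be handed 10.5.0.5 in the PASV reply (or the reverse) and the data connection would fail even though the control channel works. The replies exercised offline are constructed; a.b.c.d is the thread's placeholder and must be replaced before running against a real box.

```python
"""Reachability and PASV-address check for a DMZ FTP server reached via two addresses.
Added example; not the thread's own code. Addresses follow the thread."""
import re
import socket
from typing import Optional, Tuple

PRIVATE_IP = "10.5.0.5"   # DMZ address from the thread
PUBLIC_IP = "a.b.c.d"     # placeholder as in the thread; replace before running

# h1,h2,h3,h4,p1,p2 tuple from an RFC 959 "227 Entering Passive Mode (...)" reply
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a 227 reply, or None for another code or a malformed tuple."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def pasv_consistent(connected_ip: str, reply: str) -> bool:
    """True when the server (or the firewall's FTP inspection) advertises the same
    address the client used for the control connection."""
    parsed = parse_pasv(reply)
    return parsed is not None and parsed[0] == connected_ip


def _read_reply(f) -> str:
    """Read one FTP reply, joining multi-line replies ('220-...' up to '220 ...')."""
    first = f.readline()
    if not first:
        raise ConnectionError("control connection closed")
    lines = [first.rstrip("\r\n")]
    if len(first) > 3 and first[3] == "-":
        code = first[:3]
        while True:
            line = f.readline()
            if not line:
                raise ConnectionError("control connection closed mid-reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):
                break
    return "\n".join(lines)


def check_ftp(host: str, port: int = 21, user: str = "anonymous",
              password: str = "check@example.invalid", timeout: float = 5.0) -> dict:
    """Connect to one address of the server and report banner, login and PASV results."""
    result = {"host": host, "reachable": False, "banner": "", "login": None,
              "pasv_reply": "", "pasv_consistent": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("r", encoding="ascii", errors="replace")
            result["banner"] = _read_reply(f)
            result["reachable"] = True
            s.sendall(f"USER {user}\r\n".encode())
            reply = _read_reply(f)
            if reply.startswith("331"):          # password required
                s.sendall(f"PASS {password}\r\n".encode())
                reply = _read_reply(f)
            result["login"] = reply.startswith("230")
            s.sendall(b"PASV\r\n")
            result["pasv_reply"] = _read_reply(f)
            if result["pasv_reply"].startswith("227"):
                result["pasv_consistent"] = pasv_consistent(host, result["pasv_reply"])
            s.sendall(b"QUIT\r\n")
    except OSError as exc:   # refused, timed out, unresolvable placeholder, reset mid-reply
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Run from an inside host: the thread's symptom shows up as one of the two
    # addresses being unreachable; a False pasv_consistent means FTP inspection
    # did not rewrite the embedded address for that path.
    for target in (PRIVATE_IP, PUBLIC_IP):
        print(check_ftp(target))
```

Run it from a host on the inside network; the same script run from outside should show only the public address reachable, since nothing routes 10.5.0.5 from there.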
09-10-2008 11:52 PM
I am not sure, but try removing the statement below:
static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
09-11-2008 12:06 AM
Hi,
When I remove
static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
I can access FTP with the private IP address and cannot access FTP with its public IP address.
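The last two posts show the constraint on this ASA release: with static (DMZ,inside) a.b.c.d 10.5.0.5 present, inside hosts reach the server only as a.b.c.d, and without it only as 10.5.0.5. Pre-8.3 static NAT is bidirectional, so once the DMZ host is published on the inside interface as a.b.c.d, a connection from inside to the real address 10.5.0.5 no longer matches the translation the ASA expects for the reverse flow and is dropped (syslog 305013, "Asymmetric NAT rules matched for forward and reverse flows"). The usual way on 7.x/8.2 to give inside users the same name as outside users is DNS rewrite (the dns keyword on the static) rather than a second static. The fragment below is an added example, not the thread's configuration; it reuses the thread's addresses and assumes a public DNS record ftp.example.com pointing at a.b.c.d, with the inside clients' resolver on the outside so the DNS reply crosses the ASA.

```cisco
! Added example (not from the thread): ASA 7.x/8.2 DMZ FTP server reachable from
! inside and outside under one hostname. Assumed: inside 30.30.30.0/30, DMZ server
! 10.5.0.5, public a.b.c.d, public A record ftp.example.com -> a.b.c.d.
!
! 1. Dynamic PAT for inside hosts going to the internet.
global (outside) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.252
!
! 2. Identity static toward the DMZ. A host that matches a nat statement needs a
!    translation on every interface it exits; a static takes precedence over the
!    dynamic rule, so this keeps 30.30.30.x untranslated toward the DMZ without
!    the "global (DMZ) 1 interface" PAT the thread started with.
static (inside,DMZ) 30.30.30.0 30.30.30.0 netmask 255.255.255.252
!
! 3. Publish the server. The dns keyword makes the ASA rewrite a.b.c.d to 10.5.0.5
!    in inspected DNS replies headed to inside clients, so an inside user resolving
!    ftp.example.com connects straight to 10.5.0.5, while outside users get a.b.c.d.
!    No "static (DMZ,inside) a.b.c.d 10.5.0.5" is configured: the thread shows that
!    with it the private address stops working from inside.
static (DMZ,outside) a.b.c.d 10.5.0.5 netmask 255.255.255.255 dns
!
! 4. Only the FTP control port from the internet; inspect ftp (already in the
!    thread's global_policy) opens the data connections and rewrites PASV/PORT.
access-list webserver extended permit tcp any host a.b.c.d eq ftp
access-group webserver in interface outside
!
! 5. inspect dns must be in the service policy for the dns keyword to take effect;
!    the thread's config already carries "inspect dns maximum-length 512".
```

Two caveats. If inside clients use an internal DNS server, the reply never crosses the ASA and the dns keyword does nothing; in that case keep the static without dns and add an internal A record for the name pointing at 10.5.0.5 (split DNS), which gives the same result. And ASA 8.3 and later replaced this syntax with object and twice NAT, where a destination-only rule on the (inside,DMZ) pair can translate a.b.c.d to 10.5.0.5 without affecting direct access to 10.5.0.5; that syntax is not shown here.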