Basic FTP configuration in ASA

itdsmartnet (Level 1)

Hi, I want to place my FTP server in the DMZ and I have the public IP a.b.c.d. How can I configure my ASA to have FTP access for both inside and outside users?

Thanks


14 Replies

satish_zanjurne (Level 4)

Hi,

Suppose your public IP address is 192.168.1.2 and the DMZ IP address is 172.16.1.9.

And the inside subnet is 10.0.0.0/24.

For inside-to-DMZ access we have mapped the same private address to itself using a static NAT.

----------------------------------------

static (dmz,outside) 192.168.1.2 172.16.1.9 netmask 255.255.255.255
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0
access-list 100 permit tcp any host 192.168.1.2 eq ftp
access-group 100 in interface outside

HTH... rate if helpful.

Thanks for your reply. I have configured the above configuration. My inside network is accessing the FTP server via the DMZ IP address 172.16.1.9, but inside hosts were unable to access FTP via the public IP. Please help in this matter.

Hi,

Use destination NAT in this case. Add the following configuration to your existing config:

static (dmz,inside) 192.168.1.2 172.16.1.9 netmask 255.255.255.255

Also, to let inside hosts access the internet you can add the following commands if you want:

nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

HTH... rate if helpful.

Thanks,

but when I do the above configuration I cannot access FTP with its local IP address, i.e. the DMZ IP address, and also my internet browsing stops.

OK!

Remove the

nat (inside) 1
global (outside) 1

statements from the config and see whether browsing is working or not.

So how can I now access the FTP server in the DMZ zone with its local IP address? I can access it with its public IP now. I want to have FTP access with both its private and public IPs.

Thanks

Can you attach the current config of the ASA?

The configuration is as follows:

:
ASA Version 7.1(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address A.B.C.D
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 30.30.30.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 10.5.0.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list webserver extended permit tcp any host C.D.E.F eq ftp
pager lines 24
logging trap debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp permit any outside
icmp permit any inside
icmp permit any DMZ
asdm image disk0:/asdm-512.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.252
static (DMZ,outside) C.D.E.F 10.5.0.5 netmask 255.255.255.255
static (DMZ,inside) C.D.E.F 10.5.0.5 netmask 255.255.255.255
access-group webserver in interface outside
route outside 0.0.0.0 0.0.0.0 221.120.214.1 1
route inside 192.168.0.0 255.255.240.0 30.30.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 30.30.30.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:a648fc19e2c8d7bcf4abdde0f1ee8725
: end

Remove the

global (DMZ) 1 interface

statement and add the statement below:

static (inside,DMZ) 30.30.30.0 30.30.30.0 netmask 255.255.255.252

This should work.

Hi,

When I remove the global (DMZ) 1 interface statement, my FTP from the inside network stops working.

Thanks

OK! Now:

1. Are you able to access the internet?
2. Are you able to access FTP from outside?
3. Are you able to access FTP from inside with the public IP address?
4. Are you able to access FTP from inside with the private IP address?

Let me know on this.

Hi,

With this configuration, as you told me:

access-list webserver extended permit tcp any host a.b.c.d eq ftp
global (outside) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.252
static (DMZ,outside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
static (inside,DMZ) 30.30.30.0 30.30.30.0 netmask 255.255.255.252
static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
access-group webserver in interface outside
route outside 0.0.0.0 0.0.0.0 e.f.g.h 1
route inside 192.168.0.0 255.255.240.0 30.30.30.2 1

I can now:

1. access the internet;
2. FTP from outside;
3. access FTP from inside with the public address;
4. not access FTP from inside with the private IP address.

I am not sure, but try removing the statement below:

static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255

Hi,

When I remove

static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255

I can access FTP with the private IP address and cannot access FTP with its public IP address.
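As an added illustration (my own, not from the thread or from Cisco), the Python below models how a pre-8.3 ASA static statement decides which address a host appears under on another interface, using the NAT lines posted above; it shows why inside hosts reach the server as a.b.c.d while the static (DMZ,inside) line is present and as 10.5.0.5 once it is removed, but never both at once. The model ignores ACLs, nat-control and policy statics, and keeps a.b.c.d as the poster's placeholder for the public address.

```python
import ipaddress
import re

# Constructed from the NAT lines the poster shared; a.b.c.d stands in for the
# real public address, exactly as written in the thread.
THREAD_CONFIG = """
global (outside) 1 interface
nat (inside) 1 30.30.30.0 255.255.255.252
static (DMZ,outside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
static (inside,DMZ) 30.30.30.0 30.30.30.0 netmask 255.255.255.252
static (DMZ,inside) a.b.c.d 10.5.0.5 netmask 255.255.255.255
"""

# static (real_ifc,mapped_ifc) mapped real netmask mask; spaces inside the parentheses tolerated
STATIC_RE = re.compile(
    r"^static\s*\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)")


def parse_statics(config):
    """Return (real_ifc, mapped_ifc, mapped, real, mask) tuples, interface names lower-cased."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            real_ifc, mapped_ifc, mapped, real, mask = m.groups()
            statics.append((real_ifc.lower(), mapped_ifc.lower(), mapped, real, mask))
    return statics


def visible_address(config, real_ifc, real_host, viewer_ifc):
    """Address a host on viewer_ifc must use to reach real_host (which sits on real_ifc)."""
    # A static for the (real_ifc, viewer_ifc) pair that covers real_host rewrites it to the
    # mapped address; with no matching static the real address is used (7.x, no nat-control).
    host = ipaddress.ip_address(real_host)
    for r_ifc, m_ifc, mapped, real, mask in parse_statics(config):
        if (r_ifc, m_ifc) != (real_ifc.lower(), viewer_ifc.lower()):
            continue
        if mask == "255.255.255.255":  # host static: mapped may be a placeholder like a.b.c.d
            if real == real_host:
                return mapped
            continue
        real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
        if host in real_net:  # network static: keep the host's offset inside the block
            offset = int(host) - int(real_net.network_address)
            return str(ipaddress.ip_address(int(ipaddress.ip_address(mapped)) + offset))
    return real_host
```

Dropping the static (DMZ,inside) line from THREAD_CONFIG and calling visible_address again reproduces the poster's last experiment: the inside view flips from a.b.c.d to 10.5.0.5.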
