DMZ FTP server

Answered Question
Jan 18th, 2009

Hello,

I have this configuration:

Host 172.16.1.x/24 > ASA 5510 > Router 2811 > Router 871 > ASA 5505 > Host 172.16.2.x/24.

I have added an FTP server on port 2 of the ASA 5510 with the IP address 172.16.0.2/252.

I need to know how to configure the access to the FTP server.

I have configured the ASA5510 and ASA5505 like this, but the hosts in 172.16.2.x/24 cannot access the FTP server.

ASA5510:

ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp host 10.52.72.135 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit ip host 172.16.2.2 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit ip host 172.16.0.6 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit icmp host 172.16.2.0 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq ftp
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq ftp-data
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.52.72.128 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.0.4 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.252 172.16.2.0 255.255.255.0
nat-control
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.1.0 255.255.255.0
static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255
access-group outside_access_in in interface outside

ASA 5505:

ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp host 172.16.0.5 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit icmp host 172.16.1.2 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit ip host 172.16.1.2 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit ip host 10.52.69.120 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit ip host 172.16.0.2 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.0.4 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 10.52.69.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.0.0 255.255.255.252
nat-control
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.2.0 255.255.255.0
access-group outside_access_in in interface outside

Regards

Jithesh K Joy Sun, 01/18/2009 - 22:14

Hi Malliot

Have you configured any tunnel between the two sites? If yes, please post the config of that as well.

Regards

Jithesh

p.maillot Sun, 01/18/2009 - 23:16

Hi jetheshkjoy

I have a tunnel between my router 2811 and 871.

I will post my config in a few minutes.

But the ASA5510 logs this message when I try to connect to the FTP server:

%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21
%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21

Regards

Correct Answer
Jithesh K Joy Mon, 01/19/2009 - 02:13

Hi,

Please try to access the FTP server 172.16.0.2 from the 172.16.2.0/24 network after the static NAT in the ASA5510, 'static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 55.255.255.255', is removed.

Because this static NAT is coming into the flow unnecessarily.

Regards
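The static the answer points at maps the DMZ host 172.16.0.2 to the outside address 172.16.2.2, which is the same address the outside ACL already permits as a real remote source, so the firewall holds two meanings for one address. The following check, added here and not part of the thread or of any Cisco tool, lints an 8.2-style ASA config excerpt for exactly that overlap: a static whose mapped address falls inside a source host or network permitted by the ACL bound inbound on the mapped interface. The config text is a constructed excerpt of the ASA5510 lines posted above, and the regexes assume the `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` form shown there.

```python
import ipaddress
import re

# Constructed excerpt of the ASA5510 config posted in the thread (only the lines this check reads).
ASA5510_CONFIG = """\
access-list outside_access_in extended permit ip host 172.16.2.2 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit icmp host 172.16.2.0 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq ftp
nat-control
static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

# 8.2-style syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# Capture the ACL name and the source field of an extended permit entry.
ACL_RE = re.compile(r"^access-list (\S+) extended permit \S+ (host \S+|any|\S+ \S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def source_network(token):
    """Map an ACL source token ('host X', 'A MASK', 'any') to a network; 'any' yields None."""
    if token == "any":
        return None
    if token.startswith("host "):
        return ipaddress.ip_network(token[5:])
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def find_static_collisions(config):
    """Return (mapped_ip, real_ip, mapped_ifc, acl, source) for every static whose mapped
    address also appears as a permitted source in the ACL bound inbound on the mapped
    interface, i.e. an address the firewall is also told to expect from a real remote peer."""
    statics, acl_sources, bound = [], {}, {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            _real_ifc, mapped_ifc, mapped_ip, real_ip, _mask = m.groups()
            statics.append((mapped_ifc, mapped_ip, real_ip))
        elif m := ACL_RE.match(line):
            acl_sources.setdefault(m.group(1), []).append(m.group(2))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)  # interface -> ACL applied inbound on it
    findings = []
    for mapped_ifc, mapped_ip, real_ip in statics:
        for src in acl_sources.get(bound.get(mapped_ifc), []):
            net = source_network(src)
            if net is not None and ipaddress.ip_address(mapped_ip) in net:
                findings.append((mapped_ip, real_ip, mapped_ifc, bound[mapped_ifc], src))
    return findings


if __name__ == "__main__":
    for f in find_static_collisions(ASA5510_CONFIG):
        print("static maps %s -> %s on %s, but ACL %s also permits real source %s" % f)
```

On the excerpt above it reports the single static the answer recommends removing; once that line is gone the check returns nothing.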
