DMZ FTP server

p.maillot
Level 1

Hello,

I have this configuration:

Host 172.16.1.x/24 > ASA 5510 > Router 2811 > Router 871 > ASA 5505 > Host 172.16.2.x/24.

I have added an FTP server on port 2 of the ASA 5510 with the IP address 172.16.0.2/252.

I need to know how to configure access to the FTP server.

I have configured the ASA5510 and ASA5505 like this, but the hosts in 172.16.2.x/24 cannot access the FTP server.

ASA5510:

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp host 10.52.72.135 172.16.1.0 255.255.255.0

access-list outside_access_in extended permit ip host 172.16.2.2 172.16.1.0 255.255.255.0

access-list outside_access_in extended permit ip host 172.16.0.6 172.16.1.0 255.255.255.0

access-list outside_access_in extended permit icmp host 172.16.2.0 172.16.1.0 255.255.255.0

access-list outside_access_in extended permit tcp any host 172.16.0.2 eq ftp

access-list outside_access_in extended permit tcp any host 172.16.0.2 eq ftp-data

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.52.72.128 255.255.255.192

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.0.4 255.255.255.252

access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.252 172.16.2.0 255.255.255.0

nat-control

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.16.1.0 255.255.255.0

static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255

access-group outside_access_in in interface outside

ASA 5505:

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp host 172.16.0.5 172.16.2.0 255.255.255.0

access-list outside_access_in extended permit icmp host 172.16.1.2 172.16.2.0 255.255.255.0

access-list outside_access_in extended permit ip host 172.16.1.2 172.16.2.0 255.255.255.0

access-list outside_access_in extended permit ip host 10.52.69.120 172.16.2.0 255.255.255.0

access-list outside_access_in extended permit icmp any any echo

access-list outside_access_in extended permit ip host 172.16.0.2 172.16.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.0.4 255.255.255.252

access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 10.52.69.0 255.255.255.128

access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.0.0 255.255.255.252

nat-control

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.16.2.0 255.255.255.0

access-group outside_access_in in interface outside

Regards


6 Replies

Jithesh K Joy
Level 1

Hi Malliot

Have you configured any tunnel between the two sites? If yes, please post the conf. of that as well.

Regards

Jithesh

Hi jetheshkjoy

I have a tunnel between my router 2811 and 871.

I will post my conf in a few minutes.

But the ASA5510 logs this message when I try to connect to the FTP server.

%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21

%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21

Regards

Hi,

Please try to access the FTP server 172.16.0.2 from the 172.16.2.0/24 network after the static NAT in the ASA5510, 'static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255', is removed.

Because this static NAT is coming into the flow unnecessarily.

Regards
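As an added example (not from this thread or from Cisco), the following Python checker parses the %ASA-3-305005 syslog line posted above together with pre-8.3 'static (real,mapped)' NAT statements, and reports a flow whose source address on the mapped interface is the very address a static already hands out, which is the overlap the accepted answer removes. The function names and the sample log and config lines are constructed from the thread.

```python
import re
from typing import Dict, List, Optional

# Syslog 305005 as logged by the ASA, e.g.
# "%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21"
LOG_305005 = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Pre-8.3 static NAT syntax: "static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask"
STATIC_NAT = re.compile(
    r"static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) "
    r"(?P<mapped_ip>[\d.]+) (?P<real_ip>[\d.]+) netmask (?P<mask>[\d.]+)"
)

# Sample input constructed from the thread (log line re-joined from its wrapped halves).
SAMPLE_LOGS = [
    "%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21",
]
SAMPLE_CONFIG = [
    "static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255",
    "nat (inside) 1 172.16.1.0 255.255.255.0",
]


def parse_305005(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a 305005 message, or None for any other line."""
    m = LOG_305005.search(line)
    return m.groupdict() if m else None


def parse_static(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a pre-8.3 static NAT statement, or None for other config lines."""
    m = STATIC_NAT.search(line.strip())
    return m.groupdict() if m else None


def find_static_collisions(log_lines: List[str], config_lines: List[str]) -> List[str]:
    """One finding per failing flow whose real source address, seen on the static's mapped
    interface, equals the mapped (global) address that static assigns to a DMZ host."""
    statics = [s for s in map(parse_static, config_lines) if s]
    findings = []
    for flow in filter(None, map(parse_305005, log_lines)):
        for s in statics:
            if flow["src_ifc"] == s["mapped_ifc"] and flow["src_ip"] == s["mapped_ip"]:
                findings.append(
                    f"{flow['src_ip']} arriving on {flow['src_ifc']} is also the mapped address that "
                    f"static ({s['real_ifc']},{s['mapped_ifc']}) assigns to {s['real_ip']}; "
                    f"the real host and the translation overlap, so remove or re-address the static"
                )
    return findings
```

Run it over the ASA's 305005 messages and the 'static' lines from 'show run' to confirm the overlap before removing the statement.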

Hi

Is the issue resolved?

Regards

Jithesh

Yes, thank you Jithesh

It is my pleasure.
