01-18-2009 05:17 AM - edited 03-11-2019 07:38 AM
Hello,
I have this configuration:
Host 172.16.1.x/24 > ASA 5510 > Router 2811 > Router 871 > ASA 5505 > Host 172.16.2.x/24.
I have added an FTP server on port 2 of ASA 5510 with the IP address 172.16.0.2/252.
I need to know how to configure the access on the FTP server.
I have configured ASA5510 and ASA5502 like that, but the host 172.16.2.x/24 cannot access the FTP server.
ASA5510:
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp host 10.52.72.135 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit ip host 172.16.2.2 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit ip host 172.16.0.6 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit icmp host 172.16.2.0 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq ftp
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq ftp-data
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.52.72.128 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.0.4 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.252 172.16.2.0 255.255.255.0
nat-control
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.1.0 255.255.255.0
static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
ASA 5505:
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp host 172.16.0.5 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit icmp host 172.16.1.2 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit ip host 172.16.1.2 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit ip host 10.52.69.120 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit ip host 172.16.0.2 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.0.4 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 10.52.69.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.0.0 255.255.255.252
nat-control
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.2.0 255.255.255.0
access-group outside_access_in in interface outside
Regards
01-18-2009 10:14 PM
Hi Malliot
Have you configured any tunnel between both the sites? If yes, please post the conf. of that as well.
Regards
Jithesh
01-18-2009 11:16 PM
Hi jetheshkjoy
I have a tunnel between my router 2811 and 871.
I will post my conf in a few minutes.
But the ASA5510 receives this message when I try to connect to the FTP server.
%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21
%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21
Regards
01-19-2009 02:13 AM
Hi,
Please try to access the FTP server 172.16.0.2 from the 172.16.2.0/24 network after the static NAT in ASA5510 'static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255' is removed.
Because this static NAT is coming in the flow unnecessarily.
Regards
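A triage sketch relating the %ASA-3-305005 messages to the static quoted above, added here as an example and not part of any poster's message or of Cisco tooling. The function name `triage` and the finding keys are hypothetical; the sample input is constructed from the thread's ASA5510 config and log lines (wrapped log lines rejoined), and only host statics (netmask 255.255.255.255) are handled.

```python
import re

# Constructed sample input: lines copied from the ASA5510 config and syslog in this thread.
CONFIG = """\
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.1.0 255.255.255.0
static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255
"""
SYSLOG = """\
%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21
%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21
"""

# Host statics only: static (real_if,mapped_if) mapped_ip real_ip netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static \((\S+?),(\S+?)\) (\S+) (\S+) netmask 255\.255\.255\.255\s*$", re.M)
# Groups: proto, src_if, src_ip, src_port, dst_if, dst_ip, dst_port
LOG_RE = re.compile(
    r"%ASA-3-305005: No translation group found for (\S+) "
    r"src ([^:\s]+):([\d.]+)/(\d+) dst ([^:\s]+):([\d.]+)/(\d+)")

def triage(config, syslog):
    """Relate each distinct 305005 flow to host statics on the same interface pair."""
    statics = STATIC_RE.findall(config)
    # Drop the source port so repeated attempts collapse into one flow.
    flows = sorted({(m[1], m[2], m[4], m[5], m[0], int(m[6]))
                    for m in LOG_RE.findall(syslog)})
    findings = []
    for src_if, src, dst_if, dst, proto, dport in flows:
        for real_if, mapped_if, mapped, real in statics:
            if (real_if, mapped_if) != (dst_if, src_if):
                continue  # static covers a different interface pair
            findings.append({
                "flow": f"{proto} {src_if}:{src} -> {dst_if}:{dst}/{dport}",
                "static": f"static ({real_if},{mapped_if}) {mapped} {real}",
                # The client addressed the server's real IP, not the mapped one.
                "dst_is_real_ip": dst == real,
                # The mapped IP is also the address of the connecting client.
                "src_is_mapped_ip": src == mapped,
            })
    return findings

if __name__ == "__main__":
    for finding in triage(CONFIG, SYSLOG):
        print(finding)
```

Both flags come back true for the thread's data: the failing flow targets the real address 172.16.0.2, while the static maps that server to 172.16.2.2, the same address the client is connecting from.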
01-21-2009 04:26 AM
Hi
Is the issue resolved?
Regards
Jithesh
01-21-2009 05:21 AM
Yes, thank you Jithesh
01-21-2009 08:41 PM
It is my pleasure.