Firewall FTP Problem

Unanswered Question
Feb 9th, 2010

I have firewall ASA 8.0(4). My FTP server is located on the DMZ side and one FTP server is located on the inside network.  DMZ Inside

From the DMZ I can do FTP and everything, but from inside I am not able to FTP to the DMZ server, though ping and remote desktop I can do.

Below is the configuration of my firewall.

interface GigabitEthernet0/1
mac-address 000c.f542.4abc standby 020c.f542.4abc
nameif inside
security-level 100
ip address standby
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
interface GigabitEthernet0/3.1
mac-address 000c.f342.4abc standby 020c.f342.4abc
nameif serverdmz
security-level 90
ip address standby

access-list acl-in extended permit ip host any

static (inside,serverdmz) netmask

access-list acl-serverdmz extended permit ip host any

access-list aclnat_serverdmz extended permit ip any

nat (inside) 2 access-list aclnat_cards
nat (inside) 3 access-list aclnat_serverdmz
nat (inside) 1
nat (serverdmz) 1

global (partners) 1 netmask
global (serverdmz) 1
global (serverdmz) 3 interface
global (cardsdmz) 2 interface

ENOCDC-FW01/Rack1# show conn address
1933 in use, 15723 most used
TCP serverdmz inside, idle 0:00:31, bytes 1798427, flags UIO

From the DMZ to inside everything is working fine, but from inside I am not able to FTP to the DMZ server, though the FTP server is working fine locally.

Please help me out how to find a solution for this.

sachinraja Tue, 02/09/2010 - 08:52

Hi Wasim

Is the FTP server in the DMZ? Are you accessing it from or any other PC from the inside network? I see the ACL

access-list acl-in extended permit ip host any

This will allow only traffic from to go from the inside interface. If you are trying to FTP from any other IP, you might need to add another ACL similar to the one below:

access-list acl-in extended permit tcp host eq ftp

or you can probably allow ip from to (for testing).

You might also need to build a static entry for the FTP server to inside, just the way you did for the inside FTP server:

static (serverdmz,inside) netmask

or you can also define a nat 0 for traffic going from the inside network to the DMZ segment:

nat (inside) 0 access-list 111

access-list 111 permit ip

You would be able to access the FTP server once you make these changes.

Hope this helps. All the best.
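The changes the reply describes, written out as an added example with constructed placeholder addresses (this is not the poster's configuration, whose addresses are not shown on the page): 10.1.1.0/24 is assumed for the inside network, 10.1.1.50 for the inside client, and 172.16.1.20 for the DMZ FTP server.

```cisco
! Constructed example, not the original configuration.
! Assumed placeholder addresses: inside network 10.1.1.0/24,
! inside client 10.1.1.50, DMZ FTP server 172.16.1.20.

! 1. acl-in is applied inbound on the inside interface, so every inside
!    host that needs the DMZ FTP server must be permitted here; the
!    implicit deny at the end of the ACL drops everything else.
!    Permitting only the control port keeps the rule narrow; the ASA's
!    default 'inspect ftp' opens the data channel on demand.
access-list acl-in extended permit tcp host 10.1.1.50 host 172.16.1.20 eq ftp
access-group acl-in in interface inside

! 2. Identity static so the DMZ server keeps its real address towards
!    inside (mirrors the existing static (inside,serverdmz) entry).
static (serverdmz,inside) 172.16.1.20 172.16.1.20 netmask 255.255.255.255

! Alternative to step 2: exempt inside -> DMZ traffic from NAT entirely.
access-list nonat-inside extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat-inside

! Verify: the control connection should show the server's real address
! and 'show xlate' should list no translation for it.
show conn address 172.16.1.20
show xlate
```

If a different inside client still fails, check the hit counts in `show access-list acl-in`, since the implicit deny applies to every host not listed; if the control connection opens but directory listings hang, confirm that `inspect ftp` is still present in the global policy.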
