FTPserver in DMZ + Dual ISP

Aug 13th, 2010

Hi Guys,


I've been trying for the last 3 days to get FTP working in my DMZ. In fact the FTP server itself works, because I can FTP from the inside to the DMZ. But from the outside to the DMZ I can't get it working.


The situation:


See the network diagram for details.

[attachment: ASAnetwork.jpg]

2x ASA5505 in Active/Standby

5 interfaces: Inside, Outside, Backup, DMZ and Management

ISP A is tracked; if it goes down, it automatically switches over to ISP B.

Two different public IP addresses: ISP A = 1.1.1.x / 29 ISP B = 2.2.2.x / 29. So with each ISP we have about 5 or 6 public IP addresses.

DMZ = 192.168.253.0/24, DMZ interface = 192.168.253.1, FTP = 192.168.253.2


The problem:

The FTP server in the DMZ is not accessible from the internet. ASDM's Packet Tracer keeps dropping at the NAT rule.

From the DMZ to the outside everything is passing, according to Packet Tracer. Also from the inside to the DMZ I can FTP.


Another question:

We have two different public IP ranges. Our customers reach the ftp by DNS name: ftp.company.com

How can I achieve that the FTP server is still accessible when our primary ISP fails and the routing occurs via ISP B (= other public IP range)? Something with DNS?


Below is the (sanitized) config (sensitive info is deleted):


ASA Version 7.2(4) 
!
hostname PK1-FW1
domain-name default.domain.invalid
enable password 7eiKHCMaZZwOv/Ls encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 description Connected to internal LAN
 nameif inside
 security-level 100
 ip address 192.168.254.2 255.255.255.0 standby 192.168.254.3 
!
interface Vlan2
 description Connected to primary ISP
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252 
!
interface Vlan3
 description Connected to backup ISP
 nameif backup
 security-level 0
 ip address 2.2.2.2 255.255.255.248 
!
interface Vlan4
 description For management purposes only!
 nameif Management
 security-level 100
 ip address 192.168.4.5 255.255.255.0 standby 192.168.4.6 
 management-only
!
interface Vlan253
 nameif DMZ
 security-level 50
 ip address 192.168.253.1 255.255.255.0 
!
interface Vlan255
 description LAN Failover Interface
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 253
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 255
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Department_Vlans
 description Vlans per department
object-group network Allowed_FTP
 description Clients/Departments allowed to use FTP
object-group service Allowed_Protocols tcp
 description group of allowed protocols
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 group-object Allowed_Protocols
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service Allow_SVN tcp-udp
 port-object eq 888
object-group service TCP_Allow_Filesharing_Inside-DMZ tcp
 port-object eq 135
 port-object eq 445
 port-object eq netbios-ssn
object-group service UDP_Allow_Filesharing_Inside-DMZ udp
 port-object eq netbios-ns
object-group service DM_INLINE_TCP_3 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service Allow_FileSharing_FTP01 tcp-udp
 port-object eq 135
 port-object eq 137
 port-object eq 139
 port-object eq 445
object-group service Allowed_FTP01_Protocols tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq domain
object-group service Allow_FTP tcp
 port-object eq ftp
 port-object eq ftp-data
object-group network DM_INLINE_NETWORK_1
 network-object Servers 255.255.255.0
 network-object ICT 255.255.255.0
access-list backup_access_in extended permit icmp any any echo-reply 
access-list backup_access_in extended permit object-group TCPUDP any interface backup object-group Allow_SVN 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit object-group TCPUDP any interface outside object-group Allow_SVN 
access-list outside_access_in extended permit tcp any host FTP01 object-group DM_INLINE_TCP_3 
access-list inside_access_in extended permit object-group TCPUDP any any eq domain 
access-list inside_access_in extended deny ip Productie-No-Internet 255.255.255.0 any 
access-list inside_access_in extended permit ip object-group Migration_group any 
access-list inside_access_in extended permit tcp Servers 255.255.255.0 any eq smtp 
access-list inside_access_in extended deny tcp Servers 255.255.255.0 any eq smtp 
access-list inside_access_in extended permit ip Servers 255.255.255.0 any 
access-list inside_access_in extended permit tcp object-group Department_Vlans any object-group Allowed_Protocols 
access-list inside_access_in extended permit tcp object-group Allowed_FTP any object-group DM_INLINE_TCP_2 
access-list inside_access_in extended permit tcp any any object-group bittorrent 
access-list 110 extended permit ip Default_Vlan 255.255.0.0 192.168.253.0 255.255.255.0 
access-list DMZ_access_in extended permit ip any any 
access-list DMZ_access_in extended permit icmp any any echo 
access-list DMZ_access_in extended permit tcp any any object-group Allowed_FTP01_Protocols 
access-list DMZ_access_in extended permit object-group TCPUDP host FTP01 object-group DM_INLINE_NETWORK_1 object-group Allow_FileSharing_FTP01 
access-list OUTSIDE_IN extended permit tcp any host FTP01 object-group Allow_FTP 
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list OUTSIDE_IN extended permit object-group TCPUDP any interface outside object-group Allow_SVN 
pager lines 24
logging enable
logging list test level notifications
logging buffered warnings
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu backup 1500
mtu Management 1500
mtu DMZ 1500
ip verify reverse-path interface inside
ip verify reverse-path interface Management
ip audit name Attack attack action alarm
ip audit name Info info action alarm
ip audit interface inside Info
ip audit interface inside Attack
ip audit interface outside Info
ip audit interface outside Attack
ip audit interface backup Info
ip audit interface backup Attack
ip audit interface DMZ Info
ip audit interface DMZ Attack
failover
failover lan unit secondary
failover lan interface failover Vlan255
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover interface ip failover 192.168.255.1 255.255.255.252 standby 192.168.255.2
monitor-interface inside
monitor-interface outside
monitor-interface backup
monitor-interface Management
monitor-interface DMZ
icmp unreachable rate-limit 10 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 Default_Vlan 255.255.0.0 dns
nat (DMZ) 1 192.168.253.0 255.255.255.0
static (inside,outside) tcp interface 888 192.168.0.194 888 netmask 255.255.255.255  dns 
static (inside,backup) tcp interface 888 192.168.0.194 888 netmask 255.255.255.255  dns 
static (inside,backup) udp interface 888 192.168.0.194 888 netmask 255.255.255.255  dns 
static (inside,outside) udp interface 888 192.168.0.194 888 netmask 255.255.255.255  dns 
static (DMZ,outside) tcp interface ftp FTP01 ftp netmask 255.255.255.255  dns 
static (DMZ,outside) tcp interface ftp-data FTP01 ftp-data netmask 255.255.255.255  dns 
access-group inside_access_in in interface inside
access-group OUTSIDE_IN in interface outside
access-group backup_access_in in interface backup
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 213.125.16.81 1 track 1
route backup 0.0.0.0 0.0.0.0 188.201.212.129 254
!
router rip
 network 192.168.254.0
 passive-interface outside
 passive-interface backup
 passive-interface Management
 passive-interface DMZ
 default-information originate
 version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.4.0 255.255.255.0 Management
http ICT 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 inside
fragment chain 1 outside
fragment chain 1 backup
fragment chain 1 Management
fragment chain 1 DMZ
sla monitor 123
 type echo protocol ipIcmpEcho 213.51.160.52 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-256_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh ICT 255.255.255.0 inside
ssh 192.168.4.0 255.255.255.0 Management
ssh timeout 5
ssh version 2
console timeout 0
management-access Management
ntp server 193.67.79.202 prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:0289a7cab68afeb8fde4d99723647e99
: end


Thanks in advance.

Nagaraja Thanthry (Cisco Employee) Fri, 08/13/2010 - 06:29

Hello,


From your configuration, it seems like you have mapped the FTP server to your interface IP. This configuration is supported as long as the client and server communicate via Active FTP mode. When the FTP mode is passive, the client opens the connections. The data port is not fixed to 20. Instead, the server opens up a port greater than 1023 and sends that information to the client. If you do not have a translation for that port, the firewall cannot forward requests coming onto that port on the outside interface to the inside server. Can you please try the following:


no static (DMZ,outside) tcp interface ftp FTP01 ftp netmask 255.255.255.255 dns
no static (DMZ,outside) tcp interface ftp-data FTP01 ftp-data netmask 255.255.255.255 dns

static (DMZ,outside) ftp FTP01 netmask 255.255.255.255 dns


This should map all the ports of that public IP to the FTP server. With regard to your second question about secondary ISP and access to the FTP server, you are right. You need to work with the DNS and make changes to the DNS.


Hope this helps.


Regards,


NT
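The point NT makes above (a per-port static for 21 and 20 does not cover the data port a passive server announces, while a one-to-one static for a whole public IP does) can be checked mechanically. The following is an added example, not code from the ASA or from anyone in the thread: it parses the server's `227` PASV reply, computes the announced data port, and tests it against two modelled translation rule sets. The sample reply, the 15000-15500 passive range and the `1.1.1.3` mapped address are taken from the thread; the rewrite of the embedded address mirrors what `inspect ftp` does to the reply on its way out, and the example assumes no inspection pinhole beyond that.

```python
"""Passive-FTP data port versus translation coverage (added example)."""
import re
from typing import List, Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return the (ip, port) the server announced in a 227 PASV reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    octets = m.groups()
    ip = ".".join(octets[:4])
    port = int(octets[4]) * 256 + int(octets[5])
    if not 1 <= port <= 65535:
        raise ValueError("PASV port out of range: %d" % port)
    return ip, port


def format_pasv(ip: str, port: int) -> str:
    """Build a 227 reply; with the mapped IP this is what FTP inspection
    sends on to the client (address rewritten, port unchanged)."""
    p1, p2 = divmod(port, 256)
    return "227 Entering Passive Mode (%s,%d,%d)" % (ip.replace(".", ","), p1, p2)


# Translation rules modelled as (proto, mapped_port); None means every port.
PER_PORT_STATICS = [("tcp", 21), ("tcp", 20)]  # static ... interface ftp / ftp-data
ONE_TO_ONE_STATIC = [("tcp", None)]            # static (DMZ,outside) 1.1.1.3 FTP01


def port_is_translated(rules: List[Tuple[str, Optional[int]]], proto: str, port: int) -> bool:
    return any(p == proto and (mp is None or mp == port) for p, mp in rules)


def data_channel_covered(rules, pasv_reply: str) -> bool:
    """True if the port the server announced is reachable through `rules`."""
    _, port = parse_pasv(pasv_reply)
    return port_is_translated(rules, "tcp", port)


def uncovered_passive_ports(rules, low: int, high: int) -> List[int]:
    """Ports of the server's configured passive range that `rules` never translate."""
    return [p for p in range(low, high + 1) if not port_is_translated(rules, "tcp", p)]


# Constructed server reply: the DMZ server announcing data port 15000.
SAMPLE_PASV = format_pasv("192.168.253.2", 15000)

if __name__ == "__main__":
    print(parse_pasv(SAMPLE_PASV))
    print("per-port statics cover data port:", data_channel_covered(PER_PORT_STATICS, SAMPLE_PASV))
    print("one-to-one static covers data port:", data_channel_covered(ONE_TO_ONE_STATIC, SAMPLE_PASV))
    print("reply after inspection rewrite:", format_pasv("1.1.1.3", 15000))
    print(len(uncovered_passive_ports(PER_PORT_STATICS, 15000, 15500)), "passive ports uncovered")
```

Run it as a script to see the two rule sets side by side; `uncovered_passive_ports` is the quick way to confirm a per-port static leaves the whole 15000-15500 range without a translation.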

RoelBeelen Fri, 08/13/2010 - 07:29

Hi NT,


Thanks for your answer, but it's not working. When I copy-paste your command I get a syntax error. If I replace the command with:


static (DMZ,outside) FTP01 netmask 255.255.255.255 dns


then I get: ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address


ASAs can be complex...


Regarding the FTP and DNS question:


Each time the primary line fails I have to edit our A record on the ISP's DNS server. Besides that, it mostly takes one to two days for DNS to replicate.

I need a solution that automatically reroutes the traffic.

We have some spare public IP addresses available from both ISPs; only the ranges are different. If I could configure the ASA in such a way that I map a spare public IP (for example 1.1.1.3 from ISP A) to our FTP server, it would be reachable independently of which ISP is active at that moment.

Correct Answer
Nagaraja Thanthry (Cisco Employee) Fri, 08/13/2010 - 13:25

Hello,


Please try the following:


Assume that the free IP is 1.1.1.3


static (DMZ,outside) 1.1.1.3 FTP01 netmask 255.255.255.255 dns


With regard to your problem of manual failover, the issue is with the ISPs not allowing traffic sourced from an IP that does not belong to their IP range. They will not be advertising each other's subnets, so when your primary goes down, the subnet belonging to your primary ISP will be down. Most common practice is to modify the DNS entry (or add dual DNS entries to the same server). I would suggest you to work with your DNS people to ensure that they track the primary IP and when the primary IP is not reachable, they report the secondary IP.


Hope this helps.


Regards,


NT

RoelBeelen Sun, 08/15/2010 - 03:30

Hi NT,


Thanks for the reply. I had already tried the command you suggested, but it didn't work. But I got an idea.


When you look in the config at Vlan2 (outside) you see the following:


interface Vlan2
 description Connected to primary ISP
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252

I've specified a /30 subnet mask for peer-to-peer communication with the modem. When I change the subnet mask to /29 (as we have got 5 public IPs from our ISP), the 1.1.1.3, .4 or .5 address is recognised as part of the range, isn't it?


Maybe then I get a response when I FTP to the new public IP address. I will try it tomorrow when I get to work.

RoelBeelen Mon, 08/16/2010 - 00:13

Good morning NT and others,


This morning I changed the outside interface's subnet mask from 252 to 248, so that the available public IP addresses are within the range.

After that I gave the command static (DMZ,outside) 1.1.1.3 FTP01 netmask 255.255.255.255 dns


The command is accepted but the FTP server still isn't reachable. When I test with the Packet Tracer, it keeps failing with NAT. Is my ASA config wrong or so?


I've attached a screenshot of Packet Tracer.


I don't know what to do to get it working. Can it be that hard? :P


About the DNS story:


I'm the only network administrator at the company (we're fairly small, with 100 desktops), so I guess I have to contact our ISPs to discuss our needs.


PS: I've edited the outside IPs for security reasons ;)

praprama (Cisco Employee) Mon, 08/16/2010 - 05:18

Hi Roel,


The reason why you are seeing the packet-tracer fail is because you have specified the destination IP address as 192.168.253.2, which is the real IP of the FTP server. Try specifying it as 1.1.1.3, which is the translated IP address of the FTP server on the outside and also the IP address the users will try to access from the internet.



With regards to why the users are not able to FTP into the server, are the users using "Active" or "Passive" FTP for the same? Please enable logging on the ASA and get the logs when a user tries to access the FTP server as well. That way we can see if there are any drops by the ASA.


All the best!


Regards,

Prapanch

RoelBeelen Mon, 08/16/2010 - 05:53

Hi PR,


Thanks for the reply. I've tested your suggestion with Packet Tracer, and indeed the packet comes through! But I can't reach the FTP server yet.

When I FTP from the inside to the DMZ, I see PASV commands passing, so I use passive FTP.


Also I've configured an inspect map for FTP like this:


class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp

service-policy global_policy global


Also in the FTP server I specified the port range for passive FTP: 15000 - 15500.

praprama (Cisco Employee) Mon, 08/16/2010 - 06:05

I suggest we do a couple of things here.


1> Enable buffered logging on the ASA and get those logs when trying to access the FTP server.


logging enable

logging buffered debugging


2> When a user tries to access the FTP server, get the set messages that we see on the server with regards to that particular connection.


Also, if possible, we can apply captures on the ASA on both the outside and DMZ interfaces and get those in a .pcap format for detailed analysis.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml


Thanks and Regards,

Prapanch

RoelBeelen Mon, 08/16/2010 - 06:49

I turned on logging as you said. Regarding connecting users:

When I FTP from inside to DMZ I can see activity in the FTP server's log.

But when I try to connect from outside to the DMZ, nothing happens on the FTP server. It seems that the outside connection doesn't come that far.

On the client side I get an ETIMEDOUT - Connection attempt timed out.


To capture traffic, I have to upgrade my ASA and ASDM software first. I plan it for this evening. In the meantime, I've turned on logging. Where can I view my logs?


I'm quite familiar with Cisco products, but not with ASAs...

praprama (Cisco Employee) Mon, 08/16/2010 - 07:47

Hi,


You should be able to see the logs by giving "show logg". Also, captures should be available on version 7.2(4) which I assume is the one you are running based on the running-config initially attached.


I apologize as I skipped this detail before, but I think the problem could be with the access-list on the outside interface of your ASA:


access-list OUTSIDE_IN extended permit tcp any host FTP01 object-group Allow_FTP 
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit object-group TCPUDP any interface outside object-group Allow_SVN

We have allowed traffic to the real IP of the server 192.168.253.2 on the 1st line. Try modifying it to the translated IP of 1.1.1.3 as below. We should be good to go then:

access-list OUTSIDE_IN extended permit tcp any host 1.1.1.3

All the best!!

Thanks and Regards,
Prapanch
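Prapanch's point, and the earlier packet-tracer result, both follow from the order in which a pre-8.3 ASA handles an inbound packet: the interface ACL is evaluated against the packet as it arrives on the outside, so against the mapped (global) destination address, and only afterwards does the static untranslate it to the real DMZ address. The model below is an added example written for this thread, not Cisco code; it uses the thread's sanitized addresses (1.1.1.3 mapped to 192.168.253.2) and shows that an ACE permitting the real IP never matches, that a packet-tracer run against the real IP passes the ACL but has no static to untranslate it, and that the "any port" ACE can be narrowed to 21 once `inspect ftp` handles the data connection.

```python
"""Inbound ACL-then-untranslate order on a pre-8.3 ASA (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    """One 'static (DMZ,outside) ...' entry; port fields only for static PAT."""
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None

    def untranslate(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        if dst_ip != self.mapped_ip:
            return None
        if self.mapped_port is None:            # one-to-one static: every port
            return self.real_ip, dst_port
        if proto == self.proto and dst_port == self.mapped_port:
            return self.real_ip, self.real_port  # port-specific static PAT
        return None


@dataclass(frozen=True)
class Ace:
    """'permit <proto> any host <dst_host> [ports]'; ports None = any port."""
    proto: str
    dst_host: str
    ports: Optional[FrozenSet[int]] = None

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        return (self.proto == proto and self.dst_host == dst_ip
                and (self.ports is None or dst_port in self.ports))


def inbound(acl: List[Ace], statics: List[Static], proto: str, dst_ip: str, dst_port: int):
    """Return ('PASS', (real_ip, real_port)) or ('DROP', phase).

    Pre-8.3 order: the outside ACL sees the mapped destination first,
    then the static untranslates it. Addresses are the thread's values.
    """
    if not any(a.matches(proto, dst_ip, dst_port) for a in acl):
        return "DROP", "acl-drop"
    for s in statics:
        real = s.untranslate(proto, dst_ip, dst_port)
        if real is not None:
            return "PASS", real
    return "DROP", "nat"               # nothing maps this destination inward


FTP_STATIC = [Static("1.1.1.3", "192.168.253.2")]          # static (DMZ,outside) 1.1.1.3 FTP01
ACL_REAL_IP = [Ace("tcp", "192.168.253.2", frozenset({20, 21}))]  # original OUTSIDE_IN line
ACL_MAPPED_ANY = [Ace("tcp", "1.1.1.3")]                    # Prapanch's example: any TCP port
ACL_MAPPED_FTP = [Ace("tcp", "1.1.1.3", frozenset({21}))]   # narrowed; inspect ftp opens data

if __name__ == "__main__":
    print("ACE on real IP, client to 1.1.1.3:21 ->", inbound(ACL_REAL_IP, FTP_STATIC, "tcp", "1.1.1.3", 21))
    print("packet-tracer to real IP          ->", inbound(ACL_REAL_IP, FTP_STATIC, "tcp", "192.168.253.2", 21))
    print("ACE on mapped IP, any port        ->", inbound(ACL_MAPPED_ANY, FTP_STATIC, "tcp", "1.1.1.3", 21))
    print("ACE on mapped IP, port 21 only    ->", inbound(ACL_MAPPED_FTP, FTP_STATIC, "tcp", "1.1.1.3", 445))
```

The `acl-drop` result is the "no hits on show access-list" symptom: the counter never increments because the packet's destination is 1.1.1.3, not 192.168.253.2, at the point the ACL is consulted. The `nat` result reproduces the packet-tracer screenshot described earlier in the thread.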

RoelBeelen Mon, 08/16/2010 - 08:19

Hi PR,


Thanks for the reply. Regarding the last command, that doesn't turn things around either...

I've placed the rule first in the list, but nothing seems to happen.


Also, isn't it a huge security risk to allow the full TCP stack on the outside?


About the capture feature in ASDM, I don't see such a function in the Tools menu. Also when I click on the Wizards menu, the Startup Wizard and High Availability Wizard don't function. I can click on them a thousand times but nothing happens. Right now I don't need those functions, as I've already configured those via the CLI.


But I can't stay forever on 5.2 though... :P

praprama (Cisco Employee) Mon, 08/16/2010 - 08:25

Are you seeing hit counts on the access-list using "show access-list OUTSIDE_IN" when trying to connect from the client to the server? I suggest getting the captures in addition to this for analysis.


"Also, isn't it a huge security risk to allow the full TCP stack on the outside?"


Yes it is a risk and it is better to restrict it to just the necessary ports. I had given that one just as an example.


Regards,

Prapanch

RoelBeelen Mon, 08/16/2010 - 10:28

I've upgraded the ASA software and ASDM software. Everything went smoothly.

I'll come back tomorrow with capture results.


As for now, the access list doesn't show any hits... hmm. Are my interfaces configured wrong???

praprama (Cisco Employee) Mon, 08/16/2010 - 17:25

Hmmm.. If you aren't seeing hit counts, then the packets may not even be reaching your firewall. Captures should confirm whether that is indeed the case.

RoelBeelen Tue, 08/17/2010 - 03:00

Hi everyone,


Guess what, it works! I can reach the FTP server. All the FTP tests I did, I did from the internal LAN. My thought was that when I FTP to the outside address, the packets are also delivered on the outside address. But that seems not to be true.


Anyway, I connected a laptop directly to the modem of our backup internet line, and I could reach the FTP server at the outside address I specified.


The only challenge I have now is to get the traffic routed to the static public IP of the FTP server (spare address of the primary ISP), also when the primary line is down.


I guess I've got to call both ISPs...


Anyway, thanks for all the help and replies!

praprama (Cisco Employee) Tue, 08/17/2010 - 07:55

Hey,


Great to hear that! The fact that you were trying to access the FTP server from the LAN using the Public IP explains why you were facing those problems. Well, if you really need that, then you will need U-turning configured on the ASA:


static (dmz,inside) 1.1.1.3 192.168.253.2


All the best in the future!!


Thanks and Regards,

Prapanch

RoelBeelen Tue, 08/17/2010 - 08:30

Hey,


To make the FTP server accessible via the backup line, I've made the same settings I did with the primary line. The only difference is that I applied the ACL to the backup interface, and the NAT rule I specified with another spare public IP, from the other ISP. After disabling the primary line, all traffic goes via the backup line, but the FTP server isn't reachable...


Also the ACL doesn't show any hits.


I've got to go now. Tomorrow is another day :)

praprama (Cisco Employee) Tue, 08/17/2010 - 08:44

Hi,


Just to clarify one thing here. So originally, when traffic passes through the primary line, the DNS resolves to the IP address 1.1.1.3. Now assuming on the backup line we have the public IP 2.2.2.3 for the FTP server, does the DNS also reflect this change when the backup line becomes active?


Regards,

Prapanch

RoelBeelen Wed, 08/18/2010 - 00:17

At this stage I don't use DNS. I connect to the public IP address of the FTP server.

When everything works as it should, I will make two A records on the DNS servers of the hosting company where our domains are hosted, each with one of the public IP addresses of the FTP server. This is according to an engineer of the hosting company. He thinks that this is the only way to make it sort of HA, but he has never done it this way, with two host records.


Another question:


I've configured dual ISP on our ASAs:


http://www.cisco.com/warp/public/110/pix-dual-isp.pdf


When the primary link is active, is incoming traffic at the backup interface also accepted and routed into the ASA, or how does that work?

If it's not, then the two A-records story can't work, since customers are randomly pointed to one of the two IPs.

praprama (Cisco Employee) Wed, 08/18/2010 - 00:31

Hey,


> When the primary link is active, is incoming traffic at the backup interface also accepted and routed into the ASA, or how does that work?


My guess is that the ASA might actually drop packets being routed to the "backup" interface (because of reverse path lookup) or end up routing the return packets incorrectly (since the default route will be pointing out the primary interface). I have not tried this out before so I am not really sure. But the fact is that when we have a dual ISP config like the one we have here, only one link is supposed to be active and passing traffic at any point in time.


Regarding the DNS issue, won't it be possible to do what NT said previously (somehow track the primary IP 1.1.1.3 and when that is unreachable, fail over the DNS record to 2.2.2.3)? Again, I have not worked with DNS servers so I am not sure if such a thing is even possible.


Regards,

Prapanch
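The routing consequence Prapanch describes (only one default route active at a time, so a reply to a client that arrived on the other ISP's address leaves through the wrong ISP) is what breaks the two-A-record idea, and it can be laid out as a small model. This is an added example for the thread, not ASA code: it mirrors the config's `route outside ... 1 track 1` and `route backup ... 254` entries, uses the thread's sanitized ranges 1.1.1.0/29 and 2.2.2.0/29 with mapped FTP addresses 1.1.1.3 and 2.2.2.3 (the latter is the value assumed in Prapanch's question), and takes as its one assumption NT's statement that each ISP forwards only packets sourced from its own range. It also computes how many clients succeed with round-robin A records versus a health-checked answer that only ever hands out the address of the currently active line.

```python
"""Dual-ISP reply path and DNS answer success rate (added example)."""
import ipaddress
from typing import List, Tuple

# Public ranges per egress interface (thread's sanitized values).
ISP_RANGE = {
    "outside": ipaddress.ip_network("1.1.1.0/29"),   # ISP A
    "backup": ipaddress.ip_network("2.2.2.0/29"),    # ISP B
}
# (egress interface, administrative distance, depends on track 1) -- mirrors
# 'route outside 0.0.0.0 0.0.0.0 <gw> 1 track 1' and 'route backup ... 254'.
DEFAULT_ROUTES = [("outside", 1, True), ("backup", 254, False)]
# Mapped FTP address on each line; 2.2.2.3 is the value assumed in the thread.
MAPPED_FTP_IP = {"outside": "1.1.1.3", "backup": "2.2.2.3"}


def active_egress(primary_up: bool) -> str:
    """Lowest-distance default route whose track (if it has one) is up."""
    usable = [(dist, iface) for iface, dist, tracked in DEFAULT_ROUTES
              if primary_up or not tracked]
    return min(usable)[1]


def reply_delivered(primary_up: bool, ingress: str) -> Tuple[str, bool]:
    """A client connected to MAPPED_FTP_IP[ingress]; the server's reply is
    sourced from that address and follows the active default route.
    Returns (egress interface, whether the ISP on that egress forwards it).
    Assumption (from NT's post): an ISP drops source addresses outside its range."""
    src = ipaddress.ip_address(MAPPED_FTP_IP[ingress])
    egress = active_egress(primary_up)
    return egress, src in ISP_RANGE[egress]


def success_rate(records: List[str], primary_up: bool) -> float:
    """Fraction of clients that get through when DNS hands out `records`
    and each client picks one of them at random (round robin)."""
    ok = 0
    for ip in records:
        ingress = next(i for i, m in MAPPED_FTP_IP.items() if m == ip)
        ok += int(reply_delivered(primary_up, ingress)[1])
    return ok / len(records)


def health_checked_answer(primary_up: bool) -> List[str]:
    """What a DNS setup that tracks the primary IP (NT's suggestion) answers:
    only the address of the line that is currently carrying traffic."""
    return [MAPPED_FTP_IP[active_egress(primary_up)]]


if __name__ == "__main__":
    both = ["1.1.1.3", "2.2.2.3"]
    for state in (True, False):
        print("primary up" if state else "primary down",
              "| egress:", active_egress(state),
              "| client via backup addr delivered:", reply_delivered(state, "backup")[1],
              "| two A records:", success_rate(both, state),
              "| health-checked:", success_rate(health_checked_answer(state), state))
```

Whatever the state of the primary line, the two-record answer sends half the clients to an address whose replies leave via the other ISP, while the tracked answer keeps every client on the live line; the remaining gap is DNS propagation time, which this model does not cover.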
