ASA DMZ configuration issue

Sep 17th, 2010

Good afternoon experts - I am in need of a quick resolution to what I am sure is a fairly standard configuration issue.


Description:  we need to configure a DMZ on an ASA for an FTP server with a public IP address.  Outside partners need to send files to this FTP server.  We then need to have these files transferred internally to a file server.


Problem:  outside partners are able to send the files to the FTP server in the DMZ, but we cannot retrieve them from the internal file server through the ASA.


Relevant configuration:

interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 205.x.y.z 255.255.255.248
!
interface GigabitEthernet0/1
nameif INSIDE
! (IP address of internal file server is 192.168.x.x)
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ IP (IP address of FTP server 198.d.e.25)
nameif DMZ
security-level 50
ip address 198.d.e.30 255.255.255.248
!


NAT contains this:

nat (INSIDE) 0 access-list NO-NAT

access-list NO-NAT line 153 extended permit ip host 192.168.x.x host 198.d.e.25
nat (DMZ) 0 access-list NO-NAT-DMZ
access-list NO-NAT-DMZ line 1 remark Allow traffic from SFTP server to Corp-Server
access-list NO-NAT-DMZ line 2 extended permit ip host 198.d.e.25 host 192.168.x.x


There are no access-group rules applied to INSIDE or DMZ interfaces.


What is missing, or misconfigured?  Your input is greatly appreciated.


Thanks, Patrick

Federico Coto F... Fri, 09/17/2010 - 12:01

Many many ways to do it.

But for example if you need from the internal network to reach the DMZ, can try this:


nat (inside) 1 10.x.x.x 255.255.255.0

global (DMZ) 1 interface


Federico.

Sharkey13 Fri, 09/17/2010 - 12:36

Federico - thanks for the reply, but I have one question: why would I want the "nat (inside) 1 10.x.x.x" command to reference 10.x.x.x, the IP address of the interface, and not the internal file server?


Thanks, Patrick

Federico Coto F... Fri, 09/17/2010 - 12:47

If you need to access the FTP server (on the DMZ) from the inside network, that's what you need (we can restrict it to be from a single server).


If on the other hand, you need the FTP server to initiate a connection to the inside server, then you will need a static NAT and an ACL.


Federico.
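Putting Federico's two suggestions side by side, as an added example that is not configuration from this thread. It uses ASA 8.2-style nat/global/static syntax and the placeholder addresses from the question; the ACL name DMZ-IN and the TCP port 445 are assumptions, not anything the posters stated.

```cisco
! Added example (not from the thread). ASA 8.2-style NAT syntax.
! Addresses are the question's placeholders; DMZ-IN and port 445 are assumptions.
!
! 1) Inside -> DMZ: an inside host opens the FTP session to 198.d.e.25.
!    Dynamic PAT behind the DMZ interface address, as Federico suggested.
!    The 10.x.x.x/24 line covers the INSIDE subnet only; the file server
!    lives at 192.168.x.x, so give it its own line (or rely on the nat 0
!    exemption the posted config already carries for that host).
nat (INSIDE) 1 10.x.x.x 255.255.255.0
nat (INSIDE) 1 192.168.x.x 255.255.255.255
global (DMZ) 1 interface
!
! 2) DMZ -> inside: the FTP server pushes files to the file server.
!    Present the file server to the DMZ under its own address (identity
!    static), then permit only the needed port from the one DMZ host.
static (INSIDE,DMZ) 192.168.x.x 192.168.x.x netmask 255.255.255.255
access-list DMZ-IN extended permit tcp host 198.d.e.25 host 192.168.x.x eq 445
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface DMZ
```

Two caveats when applying this. With nat-control disabled (the default on a fresh 8.x configuration) traffic from the higher-security INSIDE to the lower-security DMZ passes with no nat/global pair at all, which is consistent with Patrick's later report that the posted config worked; the pair matters when nat-control is enabled. And once DMZ-IN is bound to the DMZ interface, everything the FTP server itself initiates, including toward OUTSIDE, is dropped unless a permit line covers it; replies to partner-initiated sessions are still allowed by the stateful connection table.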

roger-jonsson Fri, 09/17/2010 - 14:01

In addition to the static/global commands and access-list:

You need a Security Plus license to do this. The Base license only allows two regular zones (inside, outside) and one restricted zone (dmz), which can ONLY communicate with a zone with a lower security level (outside). Run the show ver command and check the license.


// Roger

Sharkey13 Fri, 09/17/2010 - 14:17

Federico, Roger - thanks for the replies.


Turns out there was an issue with the FTP authentication, not a DMZ config issue.


ASA DMZ config worked as posted.


Thanks again.  Patrick
