ASA DMZ configuration issue

Unanswered Question
Sep 17th, 2010

Good afternoon experts - I am in need of a quick resolution to what I am sure is a fairly standard configuration issue.

Description:  we need to configure a DMZ on an ASA for an FTP server with a public IP address.  Outside partners need to send files to this FTP server.  We then need to have these files transferred internally to a file server.

Problem:  outside partners are able to send the files to the FTP server in the DMZ, but we cannot retrieve them from the internal file server through the ASA.

Relevant configuration:

interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 205.x.y.z
interface GigabitEthernet0/1
nameif INSIDE (IP address of internal file server is 192.168.x.x)
security-level 100
ip address 10.x.x.x
interface GigabitEthernet0/2
description DMZ IP (IP address of FTP server 198.d.e.25)
nameif DMZ
security-level 50
ip address 198.d.e.30

NAT contains this:

nat (INSIDE) 0 access-list NO-NAT

access-list NO-NAT line 153 extended permit ip host 192.168.x.x host 198.d.e.25
nat (DMZ) 0 access-list NO-NAT-DMZ
access-list NO-NAT-DMZ line 1 remark Allow traffic from SFTP server to Corp-Server
access-list NO-NAT-DMZ line 2 extended permit ip host 198.d.e.25 host 192.168.x.x

There are no access-group rules applied to INSIDE or DMZ interfaces.

What is missing, or misconfigured?  Your input is greatly appreciated.

Thanks, Patrick

Federico Coto F... Fri, 09/17/2010 - 12:01

Many many ways to do it.

But for example if you need from the internal network to reach the DMZ, can try this:

nat (inside) 1 10.x.x.x

global (DMZ) 1 interface


Sharkey13 Fri, 09/17/2010 - 12:36

Federico - thanks for the reply, but I have one question - why would I want the "nat (inside) 1 10.x.x.x. " command to reference the 10.x.x.x - the IP address of the interface, and not the internal file server?

Thanks, Patrick

Federico Coto F... Fri, 09/17/2010 - 12:47

If you need to access the FTP server (on the DMZ) from the inside network, that's what you need (we can restrict it to be from a single server).

If on the other hand, you need the FTP server to initiate a connection to the inside server, then you will need a static NAT and an ACL.

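The two cases Federico distinguishes, written out as an added ASA 8.2-style configuration (this is not configuration from the thread or from Cisco; the thread's redacted placeholders 192.168.x.x, 198.d.e.25 and 10.x.x.x are kept, and the ACL name DMZ-IN, the subnet masks and the choice of port 21 are assumptions):

```cisco
! Added example, not from the original post. Placeholders as in the thread.

! 1. NAT exemption between the inside file server and the DMZ FTP server.
!    This is what the original post already has. "nat 0 access-list" is
!    bidirectional: either host may initiate, using real (untranslated) IPs.
access-list NO-NAT extended permit ip host 192.168.x.x host 198.d.e.25
nat (INSIDE) 0 access-list NO-NAT
access-list NO-NAT-DMZ extended permit ip host 198.d.e.25 host 192.168.x.x
nat (DMZ) 0 access-list NO-NAT-DMZ

! 2. Case A: the inside file server pulls from the DMZ FTP server (100 -> 50).
!    With no access-group on INSIDE the ASA permits this by default once a
!    NAT rule (or nat-control disabled) lets the packet through, so nothing
!    beyond step 1 is required. Federico's dynamic PAT would be the alternative
!    if the exemption were absent (mask assumed):
!      nat (INSIDE) 1 10.x.x.x 255.255.255.0
!      global (DMZ) 1 interface

! 3. Case B: the DMZ FTP server pushes to the inside file server (50 -> 100).
!    An ACL applied inbound on DMZ is mandatory. The identity static below is
!    what Federico describes; it is only needed if step 1 is not in place.
static (INSIDE,DMZ) 192.168.x.x 192.168.x.x netmask 255.255.255.255
access-list DMZ-IN extended permit tcp host 198.d.e.25 host 192.168.x.x eq ftp
! Applying an access-group replaces the implicit "lower security = permit",
! so DMZ -> OUTSIDE must be allowed explicitly, minus the private ranges.
access-list DMZ-IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ-IN extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ-IN extended permit ip host 198.d.e.25 any
access-group DMZ-IN in interface DMZ

! 4. FTP uses a second (data) connection; keep the default FTP inspection so
!    the ASA opens it dynamically for both active and passive transfers.
policy-map global_policy
 class inspection_default
  inspect ftp
```

If the DMZ host is really an SFTP server, as the NO-NAT-DMZ remark suggests, replace `eq ftp` with `eq ssh` and the `inspect ftp` line is irrelevant to that flow. Verify the result with `packet-tracer input DMZ tcp 198.d.e.25 1025 192.168.x.x 21` and `show xlate` rather than by trial transfers; as the last reply in this thread shows, an authentication failure on the FTP server itself looks identical from the client side to a firewall drop.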

roger-jonsson Fri, 09/17/2010 - 14:01

In addition to the static/global commands and access-list.

You need a Security Plus License to do this. The Base license only allows two regular zones (inside, outside) and one restricted zone (dmz), which can ONLY communicate with a zone with a lower security level (outside). Run the show ver command and check the license.

// Roger

Sharkey13 Fri, 09/17/2010 - 14:17

Federico, Roger - thanks for the replies.

Turns out there was an issue with the FTP authentication, not a DMZ config issue.

ASA DMZ config worked as posted.

Thanks again.  Patrick

