09-17-2010 11:41 AM - edited 03-11-2019 11:41 AM
Good afternoon experts - I am in need of a quick resolution to what I am sure is a fairly standard configuration issue.
Description: we need to configure a DMZ on an ASA for an FTP server with a public IP address. Outside partners need to send files to this FTP server. We then need to have these files transferred internally to a file server.
Problem: outside partners are able to send the files to the FTP server in the DMZ, but we cannot retrieve them from the internal file server through the ASA.
Relevant configuration:
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 205.x.y.z 255.255.255.248
!
interface GigabitEthernet0/1
 description INSIDE (IP address of internal file server is 192.168.x.x)
 nameif INSIDE
 security-level 100
 ip address 10.x.x.x 255.255.255.0
!
interface GigabitEthernet0/2
 description DMZ IP (IP address of FTP server 198.d.e.25)
 nameif DMZ
 security-level 50
 ip address 198.d.e.30 255.255.255.248
!
NAT contains this:
nat (INSIDE) 0 access-list NO-NAT
access-list NO-NAT line 153 extended permit ip host 192.168.x.x host 198.d.e.25
nat (DMZ) 0 access-list NO-NAT-DMZ
access-list NO-NAT-DMZ line 1 remark Allow traffic from SFTP server to Corp-Server
access-list NO-NAT-DMZ line 2 extended permit ip host 198.d.e.25 host 192.168.x.x
There are no access-group rules applied to INSIDE or DMZ interfaces.
What is missing, or misconfigured? Your input is greatly appreciated.
Thanks, Patrick
09-17-2010 12:01 PM
Many many ways to do it.
But for example if you need from the internal network to reach the DMZ, can try this:
nat (inside) 1 10.x.x.x 255.255.255.0
global (DMZ) 1 interface
Federico.
09-17-2010 12:36 PM
Federico - thanks for the reply, but I have one question - why would I want the "nat (inside) 1 10.x.x.x" command to reference 10.x.x.x, the IP address of the interface, and not the internal file server?
Thanks, Patrick
09-17-2010 12:47 PM
If you need to access the FTP server (on the DMZ) from the inside network, that's what you need (we can restrict it to be from a single server).
If on the other hand, you need the FTP server to initiate a connection to the inside server, then you will need a static NAT and an ACL.
Federico.
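As an added example, not from any of the posters and not Patrick's actual configuration: one complete ASA 8.2-syntax (pre-8.3 nat/global/static) fragment that covers the three flows discussed in this thread, namely partners reaching the FTP server from the Internet, inside hosts pulling from the DMZ (Federico's nat/global suggestion), and the DMZ server pushing to the inside file server (Federico's static NAT plus ACL case). All addresses are assumed placeholders from the RFC 5737 documentation ranges, and the inside router at 10.0.0.2 fronting the 192.168.1.0/24 file-server subnet is likewise an assumption drawn from the fact that the file server is not on the INSIDE interface's subnet. The restricted-DMZ limit Roger describes below is the ASA 5505 Base license behaviour; `show version` reports the installed license on any model.

```cisco
! Added example, not from the thread. ASA 8.2 (pre-8.3) NAT syntax, matching the nat/global/static commands above.
! Assumed addressing (RFC 5737 documentation ranges, not the poster's):
!   OUTSIDE  203.0.113.2/29    public address reserved for the FTP server: 203.0.113.3
!   INSIDE   10.0.0.1/24       inside router 10.0.0.2 fronts the file server 192.168.1.10
!   DMZ      198.51.100.30/29  FTP server 198.51.100.25
!
! The file server is not on the INSIDE subnet, so the ASA needs a route to it (easy to miss).
route INSIDE 192.168.1.0 255.255.255.0 10.0.0.2
!
! 1. Partners on the Internet reach the FTP server on its public address: static NAT plus an
!    OUTSIDE access-group (lower-to-higher security always needs an explicit permit).
static (DMZ,OUTSIDE) 203.0.113.3 198.51.100.25 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.3 eq ftp
access-group OUTSIDE-IN in interface OUTSIDE
!
! 2. Inside hosts pull files from the DMZ (Federico's first suggestion): dynamic PAT to the DMZ
!    interface address. Higher-to-lower is permitted without an ACL as long as no access-group
!    is applied to INSIDE. Any nat 0 access-list exemption, as in the original post, is matched
!    before these and leaves the exempted pair untranslated.
nat (INSIDE) 1 10.0.0.0 255.255.255.0
nat (INSIDE) 1 192.168.1.0 255.255.255.0
global (DMZ) 1 interface
!
! 3. If the DMZ server must itself push files to the inside file server (Federico's second case):
!    an identity static so the file server is reachable by its real address from the DMZ
!    (static takes precedence over the dynamic nat above for this one host), plus a DMZ
!    access-group. Applying any access-group to DMZ replaces the implicit higher-to-lower
!    permit, so DMZ-to-OUTSIDE traffic has to be allowed explicitly as well.
static (INSIDE,DMZ) 192.168.1.10 192.168.1.10 netmask 255.255.255.255
access-list DMZ-IN extended permit tcp host 198.51.100.25 host 192.168.1.10 eq ftp
access-list DMZ-IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ-IN extended deny ip any 10.0.0.0 255.255.255.0
access-list DMZ-IN extended permit ip 198.51.100.24 255.255.255.248 any
access-group DMZ-IN in interface DMZ
!
! FTP inspection (on by default in global_policy) is what opens the separate data connection
! through NAT in both active and passive mode. A login that succeeds while a directory listing
! or transfer hangs points at the data channel, not at authentication.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! Checks: confirm the translation and the ASA's verdict for each flow before blaming the server.
show xlate
show conn
packet-tracer input INSIDE tcp 192.168.1.10 1025 198.51.100.25 21
packet-tracer input DMZ tcp 198.51.100.25 1025 192.168.1.10 21
packet-tracer input OUTSIDE tcp 192.0.2.50 1025 203.0.113.3 21
```

The three `packet-tracer` lines are the quickest way to separate a firewall problem from a server problem: each one prints the NAT rule and ACL line that decided the flow and ends with an explicit ALLOW or DROP, so if all three allow and the transfer still fails, as turned out to be the case in this thread, the fault is on the FTP server side.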
09-17-2010 02:01 PM
In addition to the static/global commands and access-list, you need a Security Plus license to do this. The Base license only allows two regular zones (inside, outside) and one restricted zone (dmz), which can ONLY communicate with a zone with a lower security level (outside). Run the show ver command and check the license.
// Roger
09-17-2010 02:17 PM
Federico, Roger - thanks for the replies.
Turns out there was an issue with the FTP authentication, not a DMZ config issue.
ASA DMZ config worked as posted.
Thanks again. Patrick