FTP

Lewis_Cipher
Level 1

I am trying to NAT my FTP to the outside. I can't get to that IP. Am I missing something? I have FTP allowed in access rules.

For NAT

static NAT

inside  - to the internal IP

Outside - external IP

I can ping the server from firewall internally.  What else can I do to test?

1 Accepted Solution

Accepted Solutions

I don't think the problem is with the inspect. The FTP FEAT command is entered successfully but the responses are not. You can check the show service-policy and check if the inspect ftp has drops:

ASA-1# sh service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 672, drop 0, reset-drop 0


27 Replies

are you trying a static NAT for your FTP server?

For example:

FTP 192.168.1.10

NATed IP 66.12.66.10

stat (inside,outside) 66.12.66.10 192.168.1.10

Is that what you are trying?

yes, do I have all the info correct?

if you have a similar static NAT it seems correct. Are there any ACLs on the inside interface that could prevent the traffic from going out? Is the NATed IP in your range of outside IPs?

If you can send the config it would be great.

sent via private message....

thanks for the config. If you are trying to allow FTP traffic from the outside to the inside it won't work since you are denying the traffic in the first two lines of your access-l outside_access_in.

Is this the test that you are trying? FTP to the SGA_Website_NAT address coming from the outside?

Hey Paul,

The Deny is on purpose; until I can get it to work I have it on deny. Yes, the NAT is SGA_Website_NAT. It is called website because we got rid of that and I changed the NAT for our FTP server now. I can get to the website internally, but not externally, when I try the NAT IP address on the outside...

do you see hitcounts on the ACL after the testing? If there are not hitcounts that means that the traffic is not getting to your ASA.

It is weird because I do see hit counts, but can't get to the address.

Your FTP server has a default gateway? It should be your ASA 10.1.101.1. Make sure the FTP service is up.

I can get to the FTP internally, I can ping the FTP from the ASA. I can't get the external IP to hit the internal via the internet. This one is bugging me. I run a packet trace from the external IP to the ASA and the packet succeeds. The gateway of the FTP is the ASA IP. The services are running because I can get the FTP site in the DMZ zone. Any other ideas?

do you have any other filtering device such as an IPS?

We could set some captures on the ASA inside interface to see if the packet returns to the ASA and how it returns.

I am getting a failure when packet tracing from the ASA to the FTP server on the inside interface. Do I need to allow this internally? Any less secure networks are allowed IP...

if the traffic is coming from outside to inside you just need the ACLs on the outside. Also make sure you have the inspect ftp on your policy map
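The static NAT from the earlier reply, the outside ACL, and the inspect ftp policy-map mentioned here, put together as one ASA configuration with the checks the replies suggest. This is an added example, not configuration from this thread or from Cisco; it uses pre-8.3 syntax to match the "stat (inside,outside)" form used above, takes 192.168.1.10 and 66.12.66.10 from the reply, and the client address 203.0.113.5 in the packet-tracer line is a constructed placeholder.

```cisco
! Added example (not from the thread). Pre-8.3 syntax; addresses from
! the earlier reply, client 203.0.113.5 is a constructed placeholder.

! Static one-to-one NAT: public 66.12.66.10 maps to the inside server.
static (inside,outside) 66.12.66.10 192.168.1.10 netmask 255.255.255.255

! Inbound ACL on the outside interface. Pre-8.3 ACLs reference the
! public (NATed) address, not the real one. A deny placed above this
! permit (as in the thread) blocks the test no matter what NAT says.
access-list outside_access_in extended permit tcp any host 66.12.66.10 eq ftp
access-group outside_access_in in interface outside

! FTP inspection. Without it a passive-mode PASV reply still carries the
! server's private 192.168.1.10, so the control channel works but the
! data connection never does; with it the ASA rewrites the address and
! opens the data-port pinhole (and the reverse pinhole for active mode).
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! Checks, roughly in the order the replies above suggest them.
! 1. Is the translation built and for the intended pair of hosts?
show xlate
show nat
! 2. Does the test hit the permit line, not a deny above it?
show access-list outside_access_in
! 3. Simulate the inbound client; destination is the public address.
packet-tracer input outside tcp 203.0.113.5 40000 66.12.66.10 21 detailed
! 4. Is the inspection engine in place, and is it dropping anything?
show service-policy inspect ftp
! 5. Did the SYN reach the inside wire, and did the server answer it?
capture capin interface inside match tcp any host 192.168.1.10 eq 21
show capture capin
no capture capin
```

Two things to keep in mind when reading the counters. A hit on the ACL only proves the packet arrived at the outside interface; if the capture on the inside interface shows the SYN going out but no SYN/ACK coming back, the problem is on the server or its default gateway, not the ASA. And on ASA 8.3 and later the NAT is written as an object (`object network ftp-server` with `nat (inside,outside) static 66.12.66.10`) and the outside ACL must then reference the real address 192.168.1.10, so a pre-8.3 ACL carried forward unchanged will silently stop matching.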

Inspect FTP on Policy Map?
