10-23-2013 09:13 AM - edited 03-11-2019 07:55 PM
Hi All,
First time posting.
So my goal is to have an FTP server on the DMZ and be able to access it using the outside interface (which is currently just configured as 10.2.2.2). I tried adding the NAT rule using ASDM and CLI but it won't take. What am I missing that I can't NAT?
static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0
Here is the current config:
Thanks
ASA Version 8.2(1)
!
!
interface Ethernet0/0
nameif outside
security-level 0
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
no ip address
!
interface Ethernet0/1.1
vlan 1
nameif inside1
security-level 100
ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
vlan 3
nameif inside3
security-level 100
ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group network inside-subnet
network-object 10.20.10.0 255.255.255.0
network-object 10.40.10.0 255.255.255.0
object-group network FTPServer
network-object 172.20.10.5 255.255.255.255
object-group network FTPServer-External
network-object 10.2.2.2 255.255.255.255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
mtu inside1 1500
mtu inside3 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.2.2.2
nat (dmz) 1 172.20.10.0 255.255.255.0
nat (inside1) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
10-23-2013 09:18 AM
Hi,
The Static PAT (Port Forward) configuration seems valid.
Though you don't have any IP address in the visible configuration for the "outside" interface.
interface Ethernet0/0
nameif outside
security-level 0
no ip address
You should add:
interface Ethernet0/0
ip address
- Jouni
10-23-2013 09:21 AM
Also,
It seems that one of your interfaces is configured as a trunk:
interface Ethernet0/1
nameif inside
security-level 100
no ip address
The physical interface configuration seems unneeded if you are not planning to add an IP address to it. If you are not going to add one, you could configure:
interface Ethernet0/1
no nameif
no security-level
Just to avoid any future misunderstanding with the interface in question.
- Jouni
10-23-2013 09:25 AM
Thanks for that quick response. The interface not having an IP was an oversight, from not having the correct IPs from the ISP yet.
I'll add the temp IP and test again. Also, I will remove those configs from eth0/1.
I'll let you know if all is good.
10-23-2013 09:30 AM
Hi,
I can't see any other reason for not accepting the command, at least if you did it through ASDM.
The "static" command itself refers to the "outside" interface with the parameter "interface", and if the interface has no IP address configured I would imagine it won't accept the NAT configuration, as there is no IP address to use for the NAT configuration you are trying to insert.
static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0
- Jouni
10-23-2013 10:13 AM
OK, so I removed the security-level and nameif on eth0/1 and now I cannot ping 10.20.10.1 from a server with IP 10.20.10.5 connected to the same switch.
From the ASA I can ping 10.40.20.2 (int vlan 3 IP on switch) but I can't ping 10.20.10.254 (int vlan 1 on switch).
I have the switch connected to eth 0/1 on port 48 on the switch. Here's a truncated version of my switch config.
ip routing
ip dhcp excluded-address 10.40.20.1 10.40.20.10
!
ip dhcp pool guestwifi
network 10.40.20.0 255.255.255.0
dns-server 8.8.8.8 4.2.2.2
default-router 10.40.20.1
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3
switchport mode trunk
!
interface GigabitEthernet0/42
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3
switchport mode trunk
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
uplink to Firewall
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3
switchport mode trunk
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
ip address 10.20.10.254 255.255.255.0
!
interface Vlan2
description Voice Vlan
no ip address
!
interface Vlan3
description Guest Vlan
ip address 10.40.20.2 255.255.255.0
10-23-2013 10:19 AM
Hi,
If removing those commands created some problems you could always revert back to the original configuration.
Though I didn't see that there was any IP address configured for the physical interface, so I am not sure how it would affect the setup.
If it did, it must be related to you using Vlan1 in the configurations.
I am wondering whether you would need to change the native VLAN to something other than the default VLAN for the suggested configurations to not cause any problems.
But it is probably better to revert to the original configuration, though it still leaves the ASA configuration looking pretty strange.
- Jouni
10-25-2013 12:48 PM
So after removing it, it still didn't work. What I did was configure the eth0/1 interface with the vlan 1 IP and just keep the eth0/1.3 vlan 3 sub-interface. Communication is OK now. My next issue/question is: I am trying to get the vlan 1 network 10.20.10.0/24 to see the FTP server on the DMZ (172.20.10.5). Here's the ASA config so far. What am I missing in the access list to be able to hit/ping the FTP server from the vlan 1 server? The switch is configured for DMZ vlan 4. I have the eth0/2 int and FTP server connected to ports 43/44 trunked with vlan 1, 4.
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
vlan 3
nameif inside3
security-level 100
ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.30.10.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group network inside-subnet
network-object 10.20.10.0 255.255.255.0
network-object 10.40.10.0 255.255.255.0
object-group network FTPServer
network-object 172.20.10.5 255.255.255.255
access-list dmz_access_in extended permit ip 10.20.10.0 255.255.255.0 host 172.20.10.5
access-list dmz_access_in extended permit icmp 10.20.10.0 255.255.255.0 host 172.20.10.5
access-list outside_access_in extended permit tcp any object-group FTPServer eq ftp
access-list inside_access_in extended permit icmp host 172.20.10.5 10.20.10.0 255.255.255.0 timestamp-reply
access-list inside_access_in extended permit tcp host 172.20.10.5 10.20.10.0 255.255.255.0 inactive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside3 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.2.2.2
nat (inside) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
nat (dmz) 1 172.20.10.0 255.255.255.0
static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
: end
hofasa#
10-25-2013 04:28 PM
Hello,
The problem you had before was that you were using the native VLAN interface incorrectly.
You changed the setup, so we will start from here now:
First of all, remove this:
no access-group inside_access_in in interface inside
Add the following:
policy-map global_policy
class class-default
inspect FTP
Just in case you do not have it:
static (dmz,inside) 172.20.10.5 172.20.10.5
static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
Let me know how it goes.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
10-28-2013 09:56 AM
So I removed and added the statements you stated. From the switch I can ping the DMZ interface on the ASA 172.20.10.1 but not the FTP server 172.20.10.5. From the ASA I can ping the vlan 4 interface on the switch 172.20.10.2 but cannot ping the FTP server 172.20.10.5.
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.2.2.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
vlan 3
nameif inside3
security-level 50
ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 100
ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.30.10.1 255.255.255.0
management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group network inside-subnet
network-object 10.20.10.0 255.255.255.0
network-object 10.40.10.0 255.255.255.0
object-group network FTPServer
network-object 172.20.10.5 255.255.255.255
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp timestamp-reply
access-list dmz_access_in extended permit ip 10.20.10.0 255.255.255.0 172.20.10.0 255.255.255.0
access-list dmz_access_in extended permit icmp 10.20.10.0 255.255.255.0 172.20.10.0 255.255.255.0
access-list outside_access_in extended permit tcp any object-group FTPServer eq ftp
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside3 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.2.2.2
nat (inside) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
nat (dmz) 1 172.20.10.0 255.255.255.0
static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255
static (dmz,inside) 172.20.10.5 172.20.10.5 netmask 255.255.255.255
static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.20.10.0 255.255.255.0 management
http 10.20.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.20.10.0 255.255.255.0 inside
telnet 192.168.1.1 255.255.255.255 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class class-default
inspect ftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6bcfb01a635982dcd4020570173ae95f
: end
Switch config:
interface GigabitEthernet0/43
FTP Server
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/44
Uplink to ASA DMZ Eth0/2
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
interface GigabitEthernet0/48
UPLink to ASA Eth0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,4
switchport mode trunk
interface Vlan2
description Voice Vlan
no ip address
no ip route-cache
!
interface Vlan3
description Guest Vlan
ip address 10.40.20.2 255.255.255.0
no ip route-cache
!
interface Vlan4
description DMZ Vlan
ip address 172.20.10.2 255.255.255.0
no ip route-cache
10-28-2013 10:13 AM
OK, I'm narrowing this down slowly. I rebooted the switch and I'm able to ping 172.20.10.5 (FTPServer) from the switch (when I source the ping from vlan 4) and from the ASA. How do I get the 10.20.10.0 network able to access the DMZ (just FTPServer)?
Could it be because Eth0/2 on the ASA is native vlan and not vlan 4? I don't see an option to change it.
10-28-2013 06:58 PM
This is the correct configuration:
How do I get 10.20.10.0 network able to access just the FTP Server via its translated IP?
Step 1:
Lower the security level of the interface where the FTP server resides:
enable
config t
interface Ethernet0/2
security-level 90
Why would you do this? Because you are playing with the same-security-traffic feature, which, if you really don't know what it is used for, you should just not use, as it is not necessary in your setup.
enable
config t
static (dmz,inside) tcp 10.2.2.1 21 172.20.10.5 21 netmask 255.255.255.255
Then add the next line:
enable
config t
global (dmz) 1 interface
You might ask yourself: why am I adding this last line? Because you have the following configuration line, which obliges it to PAT when going to the DMZ.
nat (inside) 1 10.20.10.0 255.255.255.0
Now, my question to you: when you access your FTP server from the outside interface, do you do it by domain or by IP? See, it is one thing to be in the external world with some other device doing a NAT for you, and another thing to try to connect from the internal network to the DMZ FTP server and map it to what would seem to be the correct IP, which would be 10.2.2.1.
Plus your code should be updated; it is a really old version. Maybe 8.2.5 code would be OK.
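An added check, not from this thread or from Cisco, that parses an ASA 8.2-style config and flags the three conditions the replies turned on: a `static ... interface` port forward on an interface with no IP (Jouni's point), two interfaces at the same security-level with no `same-security-traffic permit inter-interface`, and a `nat` id with no `global` on the egress interface (Jcarvaja's two points). The sample config is constructed to resemble the poster's, and the drop behaviours are as the thread describes them for 8.2.

```python
import re
from itertools import combinations
# Constructed sample modelled on the thread's ASA 8.2 configs; it is not the poster's exact config.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 no ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.10.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 100
 ip address 172.20.10.1 255.255.255.0
global (outside) 1 10.2.2.2
nat (inside) 1 10.20.10.0 255.255.255.0
static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255
"""
def parse_interfaces(cfg):
    # Map each nameif to its security-level and IP address, read from the interface stanzas.
    ifcs, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"level": None, "ip": None}
        elif cur is not None and line.startswith("nameif "):
            ifcs[line.split()[1]] = cur
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line.startswith("ip address "):
            cur["ip"] = line.split()[2]
    return ifcs
def audit_asa(cfg):
    # Return a list of findings for the three conditions that broke connectivity in the thread.
    ifcs, findings = parse_interfaces(cfg), []
    # 1. 'static ... interface' borrows the mapped interface's IP; with none, the ASA rejects the command.
    for _real, mapped in re.findall(r"^static \((\w+),\s*(\w+)\)\s+(?:(?:tcp|udp)\s+)?interface\b", cfg, re.M):
        if ifcs.get(mapped, {}).get("ip") is None:
            findings.append(f"static uses 'interface' on {mapped!r}, which has no IP address")
    # 2. Two interfaces at the same security level cannot talk unless same-security-traffic is permitted.
    if "same-security-traffic permit inter-interface" not in cfg:
        for a, b in combinations(sorted(ifcs), 2):
            if ifcs[a]["level"] is not None and ifcs[a]["level"] == ifcs[b]["level"]:
                findings.append(f"{a} and {b} share security-level {ifcs[a]['level']} with no same-security-traffic permit")
    # 3. A nat id on A needs a global on each egress B (or a static between A and B), else A->B is dropped.
    globals_ = set(re.findall(r"^global \((\w+)\) (\d+)", cfg, re.M))
    statics = set(re.findall(r"^static \((\w+),\s*(\w+)\)", cfg, re.M))
    for a, nid in re.findall(r"^nat \((\w+)\) (\d+)", cfg, re.M):
        for b in ifcs:
            if b != a and (b, nid) not in globals_ and (a, b) not in statics and (b, a) not in statics:
                findings.append(f"nat ({a}) {nid} has no global ({b}) {nid} and no static between {a} and {b}")
    return findings
```

Running `audit_asa` on the sample reports all three findings; after giving outside an IP, lowering dmz to 90 and adding `global (dmz) 1 interface`, it reports none.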
10-31-2013 10:52 AM
Please update the ticket as resolved or answered so we can close out followup.
10-31-2013 11:17 AM
I don't know how to mark it as resolved without hitting correct answer?
10-31-2013 11:23 AM
Yeah, marking it with "correct answer" is the right way. If you believe that the solution was not given, you just rate it, but the idea is that if you post a question we continue the conversation until we resolve it.
Question, did you get the information that you needed or do you still have doubts?