Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2438
Views
0
Helpful
40
Replies

ASA 5510 DMZ Nat question

Go to solution
gtorresjr77
Level 1
Level 1

‎10-23-2013 09:13 AM - edited ‎03-11-2019 07:55 PM

Hi All,

first time posting.

so my goal is to have an FTP Server on the DMZ and be able to access it using the outside interface (which is currently just configured as 10.2.2.2)  I tried adding the NAT rule using asdm and CLI but it won't take.   What am I missing that i can't NAT

static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0

here is the current config

Thanks

ASA Version 8.2(1)

!

!

interface Ethernet0/0

nameif outside

security-level 0

no ip address

!

interface Ethernet0/1

nameif inside

security-level 100

no ip address

!

interface Ethernet0/1.1

vlan 1

nameif inside1

security-level 100

ip address 10.20.10.1 255.255.255.0

!

interface Ethernet0/1.3

vlan 3

nameif inside3

security-level 100

ip address 10.40.20.1 255.255.255.0

!

interface Ethernet0/2

nameif dmz

security-level 50

ip address 172.20.10.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa821-k8.bin

ftp mode passive

object-group network inside-subnet

network-object 10.20.10.0 255.255.255.0

network-object 10.40.10.0 255.255.255.0

object-group network FTPServer

network-object 172.20.10.5 255.255.255.255

object-group network FTPServer-External

network-object 10.2.2.2 255.255.255.255

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

mtu dmz 1500

mtu inside1 1500

mtu inside3 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

global (outside) 1 10.2.2.2

nat (dmz) 1 172.20.10.0 255.255.255.0

nat (inside1) 1 10.20.10.0 255.255.255.0

nat (inside3) 1 10.40.20.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

Labels:
0 Helpful
40 Replies 40

Go to solution
gtorresjr77
Level 1
Level 1
In response to jumora

‎11-06-2013 01:14 PM

nevermind, i see what you meant.  that was a typo, i did do port 21 not 23, sorry for confusion

0 Helpful

Go to solution
gtorresjr77
Level 1
Level 1
In response to gtorresjr77

‎11-06-2013 01:23 PM

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/51008 to

outside:173.220.176.250/31311 duration 0:02:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/51012 to

outside:173.220.176.250/12202 duration 0:02:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/51013 to

outside:173.220.176.250/63796 duration 0:02:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/51014 to

outside:173.220.176.250/13247 duration 0:02:00

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-6-305011: Built dynamic TCP translation from inside:10.20.10.32/51037 to ou

tside:173.220.176.250/39491

%ASA-6-302013: Built outbound TCP connection 13229 for outside:74.125.226.242/44

3 (74.125.226.242/443) to inside:10.20.10.32/51037 (173.220.176.250/39491)

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/51015 to

outside:173.220.176.250/21504 duration 0:02:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/51016 to

outside:173.220.176.250/4436 duration 0:02:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/51017 to

outside:173.220.176.250/24245 duration 0:02:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/51018 to

outside:173.220.176.250/44589 duration 0:02:00

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-6-305011: Built dynamic UDP translation from inside:10.20.10.32/427 to outs

ide:173.220.176.250/201

%ASA-6-302015: Built outbound UDP connection 13230 for outside:10.0.10.204/427 (

10.0.10.204/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-6-302015: Built outbound UDP connection 13231 for outside:192.168.130.201/4

27 (192.168.130.201/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-6-302015: Built outbound UDP connection 13232 for outside:10.0.10.15/427 (1

0.0.10.15/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-6-302015: Built outbound UDP connection 13233 for outside:10.0.10.202/427 (

10.0.10.202/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-6-302015: Built outbound UDP connection 13234 for outside:192.168.130.34/42

7 (192.168.130.34/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-6-302015: Built outbound UDP connection 13235 for outside:192.168.130.10/42

7 (192.168.130.10/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-6-302015: Built outbound UDP connection 13236 for outside:10.0.10.205/427 (

10.0.10.205/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-6-302015: Built outbound UDP connection 13237 for outside:10.0.10.200/427 (

10.0.10.200/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-6-302015: Built outbound UDP connection 13238 for outside:192.168.130.80/42

7 (192.168.130.80/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-6-302015: Built outbound UDP connection 13239 for outside:192.0.0.212/427 (

192.0.0.212/427) to inside:10.20.10.32/427 (173.220.176.250/201)

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-6-305011: Built dynamic UDP translation from inside:10.20.10.32/61512 to ou

tside:173.220.176.250/2417

%ASA-6-302015: Built outbound UDP connection 13244 for outside:202.12.28.131/53

(202.12.28.131/53) to inside:10.20.10.32/61512 (173.220.176.250/2417)

%ASA-6-302013: Built outbound TCP connection 13245 for dmz:172.20.10.5/445 (172.

20.10.5/445) to inside:10.20.10.32/51039 (10.20.10.32/51039)

%ASA-6-110003: Routing failed to locate next hop for TCP from inside:10.20.10.32

/51039 to dmz:172.20.10.5/445

%ASA-6-302016: Teardown UDP connection 13244 for outside:202.12.28.131/53 to ins

ide:10.20.10.32/61512 duration 0:00:00 bytes 199

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-6-302013: Built outbound TCP connection 13246 for dmz:172.20.10.5/445 (172.

20.10.5/445) to inside:10.20.10.32/51042 (10.20.10.32/51042)

%ASA-6-302013: Built outbound TCP connection 13247 for dmz:172.20.10.5/445 (172.

20.10.5/445) to inside:10.20.10.32/51043 (10.20.10.32/51043)

%ASA-6-302013: Built outbound TCP connection 13248 for dmz:172.20.10.5/445 (172.

20.10.5/445) to inside:10.20.10.32/51044 (10.20.10.32/51044)

%ASA-6-302013: Built outbound TCP connection 13249 for dmz:172.20.10.5/139 (172.

20.10.5/139) to inside:10.20.10.32/51045 (10.20.10.32/51045)

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-7-710005: UDP request discarded from 10.20.10.32/137 to inside:10.20.10.255

/137

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/50965 to

outside:173.220.176.250/2659 duration 0:05:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/50974 to

outside:173.220.176.250/42541 duration 0:05:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/50978 to

outside:173.220.176.250/31609 duration 0:05:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/50979 to

outside:173.220.176.250/60361 duration 0:05:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/50980 to

outside:173.220.176.250/61233 duration 0:05:00

%ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.10.32/50981 to

outside:173.220.176.250/45256 duration 0:05:00

<--- More --->

0 Helpful

Go to solution
jumora
Level 7
Level 7
In response to gtorresjr77

‎11-06-2013 01:43 PM

None of the logs show FTP port TCP/21 so I am not sure if you tried to run a FTP connection

Value our effort and rate the assistance!
0 Helpful

Go to solution
gtorresjr77
Level 1
Level 1
In response to jumora

‎11-06-2013 01:50 PM

i did, I tried an ftp and browse.

did you notice anything wrong with config? are forums members allowed to do a join.me?  This is frustrating.

0 Helpful

Go to solution
gtorresjr77
Level 1
Level 1
In response to gtorresjr77

‎11-06-2013 01:59 PM

Can't update the code because the client won't pay for addtional memory to support upgrade.

0 Helpful

Go to solution
jumora
Level 7
Level 7
In response to gtorresjr77

‎11-06-2013 02:00 PM

If you send me the join me I can get in I have no problem.

Value our effort and rate the assistance!
0 Helpful

Go to solution
gtorresjr77
Level 1
Level 1
In response to jumora

‎11-06-2013 02:08 PM

do you have email?  or should i just post it here?

0 Helpful

Go to solution
gtorresjr77
Level 1
Level 1
In response to gtorresjr77

‎11-06-2013 02:13 PM

can't go past 5:30 at client, if you are available around 7pm, i can get you connected remotely when i get home?  or we can pick it up tomorrow?

0 Helpful

Go to solution
jumora
Level 7
Level 7
In response to gtorresjr77

‎11-06-2013 02:30 PM

jumora@cisco.com

Value our effort and rate the assistance!
0 Helpful

Go to solution
jumora
Level 7
Level 7
In response to jumora

‎11-06-2013 02:39 PM

or  juanmh84@hotmail.com

Value our effort and rate the assistance!
0 Helpful

Go to solution
gtorresjr77
Level 1
Level 1
In response to jumora

‎11-12-2013 02:18 PM

Thank you for the assistance Juan.   You resolved the issue much quicker than i thought.   Your help was greatly appreciated.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card