Re: ASA: DMZ attached host access from internal/external network

iholdings · ‎03-21-2007

Greetings,

Our DMZ port on our ASA is configured more as an external/Internet facing interface. It is configured with a non-routable IP subnet 172.20.2.0/29)that's configured to route specific traffic to a set of VPN routers (non company owned). Using a couple of small switches, this same port is attached to an ISP - currently not used to route Internet traffic to/from the corporate network.

I need to be able to place an FTP host into this DMZ setup- with one NIC attached to the DMZ subnet and one NIC attached to the ISP subnet. This will allow me to control access for FTP 'PUTS' from the internal network as well as allow external FTP 'GETS' from the Internet.

Is this routing possible given this setup?

Thanks.

acomiskey · ‎03-21-2007

I think I understand what you want, but a few questions...ignore if I misunderstood what you want to do.

1. Why don't you want to go from inside through the pix to the dmz?

2. Why do you want to patch around the pix?

iholdings · ‎03-21-2007

Yes - a very good question.

We (errantly) set things up this way to accommodate a customer - when at the time, we didn't know better and this seemed to be a working solution. We know better now and only need to keep this setup as is for a while longer. Then we will set that interface up as a true DMZ.

In the meantime, I need to be able to install the FTP host as indicated - to better utilize the unused ISP and remove that traffic from the primary ISP connection.

Sounds strange I know, but I can't think of any other way around this setup - nor if it's even possible to do.

Thanks again for your prompt reply.