Good afternoon experts - I am in need of a quick resolution to what I am sure is a fairly standard configuration issue.
Description: we need to configure a DMZ on an ASA for an FTP server with a public IP address. Outside partners need to send files to this FTP server. We then need to have these files transferred internally to a file server.
Problem: outside partners are able to send the files to the FTP server in the DMZ, but we cannot retrieve them from the internal file server through the ASA.
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 205.x.y.z 255.255.255.248
!
interface GigabitEthernet0/1
 nameif INSIDE
 (IP address of internal file server is 192.168.x.x)
 security-level 100
 ip address 10.x.x.x 255.255.255.0
!
interface GigabitEthernet0/2
 description DMZ IP (IP address of FTP server 198.d.e.25)
 nameif DMZ
 security-level 50
 ip address 198.d.e.30 255.255.255.248
!
NAT contains this:
nat (INSIDE) 0 access-list NO-NAT
access-list NO-NAT line 153 extended permit ip host 192.168.x.x host 198.d.e.25
nat (DMZ) 0 access-list NO-NAT-DMZ
access-list NO-NAT-DMZ line 1 remark Allow traffic from SFTP server to Corp-Server
access-list NO-NAT-DMZ line 2 extended permit ip host 198.d.e.25 host 192.168.x.x
There are no access-group rules applied to INSIDE or DMZ interfaces.
What is missing, or misconfigured? Your input is greatly appreciated.
Federico - thanks for the reply, but I have one question - why would I want the "nat (inside) 1 10.x.x.x. " command to reference the 10.x.x.x - the IP address of the interface, and not the internal file server?
In addition to the static/global commands and access-list.
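Since the thread does not reproduce the static/global commands that reply refers to, here is an added worked configuration (not the poster's running config and not any respondent's) in the pre-8.3 syntax that the posted `nat (INSIDE) 0 access-list` line uses. Every address is an assumed documentation-range value standing in for the masked ones in the post: OUTSIDE 203.0.113.2/29, DMZ 198.51.100.30/29 with the FTP server at 198.51.100.25, INSIDE 10.1.1.1/24, and the file server 192.168.10.5 behind an inside router at 10.1.1.2. It assumes the upstream router already routes the DMZ's public /29 to the ASA's OUTSIDE address (the post implies this, since partners already reach the server), that the inside file server initiates the FTP session to pull files, and that the service is plain FTP; if the DMZ host is actually SFTP as the ACL remark says, use `eq ssh` instead of `eq ftp` and FTP inspection does not apply.

```cisco
! Added example (not the poster's config): ASA 8.2-style routing, NAT and ACLs for
! an FTP server on a public-addressed DMZ, pulled from by an inside file server.
! Assumed addresses (documentation ranges):
!   OUTSIDE 203.0.113.2/29, DMZ 198.51.100.30/29, FTP server 198.51.100.25,
!   INSIDE 10.1.1.1/24, file server 192.168.10.5 via inside router 10.1.1.2.
!
! 1. The file server is not on the INSIDE subnet, so the ASA needs a route to it.
!    Without one, replies from the DMZ host follow the default route out OUTSIDE.
route INSIDE 192.168.10.0 255.255.255.0 10.1.1.2 1
!
! 2. NAT. Identity statics keep real addresses on both sides of the DMZ and satisfy
!    nat-control if it is enabled. In "nat (INSIDE) 1 <addr> <mask>" the address is
!    the INSIDE source range to translate, not the translated address; the matching
!    "global (OUTSIDE) 1" supplies what it is translated to (the interface address).
static (DMZ,OUTSIDE) 198.51.100.25 198.51.100.25 netmask 255.255.255.255
static (INSIDE,DMZ) 192.168.10.5 192.168.10.5 netmask 255.255.255.255
nat (INSIDE) 1 0.0.0.0 0.0.0.0
global (OUTSIDE) 1 interface
!
! 3. Inbound from partners: only the FTP control port to the DMZ server.
access-list OUTSIDE-IN extended permit tcp any host 198.51.100.25 eq ftp
access-group OUTSIDE-IN in interface OUTSIDE
!
! 4. The DMZ host must not be able to open connections into INSIDE; allow it
!    outbound only. Order matters: the denies precede the permit.
!    Data connections opened by FTP inspection bypass this ACL.
access-list DMZ-IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ-IN extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ-IN extended permit ip host 198.51.100.25 any
access-group DMZ-IN in interface DMZ
!
! 5. FTP inspection (already in the default global_policy on a stock ASA) opens the
!    pinhole for the data connection in both active and passive mode, including the
!    DMZ (50) -> INSIDE (100) active-mode connection from port 20.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! INSIDE (100) -> DMZ (50) needs no ACL: higher to lower is permitted by default,
! and the return traffic of that session is allowed by the connection state.
```

To check it, from the file server open an FTP session to 198.51.100.25 and watch `show conn` on the ASA: the control connection should appear with INSIDE and DMZ as its interfaces, and a data connection should follow once a transfer starts. If only the control connection appears, inspection is not matching (check `show service-policy inspect ftp`); if nothing appears at all, verify the route with `show route` and, if nat-control is on, the translation with `show xlate`.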
You need a Security Plus license to do this. The Base license only allows two regular zones (inside, outside) and one restricted zone (DMZ), which can ONLY communicate with a zone with a lower security level (outside). Run the show ver command and check the license.