Cisco Support Community
ASA DMZ configuration issue

Good afternoon experts - I am in need of a quick resolution to what I am sure is a fairly standard configuration issue.

Description:  we need to configure a DMZ on an ASA for an FTP server with a public IP address.  Outside partners need to send files to this FTP server.  We then need to have these files transferred internally to a file server.

Problem:  outside partners are able to send the files to the FTP server in the DMZ, but we cannot retrieve them from the internal file server through the ASA.

Relevant configuration:

interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 205.x.y.z 255.255.255.248
!
interface GigabitEthernet0/1
nameif INSIDE
! the internal file server (192.168.x.x) is reached through this interface
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ IP (IP address of FTP server 198.d.e.25)
nameif DMZ
security-level 50
ip address 198.d.e.30 255.255.255.248
!

NAT contains this:

nat (INSIDE) 0 access-list NO-NAT

access-list NO-NAT line 153 extended permit ip host 192.168.x.x host 198.d.e.25
nat (DMZ) 0 access-list NO-NAT-DMZ
access-list NO-NAT-DMZ line 1 remark Allow traffic from SFTP server to Corp-Server
access-list NO-NAT-DMZ line 2 extended permit ip host 198.d.e.25 host 192.168.x.x

There are no access-group rules applied to INSIDE or DMZ interfaces.

What is missing, or misconfigured?  Your input is greatly appreciated.

Thanks, Patrick

5 REPLIES

Re: ASA DMZ configuration issue

Many many ways to do it.

But for example if you need from the internal network to reach the DMZ, can try this:

nat (inside) 1 10.x.x.x 255.255.255.0

global (DMZ) 1 interface

Federico.

Re: ASA DMZ configuration issue

Federico - thanks for the reply, but I have one question: why would I want the "nat (inside) 1 10.x.x.x" command to reference the 10.x.x.x, the IP address of the interface, and not the internal file server?

Thanks, Patrick

Re: ASA DMZ configuration issue

If you need to access the FTP server (on the DMZ) from the inside network, that's what you need (we can restrict it to be from a single server).

If on the other hand, you need the FTP server to initiate a connection to the inside server, then you will need a static NAT and an ACL.

Federico.
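A worked configuration for both directions Federico describes above: the inside file server reaching the DMZ FTP server (his first reply, narrowed to a single host as he says it can be), and the FTP server initiating a connection to the inside server (static NAT plus an ACL, his second reply). This is an added example, not Federico's or Cisco's text; it uses the pre-8.3 NAT syntax the thread itself uses and keeps the thread's placeholder addresses. The ACL name DMZ-IN, the tcp/22 port for the transfer and the 10.0.0.0/8 and 192.168.0.0/16 internal ranges are assumptions, not details from the thread.

```cisco
! --- Inside -> DMZ (connection initiated by the inside file server) ---
! Exempt the file server from translation toward the DMZ (NAT exemption).
! This matches one inside host instead of Federico's subnet-wide
! "nat (inside) 1 / global (DMZ) 1 interface" pair. Placeholders kept from the thread.
access-list NO-NAT extended permit ip host 192.168.x.x host 198.d.e.25
nat (INSIDE) 0 access-list NO-NAT
! No access-group is needed for this direction: the ASA allows traffic from a
! higher security level (INSIDE, 100) to a lower one (DMZ, 50) by default.

! --- DMZ -> inside (connection initiated by the FTP server) ---
! Static identity translation: the inside server keeps its real address as seen
! from the DMZ, so the FTP server connects to 192.168.x.x directly.
static (INSIDE,DMZ) 192.168.x.x 192.168.x.x netmask 255.255.255.255
! Inbound ACL on the DMZ interface. Once an access-group is bound, everything not
! explicitly permitted is dropped, so list only what the FTP server must reach.
! Port 22 is an assumption; the thread does not say which transfer protocol is used.
access-list DMZ-IN extended permit tcp host 198.d.e.25 host 192.168.x.x eq 22
! Keep the DMZ host away from every other internal address (assumed ranges), then
! let it reach the outside. Replies to partner uploads are stateful and need no entry.
access-list DMZ-IN extended deny ip any 192.168.0.0 255.255.0.0
access-list DMZ-IN extended deny ip any 10.0.0.0 255.0.0.0
access-list DMZ-IN extended permit ip host 198.d.e.25 any
access-group DMZ-IN in interface DMZ

! FTP inspection (normally already in the default global policy) so the data
! channel of the partners' FTP sessions is tracked through the firewall.
policy-map global_policy
 class inspection_default
  inspect ftp
```

Two checks worth running after applying this: `show nat` should list the exemption and the static, and `packet-tracer input DMZ tcp 198.d.e.25 1025 192.168.x.x 22` should end with the ACL and NAT phases allowed. Note that a `nat 0 access-list` exemption, which the original post already has on both INSIDE and DMZ, is bidirectional, so the `static` line is only strictly required where no exemption exists; the `access-group` on the DMZ interface is the piece that actually lets the DMZ host open a connection upward. ASA 8.3 and later replace this NAT syntax with object NAT and the same intent has to be expressed differently.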

Re: ASA DMZ configuration issue

In addition to the static/global commands and the access-list, you need a Security Plus license to do this. The Base license only allows two regular zones (inside, outside) and one restricted zone (dmz), which can ONLY communicate with a zone that has a lower security level (outside). Run the show ver command and check the license.

// Roger

Re: ASA DMZ configuration issue

Federico, Roger - thanks for the replies.

Turns out there was an issue with the FTP authentication, not a DMZ config issue.

ASA DMZ config worked as posted.

Thanks again.  Patrick