I've got an ASA with multiple interfaces on it. I've got an inside, outside, dmz1, dmz2, and dmz3. I have a static NAT for a server in the DMZ to a global inet address on the outside via:
static (dmz1,outside) 210.x.x.10 192.168.1.1
I have a server in dmz2 and also a server in dmz3; both are trying to FTP to the server in dmz1 using the "internet" address 210.x.x.x, NOT the actual dmz address. Logs show:
"Deny TCP reverse path check from 210.x.x.1 (outside ip of firewall) to 210.x.x.10 on interface outside"
The default route is via the outside interface. The error seems to point to a routing issue, but I'm not sure. Should these inside hosts in the other DMZs be able to talk to the FTP by using the public IP, rather than the actual IP?