Cisco Support Community
DMZ FTP server

Hello,

I have this configuration:

Host 172.16.1.x/24 > ASA 5510 > Router 2811 > Router 871 > ASA 5505 > Host 172.16.2.x/ 24.

I have added an FTP server on port 2 of the ASA 5510 with the IP address 172.16.0.2/252.

I need to know how to configure access to the FTP server.

I have configured the ASA5510 and ASA5505 like this, but the hosts in 172.16.2.x/24 cannot access the FTP server.

ASA5510:

ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp host 10.52.72.135 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit ip host 172.16.2.2 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit ip host 172.16.0.6 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit icmp host 172.16.2.0 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq ftp
access-list outside_access_in extended permit tcp any host 172.16.0.2 eq ftp-data
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 10.52.72.128 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.0.4 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.0.0 255.255.255.252 172.16.2.0 255.255.255.0
nat-control
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.1.0 255.255.255.0
static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255
access-group outside_access_in in interface outside

ASA 5505:

ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp host 172.16.0.5 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit icmp host 172.16.1.2 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit ip host 172.16.1.2 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit ip host 10.52.69.120 172.16.2.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit ip host 172.16.0.2 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.0.4 255.255.255.252
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 10.52.69.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.16.2.0 255.255.255.0 172.16.0.0 255.255.255.252
nat-control
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.16.2.0 255.255.255.0
access-group outside_access_in in interface outside

Regards

Accepted solution

Re: DMZ FTP server

Hi,

Please try to access the FTP server 172.16.0.2 from the 172.16.2.0/24 network after the static NAT in the ASA5510, 'static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255', is removed.

Because this static NAT is coming into the flow unnecessarily.

Regards

Replies

Re: DMZ FTP server

Hi Malliot

Have you configured any tunnel between both sites? If yes, please post the conf. of that as well.

Regards

Jithesh


Re: DMZ FTP server

Hi jetheshkjoy

I have a tunnel between my router 2811 and 871.

I will post my conf in a few minutes.

But the ASA5510 receives this message when I try to connect to the FTP server:

%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21
%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21

Regards
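As an added example (not code from this thread or from Cisco), here is a small Python check that parses %ASA-3-305005 messages like the ones quoted above and correlates them with the legacy 'static (real_if,mapped_if) mapped real netmask mask' lines from a running config: it flags a static whose mapped (global) address range contains the source of a dropped outside-to-DMZ flow bound for that static's real address, which is the collision the accepted answer removes. The sample config and log lines are constructed from what the thread quotes; the field names and function names are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Pattern for the %ASA-3-305005 message quoted in the thread (legacy pre-8.3 syslog text).
MSG_305005 = re.compile(
    r"%ASA-3-305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")
# Pattern for the legacy 'static (real_if,mapped_if) mapped real netmask mask' line in the post.
STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<mapped>[\d.]+) "
    r"(?P<real>[\d.]+) netmask (?P<mask>[\d.]+)")

def parse_305005(line):
    """Fields of a 305005 drop message, or None for any other log line."""
    m = MSG_305005.search(line)
    return m.groupdict() if m else None

def parse_static(line):
    m = STATIC_RE.search(line)
    return m.groupdict() if m else None

def check_static_against_drops(config_lines, log_lines):
    """Flag a static whose mapped range contains the *source* of a dropped flow that
    arrived on the mapped interface and targets the static's real address: the static
    claims a remote client's IP as the DMZ server's outside identity, so nothing matches."""
    statics = [s for s in map(parse_static, config_lines) if s]
    findings = []
    for line in log_lines:
        ev = parse_305005(line)
        if ev is None:
            continue
        for s in statics:
            mapped_net = ip_network(f"{s['mapped']}/{s['mask']}", strict=False)
            if (ev["src_if"] == s["mapped_if"] and ev["dst_if"] == s["real_if"]
                    and ip_address(ev["src_ip"]) in mapped_net and ev["dst_ip"] == s["real"]):
                findings.append({"client": ev["src_ip"], "server": ev["dst_ip"], "port": int(ev["dst_port"]),
                                 "static": f"static ({s['real_if']},{s['mapped_if']}) {s['mapped']} {s['real']}"})
    return findings

# Constructed sample input, copied from the config and syslog lines quoted in the thread.
SAMPLE_CONFIG = ["nat-control",
                 "static (DMZ,outside) 172.16.2.2 172.16.0.2 netmask 255.255.255.255"]
SAMPLE_LOG = ["%ASA-3-305005: No translation group found for tcp src outside:172.16.2.2/1106 dst DMZ:172.16.0.2/21"]

if __name__ == "__main__":
    for f in check_static_against_drops(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"client {f['client']} -> {f['server']}:{f['port']} collides with '{f['static']}'")
```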



Re: DMZ FTP server

Hi

Is the issue resolved?

Regards

Jithesh


Re: DMZ FTP server

Yes, thank you Jithesh


Re: DMZ FTP server

It is my pleasure.
