
New Member

ftp in dmz

Hi All,

I am fairly certain this is something that happens all the time and is a very easy thing to do for most. I have never set up a DMZ and am not the best at PIX. I have an ASA 5510 and I am trying to set up an FTP server in the DMZ that I can reach from inside and outside. I have done the following:

access-list outside_access_in extended permit tcp any host <public ip> eq ftp
access-list DMZ1_access_in extended permit tcp host 192.168.60.15 192.168.9.0 255.255.255.0 eq ftp
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255
static (DMZ1,inside) 192.168.60.10 192.168.60.10 netmask 255.255.255.255
static (DMZ1,inside) 192.168.60.15 192.168.60.15 netmask 255.255.255.255
static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255
static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group DMZ1_access_in in interface DMZ1

The ftp host private ip in the dmz is 192.168.60.15. Private hosts inside reside on 192.168.9.0. I have also allowed port 3389 to this server for testing, and this works fine.

When I view the live log, I do not see any errors, just the following when I attempt a connection from the inside:

6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout

Can someone please help?

TIA,

R
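The log lines in the post above already contain the diagnosis, and the following script (an added example, not from the thread or from Cisco) shows how to read them mechanically. A 302013 "Built" message is only logged once the ASA's ACL and translation lookups have succeeded and the SYN has been forwarded; a matching 302014 "Teardown" with "SYN Timeout" and "bytes 0" means no SYN-ACK ever came back, so the firewall rules were not the blocker and the fault lies on the far side (a host firewall or a service that is not listening). The sample log is a constructed copy of the four lines quoted above; the regular expressions, the function names and the `SERVER_PORTS` heuristic are assumptions of this example.

```python
"""Classify ASA TCP connection syslog lines (302013 Built / 302014 Teardown)."""
import re

# Constructed sample: the four ASDM live-log lines quoted in the post above.
SAMPLE_LOG = """\
6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout
"""

# "severity|timestamp|msgid: text" as shown by the ASDM live log (assumed layout).
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
# interface:address/port, numbered so both endpoints can be captured in one regex.
ENDPOINT = r"(?P<if{n}>[\w-]+):(?P<a{n}>[\d.]+)/(?P<p{n}>\d+)"
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(n=1) + r" \([^)]*\) to " + ENDPOINT.format(n=2) + r" \([^)]*\)$")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(n=1) + r" to " + ENDPOINT.format(n=2)
    + r" duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$")

# Heuristic (assumption): the endpoint on a well-known port is the server side.
SERVER_PORTS = {21, 22, 25, 80, 443, 3389}


def _ends(d):
    """Return both endpoints as (interface, address, port) tuples."""
    return ((d["if1"], d["a1"], int(d["p1"])), (d["if2"], d["a2"], int(d["p2"])))


def parse_events(text):
    """Parse Built/Teardown lines into event dicts; other message ids are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msgid, body = m.group("msgid"), m.group("text")
        if msgid == "302013":
            d = BUILT_RE.match(body)
            if d:
                events.append({"kind": "built", "ts": m.group("ts"), "conn_id": int(d["id"]),
                               "ends": _ends(d), "bytes": None, "reason": None})
        elif msgid == "302014":
            d = TEARDOWN_RE.match(body)
            if d:
                events.append({"kind": "teardown", "ts": m.group("ts"), "conn_id": int(d["id"]),
                               "ends": _ends(d), "bytes": int(d["bytes"]), "reason": d["reason"]})
    return events


def _server_side(ends):
    for e in ends:
        if e[2] in SERVER_PORTS:
            return e
    return min(ends, key=lambda e: e[2])  # fall back to the lower port


def find_unanswered_syns(text):
    """Connections the ASA built but tore down with SYN Timeout and zero bytes:
    the SYN left the firewall and nothing ever answered it."""
    findings = []
    for ev in parse_events(text):
        if ev["kind"] == "teardown" and ev["reason"] == "SYN Timeout" and ev["bytes"] == 0:
            server = _server_side(ev["ends"])
            client = ev["ends"][0] if ev["ends"][1] == server else ev["ends"][1]
            findings.append({"conn_id": ev["conn_id"], "server": server,
                             "client": client, "ts": ev["ts"]})
    return findings


def diagnose(text):
    """Summarise: how many SYNs went unanswered, which servers, and which
    connections were built but have not (yet) been torn down in this window."""
    events = parse_events(text)
    built = {e["conn_id"] for e in events if e["kind"] == "built"}
    torn = {e["conn_id"] for e in events if e["kind"] == "teardown"}
    findings = find_unanswered_syns(text)
    verdict = ("ASA permitted and forwarded the SYN but no SYN-ACK came back; "
               "check the server's host firewall and whether the service is listening"
               if findings else "no unanswered SYNs in this log")
    return {"syn_timeouts": len(findings),
            "built_without_teardown": built - torn,
            "servers": sorted({f["server"] for f in findings}),
            "verdict": verdict}


if __name__ == "__main__":
    for f in find_unanswered_syns(SAMPLE_LOG):
        print(f"conn {f['conn_id']}: {f['client']} -> {f['server']} never answered the SYN")
    print(diagnose(SAMPLE_LOG)["verdict"])
```

Run it against a paste of the live log. Because the ASA lists the lower-security interface first in these messages regardless of who opened the connection, the script identifies the server by port rather than by position, which is why 192.168.60.15/21 on DMZ1 comes out as the server and the inside host as the client.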

14 REPLIES

Re: ftp in dmz

Do you have an ACL on your inside interface? Please post it. The DMZ1_access_in ACL is applied to the DMZ interface inbound to the ASA. That means you're allowing 192.168.60.15 to FTP to the internal network! I'm betting the inside ACL is blocking FTP to the DMZ.

New Member

Re: ftp in dmz

Thank you for your reply. The only other ACL I have applied is:

access-group outside_access_in in interface outside

Re: ftp in dmz

Are you running FTP in passive mode? Try entering:

'fixup protocol ftp'

Silver

Re: ftp in dmz

First off, these two commands are unnecessary..

static (DMZ1,inside) 192.168.60.10 192.168.60.10 netmask 255.255.255.255

static (DMZ1,inside) 192.168.60.15 192.168.60.15 netmask 255.255.255.255

Second, if you have an access list on your inside interface, you need to allow traffic from the inside to the FTP server. If you do not do any egress filtering, then you should be able to hit the DMZ FTP server. Oh one other thing.. make sure you have the appropriate nat/global or static to allow the internal traffic to access the DMZ network.

Pls rate if this helps.

Cheers.

New Member

Re: ftp in dmz

My understanding is that on the ASA, version 7.0, you no longer use the fixup command; it was replaced with the following:

policy-map global_policy
class inspection_default
inspect ftp

Is this wrong?

jwalker, can you please give me an example of the correct global/nat or static, as I do not have egress filtering. I thought I understood this, but apparently I do not!

TIA,

r

Re: ftp in dmz

The fixup command creates the policy for you. Your static for inside users going to DMZ is correct and you are not doing any egress filtering (ie an ACL applied to the inside interface).

New Member

Re: ftp in dmz

Thank you for your reply, but the fixup protocol made no difference for me.

Re: ftp in dmz

Can you post a complete (but sanitized) config?

Silver

Re: ftp in dmz

Not sure what your internal ranges are, so I can't make a static, but for a nat/global you would need:

global (dmz) 1 interface

Here is a static example, though, that translates an inside range to itself on the DMZ:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

New Member

Re: ftp in dmz

Here ya go!

Re: ftp in dmz

Hi,

Try the command: ftp mode active

You should also take this one baby step at a time, allowing ip any any. Then try ping; if this works, then it is a protocol/server issue (the command above might solve it).

Please rate if this helped.

Regards,

Daniel

New Member

Re: ftp in dmz

I tried returning to ftp active mode, with no success. I allowed ping through and I can indeed ping the server. I am unsure of what else this could be. I know the service is running, as I can ftp to the localhost if I am on the localhost. Any other ideas?

Thanks

New Member

Re: ftp in dmz

Ok guys, I figured it out. I feel like such an idiot!! I had the FTP server on an XP machine, and guess what was on... yes, the XP firewall.

Thanks for all the help.

Re: ftp in dmz

:)))))

No worries, it's good now it works.

Cheers,

Daniel
