01-05-2007 05:59 AM - edited 03-11-2019 02:15 AM
Hi All,
I am fairly certain this is something that happens all the time and a very easy thing to do for most. I have never set up a DMZ and am not the best at PIX. I have an ASA 5510 and I am trying to set up an FTP server in the DMZ that I can reach from inside and outside. I have done the following:
access-list outside_access_in extended permit tcp any host <public ip> eq ftp
access-list DMZ1_access_in extended permit tcp host 192.168.60.15 192.168.9.0 255.255.255.0 eq ftp
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255
static (DMZ1,inside) 192.168.60.10 192.168.60.10 netmask 255.255.255.255
static (DMZ1,inside) 192.168.60.15 192.168.60.15 netmask 255.255.255.255
static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255
static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group DMZ1_access_in in interface DMZ1
The FTP host's private IP in the DMZ is 192.168.60.15. Private hosts inside reside on 192.168.9.0. I have also allowed port 3389 to this server for testing, and this works fine.
When I view the live log, I do not see any errors, just the following when I attempt a connection from the inside:
6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout
Can someone please help?
TIA,
R
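Reading the four log lines above mechanically, as an added example that is not part of the original post or of any Cisco tooling: a small Python parser for ASA 302013/302014 messages that separates "the ASA built the connection but the server never answered" from "sessions completing". The FTP lines in the sample are the ones from the post; the two port-3389 lines are constructed to show a completed session.

```python
import re

# Constructed sample in the ASA 302013/302014 format from the post above: the
# four FTP lines are the post's own; the two port-3389 lines are made up here.
SAMPLE_LOG = """\
6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:55:01|302013: Built outbound TCP connection 67046700 for DMZ1:192.168.60.15/3389 (192.168.60.15/3389) to inside:192.168.9.75/1425 (192.168.9.75/1425)
6|Jan 05 2007 09:58:12|302014: Teardown TCP connection 67046700 for DMZ1:192.168.60.15/3389 to inside:192.168.9.75/1425 duration 0:03:11 bytes 48210 TCP FINs
"""

# The lower-security endpoint (the DMZ1 server here) is listed first, the inside client second.
BUILT = re.compile(
    r"\|302013: Built \w+ TCP connection \d+ for "
    r"(?P<srv_if>[\w-]+):(?P<srv_ip>[\d.]+)/(?P<srv_port>\d+) \S+ to [\w-]+:[\d.]+/\d+")
TEARDOWN = re.compile(
    r"\|302014: Teardown TCP connection \d+ for "
    r"(?P<srv_if>[\w-]+):(?P<srv_ip>[\d.]+)/(?P<srv_port>\d+) to [\w-]+:[\d.]+/\d+ "
    r"duration \S+ bytes (?P<bytes>\d+) (?P<reason>.+)$")


def summarize(log_text):
    """Group Built/Teardown lines by server endpoint and count how each flow ended."""
    stats = {}
    for line in log_text.splitlines():
        m = BUILT.search(line) or TEARDOWN.search(line)
        if not m:
            continue
        key = f"{m['srv_if']}:{m['srv_ip']}/{m['srv_port']}"
        s = stats.setdefault(key, {"built": 0, "syn_timeout": 0, "with_data": 0})
        if "bytes" not in m.groupdict():  # 302013 Built: ACL and NAT already passed the SYN
            s["built"] += 1
        elif m["reason"] == "SYN Timeout" and int(m["bytes"]) == 0:  # no SYN/ACK came back
            s["syn_timeout"] += 1
        elif int(m["bytes"]) > 0:
            s["with_data"] += 1
    return stats


def verdict(s):
    """A Built line followed only by SYN Timeouts means the ASA forwarded the SYN
    (an ACL deny would log 106023 and build nothing) and the server never answered:
    look at the host firewall, the listening service or the server's route back."""
    if s["with_data"]:
        return "sessions completing"
    if s["built"] and s["syn_timeout"]:
        return "passed by ASA, no reply from server: check host firewall/service"
    return "inconclusive"
```

Run over the post's own lines this points at the server side, which is exactly where the thread ends up (the XP firewall on the FTP host).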
01-05-2007 06:44 AM
Do you have an ACL on your inside interface? Please post it. The DMZ1_access_in ACL is applied to the DMZ interface inbound to the ASA. That means you're allowing 192.168.60.15 to FTP to the internal network! I'm betting the inside ACL is blocking FTP to the DMZ.
01-05-2007 06:50 AM
Thank you for your reply. The only other ACL I have applied is:
access-group outside_access_in in interface outside
01-05-2007 08:57 AM
Are you running FTP in passive mode? Try entering:
'fixup protocol ftp'
01-05-2007 08:59 AM
First off, these two commands are unnecessary:
static (DMZ1,inside) 192.168.60.10 192.168.60.10 netmask 255.255.255.255
static (DMZ1,inside) 192.168.60.15 192.168.60.15 netmask 255.255.255.255
Second, if you have an access list on your inside interface, you need to allow traffic from the inside to the FTP server. If you do not do any egress filtering, then you should be able to hit the DMZ FTP server. Oh, one other thing: make sure you have the appropriate nat/global or static to allow the internal traffic to access the DMZ network.
Pls rate if this helps.
Cheers.
01-05-2007 09:05 AM
My understanding is that on the ASA, ver 7.0, you no longer use the fixup command; it was replaced with the following:
policy-map global_policy
class inspection_default
inspect ftp
Is this wrong?
jwalker, can you please give me an example of the correct global/nat or static, as I do not have egress filtering? I thought I understood this, but apparently I do not!
TIA,
r
01-05-2007 09:41 AM
The fixup command creates the policy for you. Your static for inside users going to DMZ is correct and you are not doing any egress filtering (ie an ACL applied to the inside interface).
01-05-2007 09:58 AM
Thank you for your reply, but the fixup protocol made no difference for me.
01-05-2007 12:17 PM
Can you post a complete (but sanitized) config?
01-05-2007 12:45 PM
Not sure what your internal ranges are in order to make a static, but for a nat/global you would need:
global (dmz) 1 interface
Here is a static example, though, that translates an inside range to itself on the DMZ:
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
01-05-2007 01:35 PM
01-06-2007 12:46 PM
Hi,
Try the command: ftp mode active
You should also take this one baby step at a time, allowing ip any any. Then try ping; if this works, then it is a protocol/server issue (the command above might solve it).
Please rate if this helped.
Regards,
Daniel
01-08-2007 05:32 AM
I tried returning to FTP active mode, with no success. I allowed ping through and I can indeed ping the server. I am unsure of what else this could be. I know the service is running, as I can FTP to the localhost if I am on the localhost. Any other ideas?
Thanks
01-08-2007 05:45 AM
Ok guys, I figured it out. I feel like such an idiot!! I had the FTP server on an XP machine, and guess what was on... yes, the XP firewall.
Thanks for all the help.
01-09-2007 10:43 AM
:)))))
No worries, it's good now it works.
Cheers,
Daniel