ftp in dmz

rhltechie
Level 1

Hi All,

I am fairly certain this is something that happens all the time and is a very easy thing to do for most. I have never set up a DMZ and am not the best at PIX. I have an ASA 5510 and I am trying to set up an FTP server in the DMZ that I can reach from inside and outside. I have done the following:

access-list outside_access_in extended permit tcp any host <public ip> eq ftp
access-list DMZ1_access_in extended permit tcp host 192.168.60.15 192.168.9.0 255.255.255.0 eq ftp
global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (DMZ1,outside) <public ip> 192.168.60.10 netmask 255.255.255.255
static (DMZ1,inside) 192.168.60.10 192.168.60.10 netmask 255.255.255.255
static (DMZ1,inside) 192.168.60.15 192.168.60.15 netmask 255.255.255.255
static (DMZ1,outside) <public ip> 192.168.60.15 netmask 255.255.255.255
static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group DMZ1_access_in in interface DMZ1

The FTP host's private IP in the DMZ is 192.168.60.15. Private hosts inside reside on 192.168.9.0. I have also allowed port 3389 to this server for testing, and this works fine.

When I view the live log, I do not see any errors, just the following when I attempt a connection from the inside:

6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout

Can someone please help?

TIA,

R
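The log lines quoted in the post carry a useful diagnostic signal: a 302013 "Built" message followed by a 302014 "Teardown" with "bytes 0 SYN Timeout" means the ASA permitted and translated the connection but never saw a reply from the server, which points at the host rather than at firewall policy. As an added example that is not part of the thread, a small Python parser that pairs build and teardown messages by connection ID and classifies each one; the sample log is constructed from the post's own two FTP lines plus an invented, successful RDP session.

```python
import re

# Constructed sample: the two FTP lines from the post plus an invented, successful RDP session.
SAMPLE_LOG = """\
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:54:01|302013: Built outbound TCP connection 67046700 for DMZ1:192.168.60.15/3389 (192.168.60.15/3389) to inside:192.168.9.75/1430 (192.168.9.75/1430)
6|Jan 05 2007 09:55:12|302014: Teardown TCP connection 67046700 for DMZ1:192.168.60.15/3389 to inside:192.168.9.75/1430 duration 0:01:11 bytes 5120 TCP FINs
"""

# 302013: the ASA created the connection, so ACL and NAT lookups already passed.
# In these lines the lower-security endpoint (DMZ server) comes first, the inside client second.
BUILT_RE = re.compile(
    r"\|302013: Built (?:inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<server>\S+) \([^)]*\) to (?P<client>\S+) \([^)]*\)")
# 302014: the connection was removed; byte count and reason tell you how it ended.
TEARDOWN_RE = re.compile(
    r"\|302014: Teardown TCP connection (?P<cid>\d+) for (?P<server>\S+) to (?P<client>\S+) "
    r"duration \d+:\d\d:\d\d bytes (?P<bytes>\d+) (?P<reason>.+)$")

def pair_connections(log_text):
    """Join each build line to its teardown line by connection ID."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["cid"]] = {"server": m["server"], "client": m["client"],
                               "bytes": None, "reason": None}
            continue
        m = TEARDOWN_RE.search(line)
        if m:  # tolerate a teardown whose build line was not captured
            c = conns.setdefault(m["cid"], {"server": m["server"], "client": m["client"]})
            c["bytes"] = int(m["bytes"])
            c["reason"] = m["reason"].strip()
    return conns

def classify(conn):
    """Turn the teardown reason into a troubleshooting verdict."""
    if conn["reason"] is None:
        return "still open"
    if conn["reason"] == "SYN Timeout" and conn["bytes"] == 0:
        # Policy passed but no SYN/ACK came back: check the server host (listening
        # service, host firewall) or its return route, not the ACLs.
        return "permitted, no reply from server"
    if conn["reason"] == "TCP FINs":
        return "completed normally"
    return "other: " + conn["reason"]

def report(log_text):
    """(connection id, server, client, verdict) for every connection in the log."""
    return [(cid, c["server"], c["client"], classify(c))
            for cid, c in pair_connections(log_text).items()]
```

Running `report(SAMPLE_LOG)` flags the FTP connection as permitted but unanswered while the RDP session completes normally, which is exactly the split the poster observed between port 21 and port 3389.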

14 Replies

Collin Clark
VIP Alumni

Do you have an ACL on your inside interface? Please post it. The DMZ1_access_in ACL is applied to the DMZ interface inbound to the ASA. That means you're allowing 192.168.60.15 to FTP to the internal network! I'm betting the inside ACL is blocking FTP to the DMZ.

Thank you for your reply. The only other ACL I have applied is:

access-group outside_access_in in interface outside

Are you running FTP in passive mode? Try entering:

'fixup protocol ftp'

First off, these two commands are unnecessary:

static (DMZ1,inside) 192.168.60.10 192.168.60.10 netmask 255.255.255.255
static (DMZ1,inside) 192.168.60.15 192.168.60.15 netmask 255.255.255.255

Second, if you have an access list on your inside interface, you need to allow traffic from the inside to the FTP server. If you do not do any egress filtering, then you should be able to hit the DMZ FTP server. Oh, one other thing: make sure you have the appropriate nat/global or static to allow the internal traffic to access the DMZ network.

Pls rate if this helps.

Cheers.

My understanding is that on the ASA, ver 7.0, you no longer use the fixup command, and that it was replaced with the following:

policy-map global_policy
 class inspection_default
  inspect ftp

Is this wrong?

jwalker, can you please give me an example of the correct global/nat or static, as I do not have egress filtering? I thought I understood this, but apparently I do not!

TIA,

r

The fixup command creates the policy for you. Your static for inside users going to DMZ is correct and you are not doing any egress filtering (ie an ACL applied to the inside interface).

Thank you for your reply, but the fixup protocol made no difference for me.

Can you post a complete (but sanitized) config?

Not sure what your internal ranges are to make a static, but for a nat/global you would need:

global (dmz) 1 interface

Here is a static example, though, that translates an inside range to itself on the DMZ:

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

here ya go!

Hi,

Try the command: ftp mode active

You should also take this one baby step at a time, allowing ip any any. Then try ping; if this works, then it is a protocol/server issue (the command above might solve it).

Please rate if this helped.

Regards,

Daniel

I tried returning to FTP active mode, with no success. I allowed ping through and I can indeed ping the server. I am unsure of what else this could be. I know the service is running, as I can FTP to the localhost if I am on the localhost. Any other ideas?

thanks

Ok guys, I figured it out. I feel like such an idiot!! I had the FTP server on an XP machine, and guess what was on... yes, the XP firewall.

thanks for all the help.

:)))))

No worries, it's good now it works.

Cheers,

Daniel
