
Problem port forwarding on ASA 5505

mesystems
Level 1

Hello,

I have an FTP server running on 192.168.1.170 on port 21 and I want to do port forwarding on my Cisco ASA 5505.

The outside IP address is 10.1.1.2, but I can't make a connection from a client with IP address 10.1.1.1.

I did the same with a USRobotics router and it works like a charm. So the problem must be in the Cisco configuration.

My config:

: Saved
: Written by enable_15 at 12:57:10.202 UTC Sat Mar 28 2009
!
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ftp 192.168.1.170 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.170 ftp netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:08bbfacb3de9a0ecc718793d99d3effc
: end

kind regards,

ME

3 Replies

1) Issue the command below:

fixup protocol ftp 21 (I read that this is necessary when you are NATting the FTP server IP address; this will not show up in your running-config)

2) You don't need to permit ftp-data in the access-list applied to the outside interface, as the firewall inspects FTP and dynamically opens the ports needed for the data channel.

So the ACE below is not needed:

access-list outside_access_in extended permit tcp any interface outside eq ftp-data

And also, the destination address in your ACE should be an IP address (host 10.1.1.20), shouldn't it?

3) The static below is wrong; you are forwarding ftp-data to ftp:

static (inside,outside) tcp interface ftp-data 192.168.1.170 ftp (should be ftp-data) netmask 255.255.255.255

If it doesn't work with the above static, I suggest you do a one-to-one static instead of the existing two, without port forwarding:

static (inside,outside) tcp interface 192.168.1.170 netmask 255.255.255.255

HTH

Vikram

sdoremus33
Level 3

You could try this:

1. Create the ACL

access-list outside_access_in permit tcp any host "ip address of outside interface" eq ftp

access-list outside_access_in permit tcp any host "ip address of outside interface" eq ftp-data

Apply it to the outside interface in the inbound direction:

access-group outside_access_in in interface outside

2. Add the static statements:

static (inside,outside) tcp interface ftp 192.168.1.170 ftp netmask 255.255.255.255

static (inside,outside) tcp interface ftp-data 192.168.1.170 ftp netmask 255.255.255.255 0 0

access-list outside_access_in extended permit tcp any interface outside eq ftp-data 0 0

Yudong Wu
Level 7

Try the following:

1. Remove the "static" and "acl entry" related to ftp-data. Since "inspect ftp" has been enabled, the system will open port 20 automatically.

2. Use the IP address instead of "interface" in both the ACL and the static NAT config and try it again.
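Reading the three replies together, the thread's diagnosis comes down to two config-level facts: the second static forwards mapped port ftp-data to real port ftp, so two outside ports land on the same inside socket, and with "inspect ftp" enabled the ftp-data static and ACE are not needed at all. As an added example (my own code, not from the thread or from Cisco), the Python below parses the ACL, static and inspect lines of a pre-8.3 ASA configuration and reports exactly those conditions, plus the related case of an inbound ACE that permits a port no static translates. The two config excerpts are taken from the post above; the regexes and the port-name table are my own and only cover the 7.x syntax seen here.

```python
import re
from typing import Dict, List, Set, Tuple

# Excerpt of the ASA 7.2(3) configuration posted above (constructed sample:
# only the ACL, static and inspection lines the replies discuss are kept).
POSTED_CONFIG = """\
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq ftp-data
static (inside,outside) tcp interface ftp 192.168.1.170 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.170 ftp netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect ftp
"""

# The same excerpt with the change the replies converge on: the ftp-data
# static and ACE are dropped because inspect ftp opens the data channel.
CORRECTED_CONFIG = """\
access-list outside_access_in extended permit tcp any interface outside eq ftp
static (inside,outside) tcp interface ftp 192.168.1.170 ftp netmask 255.255.255.255
policy-map global_policy
 class inspection_default
  inspect ftp
"""

# Service names the ASA CLI accepts in place of port numbers (subset).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23,
              "smtp": 25, "http": 80, "www": 80, "https": 443}

# Pre-8.3 "static" with port translation, and an extended ACE with "eq <port>".
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?:extended )?permit (?P<proto>tcp|udp) \S+ "
    r"(?P<dst>interface \w+|host \S+|any) eq (?P<port>\S+)"
)


def port_number(token: str) -> int:
    """Resolve a numeric or named ASA port token to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse(config: str) -> Tuple[List[Dict], List[Tuple[str, int]], bool]:
    """Collect port-forwarding statics, inbound ACEs and whether inspect ftp is on."""
    statics: List[Dict] = []
    aces: List[Tuple[str, int]] = []
    inspect_ftp = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            statics.append({"proto": m["proto"], "real_ip": m["real_ip"],
                            "mapped_port": port_number(m["mapped_port"]),
                            "real_port": port_number(m["real_port"])})
        elif m := ACE_RE.match(line):
            aces.append((m["proto"], port_number(m["port"])))
        elif line == "inspect ftp":
            inspect_ftp = True
    return statics, aces, inspect_ftp


def lint_port_forwarding(config: str) -> List[str]:
    """One finding per inconsistency between statics, ACEs and FTP inspection."""
    statics, aces, inspect_ftp = parse(config)
    findings: List[str] = []

    # 1. Two statics landing on the same real ip:port: the second is almost
    #    always a copy-paste slip (ftp-data mapped to real port 21 above).
    seen: Dict[Tuple[str, str, int], int] = {}
    for s in statics:
        key = (s["proto"], s["real_ip"], s["real_port"])
        if key in seen:
            findings.append(f"mapped ports {seen[key]} and {s['mapped_port']} both "
                            f"forward to {s['real_ip']}:{s['real_port']}; check the real port")
        else:
            seen[key] = s["mapped_port"]

    # 2. An inbound ACE that permits a port no static translates is dead: the
    #    packet is allowed through the ACL but has no xlate to reach the inside.
    mapped: Set[Tuple[str, int]] = {(s["proto"], s["mapped_port"]) for s in statics}
    for proto, port in aces:
        if (proto, port) not in mapped:
            findings.append(f"ACE permits {proto}/{port} inbound but no static maps that port")

    # 3. With inspect ftp the firewall opens the data channel dynamically, so an
    #    explicit ftp-data (20) static or ACE only adds a permanently open port.
    if inspect_ftp:
        if any(port == 20 for _, port in aces):
            findings.append("ACE for ftp-data (20) is redundant under inspect ftp")
        if any(s["mapped_port"] == 20 for s in statics):
            findings.append("static for ftp-data (20) is redundant under inspect ftp")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, "->", lint_port_forwarding(cfg) or ["no findings"])
```

Run against the posted excerpt it reports three findings (the duplicate real-port target and the two redundant ftp-data entries); against the corrected excerpt it reports none. It deliberately does not judge the "interface" keyword versus a literal outside address that the last two replies raise, since both forms are accepted by the 7.x CLI and that is a configuration-style choice rather than a defect the config text alone can settle.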
