FTP and DMZ

wbartholomew · ‎06-21-2002

Below is config for my pix I'm working with. However, I can't connect to FTP from the inside when allowing FTP ports both TCP and UDP. However, when I allow all ports (i.e. permit IP any any) it works fine. What gives?

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside 12.163.44.4 255.255.255.0

ip address inside 192.168.1.253 255.255.255.0

ip address dmz 10.0.0.1 255.255.255.0

global (outside) 1 12.163.44.250-12.163.44.253 netmask 255.255.255.0

global (outside) 1 12.163.44.254 netmask 255.255.255.255

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

static (dmz,outside) 12.163.44.102 wadetest netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

access-list 101 permit tcp any host wadetest eq ftp

access-list 101 permit tcp any host wadetest eq ftp-data

access-list 101 permit udp any host wadetest eq 20

access-list 101 permit udp any host wadetest eq 21

access-group 101 in interface outside

yusuff · ‎06-21-2002

If your FTP server is on the DMZ, and you are trying to reach it from inside, then add following

nat (inside) 2 192.168.1.0 255.255.255.0

global (dmz) 2 x.x.x.x

HTH

R/Yusuf

wbartholomew · ‎06-25-2002

That works. It will NAT the inside to the DMZ but now, how do I NAT to the Outside from the DMZ?

sachin · ‎07-18-2002

see NATing from DMZ to outside will requires only if you want to access outside i.e. internet from DMZ interface.if u want to give access to ftp server on DMZ from outside then combination of static and access-list commands is absolutely fine.