Cisco Support Community
Community Member

FTP and DMZ

Below is the config for the PIX I'm working with. However, I can't connect to FTP from the inside when allowing the FTP ports, both TCP and UDP. However, when I allow all ports (i.e. permit IP any any) it works fine. What gives?

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

ip address outside 12.163.44.4 255.255.255.0

ip address inside 192.168.1.253 255.255.255.0

ip address dmz 10.0.0.1 255.255.255.0

global (outside) 1 12.163.44.250-12.163.44.253 netmask 255.255.255.0

global (outside) 1 12.163.44.254 netmask 255.255.255.255

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

static (dmz,outside) 12.163.44.102 wadetest netmask 255.255.255.255 0 0

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0

access-list 101 permit tcp any host wadetest eq ftp

access-list 101 permit tcp any host wadetest eq ftp-data

access-list 101 permit udp any host wadetest eq 20

access-list 101 permit udp any host wadetest eq 21

access-group 101 in interface outside

3 REPLIES
Cisco Employee

Re: FTP and DMZ

If your FTP server is on the DMZ, and you are trying to reach it from inside, then add the following:

nat (inside) 2 192.168.1.0 255.255.255.0

global (dmz) 2 x.x.x.x

HTH

R/Yusuf

Community Member

Re: FTP and DMZ

That works. It will NAT the inside to the DMZ but now, how do I NAT to the Outside from the DMZ?

Community Member

Re: FTP and DMZ

See, NATing from the DMZ to the outside is required only if you want to access the outside, i.e. the internet, from the DMZ interface. If you want to give access to the FTP server on the DMZ from outside, then the combination of static and access-list commands is absolutely fine.
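
An added example, not part of the thread and not Cisco tooling: a small Python audit that reads the nameif, nat, global and static lines quoted above and lists, for each higher-to-lower security interface pair, which nat/global id pairs and static entries provide a translation, with and without the two lines from the first reply. It parses only the line forms shown in this thread; the function and variable names are illustrative.

```python
import re
from collections import defaultdict

# Constructed input: the translation-related lines from the question.
CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
global (outside) 1 12.163.44.250-12.163.44.253 netmask 255.255.255.0
global (outside) 1 12.163.44.254 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz,outside) 12.163.44.102 wadetest netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
"""
# The two lines from the first reply; x.x.x.x is left as posted.
REPLY_LINES = """\
nat (inside) 2 192.168.1.0 255.255.255.0
global (dmz) 2 x.x.x.x
"""

def parse(config):
    """Collect security levels, nat ids, global ids and statics per interface."""
    levels, nats, globals_, statics = {}, defaultdict(set), defaultdict(set), []
    for line in config.splitlines():
        if m := re.match(r"nameif \S+ (\S+) security(\d+)", line):
            levels[m[1]] = int(m[2])
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nats[m[1]].add(int(m[2]))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            globals_[m[1]].add(int(m[2]))
        elif m := re.match(r"static \((\S+),(\S+)\) \S+ (\S+)", line):
            statics.append((m[1], m[2], m[3]))  # real if, mapped if, real address
    return levels, nats, globals_, statics

def translation_paths(config):
    """Map each (higher, lower) interface pair to the entries that translate it."""
    levels, nats, globals_, statics = parse(config)
    paths = {}
    for src in levels:
        for dst in levels:
            if levels[src] <= levels[dst]:
                continue  # only higher-to-lower security pairs are considered
            found = [f"nat/global {i}" for i in sorted(nats[src] & globals_[dst])]
            found += [f"static {real}" for s, d, real in statics if (s, d) == (src, dst)]
            paths[(src, dst)] = found
    return paths

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("with reply", CONFIG + REPLY_LINES)):
        for pair, found in translation_paths(cfg).items():
            print(label, pair, found or "no translation entry")
```

For dmz to outside the only entry reported is the static for wadetest, which lines up with the last reply: there is no dynamic nat/global pair from the DMZ to the outside in this config.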
