Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ftp client behind ASA 5520 accessing the ftp server

Dear all,

in one of my client site, i tried to access the ftp server hosted in USA from the internal network behind the ASA 5520. Please find below the script of the firewall.The internal ftp client is connected to the inside ISA server and the ISA server outside is connected to DMZ segment.

What do i need to know is that is there any access-list entries to be added in the ASA to make the ftp client to connect to the server that is outsde the ASA.

nat-control

global (outside) 2 interface

global (outside) 1 222.20.20.99

nat (inside) 1 172.16.16.12 255.255.255.255

nat (inside) 1 172.16.16.18 255.255.255.255

nat (inside) 1 172.16.16.200 255.255.255.255

nat (DMZ) 2 192.168.1.18 255.255.255.255

static (inside,outside) 222.20.20.100 172.16.16.18 netmask 255.255.255.255

access-group 111 in interface outside

access-list 111 extended permit tcp any host 222.20.20.100 eq smtp

access-list 111 extended permit tcp any host 222.20.20.100 eq www

access-list 111 extended permit tcp any host 222.20.20.100 eq https

access-list 111 extended permit icmp any any

note: here the address 192.168.1.18 is the address of ISA server outside interface.

4 REPLIES
New Member

Re: ftp client behind ASA 5520 accessing the ftp server

HI

Remember, by default all traffic will traverse from High sec level to low sec level, hence all outbound traffic is fine.. but return traffic needs to be allowed..

hence your FTP initiations will go through from inside but the replies to finalise the setup of the connection will fail since there is no access-list allowing the replies..

Im guessing 222.20.20.100 is your extenal ISA.

i dont get why inside ISA is goin directly outside when you have an ISA in DMZ... i would have thought that Inside ISA will talk to Outside ISA , hence the extra ISA . as security .. which would mean u dont pat anything inside to outside.. just inside to DMZ .. and DMZ to outside..

anways..

I would recommend you try adding this

access-list 111 extended permit tcp any host 222.20.20.100 eq ftp..

but this would allow ftp accces to the outside ISA only..

if u realise . all the ACLs u added are applied only for the external ISA..

so am not sure if ur inside hosts anything will work fine unless you configure internal ISA to route to external ISA.. in which case i dont see access list for DMZ...

i guess you have your own ideas abt the ASA implementation.. i recommend you play with the ACL to allow FTP and make sure you have

Inspect FTP in your default Policy Map. make sure this is there first..

all the best

Vic

Re: ftp client behind ASA 5520 accessing the ftp server

Hi .. You don't need to allow incoming traffic in response to an outgoing call from an higher interface as the PIX and ASA keeps track on the connection on its statefull table. Agree about the inspect portion ( fixup on Pix before version 7.0 ) has to define ftp kn order for it to work accordingly

Re: ftp client behind ASA 5520 accessing the ftp server

is there any access-list applied to the DMZ interface ..?

New Member

Re: ftp client behind ASA 5520 accessing the ftp server

Dear Fernando,

I am sorry for the delay in responding because I had been away on project

There is no access-list applied in DMZ.

ftp access is fine from ISA server itself but failed from inside the ISA i.e inside network access to FTP.

Could you explain once again about FIXUP command.

Thanks

swamy

193
Views
10
Helpful
4
Replies