Cisco Support Community

New Member

FTP configuration for ASA

I have a public IP address A.B.C.D for FTP. I want to place my FTP server in the DMZ. I have configured the ASA with the following configuration.

static (DMZ,outside) A.B.C.D netmask

access-list ftpserver extended permit tcp any host A.B.C.D eq ftp

access-group webserver in interface outside

global (outside) 1 interface

global (DMZ) 1 interface

nat (inside) 1 0 0

The problem with the above configuration is that my inside hosts communicate with the FTP server, but hosts on the internet are not communicating with the live IP address. Please help me in this regard.

New Member

Re: FTP configuration for ASA

Hi, I do not see ACL "ftpserver" mapped to outside interface which should be like

access-group ftpserver in interface outside
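
The mismatch pointed out in this reply can be caught with an offline check. The following is an added example, not part of the original thread and not a Cisco tool: it parses ASA-style configuration text and reports `access-group` lines that name an ACL that was never defined, and ACLs that are defined but never applied with `access-group`. The function name is an assumption, and the sample text is constructed from the first post's configuration.

```python
import re

# Constructed sample: the configuration lines from the first post, as posted.
SAMPLE_CONFIG = """\
static (DMZ,outside) A.B.C.D netmask
access-list ftpserver extended permit tcp any host A.B.C.D eq ftp
access-group webserver in interface outside
global (outside) 1 interface
global (DMZ) 1 interface
nat (inside) 1 0 0
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+", re.IGNORECASE)
GROUP_RE = re.compile(
    r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)", re.IGNORECASE
)

def audit_acl_bindings(config_text):
    """Return (dangling, unbound) for ASA-style configuration text.

    dangling: (acl, direction, interface) for each access-group line whose
              ACL name has no access-list entry in the text.
    unbound:  sorted ACL names that are defined but never applied by an
              access-group line. An ACL may still be used elsewhere (NAT,
              class-map), so treat this as a prompt to review, not an error.
    """
    defined, bound = set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            defined.add(m.group(1))  # ACL names are compared case-sensitively
            continue
        m = GROUP_RE.match(line)
        if m:
            bound.append((m.group(1), m.group(2).lower(), m.group(3)))
    dangling = [b for b in bound if b[0] not in defined]
    unbound = sorted(defined - {b[0] for b in bound})
    return dangling, unbound

if __name__ == "__main__":
    dangling, unbound = audit_acl_bindings(SAMPLE_CONFIG)
    for acl, direction, iface in dangling:
        print(f"access-group on {iface} ({direction}) references undefined ACL {acl!r}")
    for acl in unbound:
        print(f"ACL {acl!r} is defined but not applied to any interface")
```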


New Member

Re: FTP configuration for ASA

I'd also suggest that outside to DMZ ACL be made with name "Outside_access_in" and this be mapped to outside interface like

access-group Outside_access_in in interface Outside

This should help you keep adding firewall rules for Outside-DMZ traffic while the ACL remains mapped to Outside interface.

New Member

Re: FTP configuration for ASA

I have configured FTP as per the above instructions.

Now the problem is that my inside hosts access FTP with the private IP address of the DMZ, and if I want them to access it with the public address, they will not. Any other hosts on the internet are accessing FTP with the public IP address, but not the inside hosts.

Re: FTP configuration for ASA

Of course the inside host can't access the FTP through the public address, because it is establishing the connection from the inside,

and the NAT statement you have maps the public address for the DMZ network only.

New Member

Re: FTP configuration for ASA

How should I do this?

Please help me.


Re: FTP configuration for ASA

Why do you want the inside users to use the public IP while they can reach it through the private one?

New Member

Re: FTP configuration for ASA


I just want to check if the FTP server is working from outside or not.

Re: FTP configuration for ASA

OK, use any outside connection, like an internet cafe or mobile,

because if you don't need it, you don't need to put yourself in a complex issue; this thing is a bit complex.

To make sure your config is good, you need to have

static (dmz, outside) a.a.a.a b.b.b.b netmask


static (dmz, outside) tcp a.a.a.a ftp b.b.b.b ftp netmask

where a.a.a.a is the public IP

access-list 100 permit tcp any host a.a.a.a eq ftp

access-group 100 in interface outside

Also make sure you have the FTP inspection enabled on the default inspection policy.

good luck

if helpful Rate