topic NATing to an FTP on DMZ in Network Security

NATing to an FTP on DMZ

Betterware — Mon, 11 Mar 2019 21:11:48 GMT

Please please please can someone help. I have an FTP server running on my DMZ. I can access it fine from another computer on the DMZ and am trying to open it up so I can conect via the 'net. After spending hours with google I have got as far as the following, but am out of ideas on how to progress.

ASDM 6.2

ASA 8.2

I have setup

Network objectName: FTPServer

IP: 192.168.2.10

Netmask: 255.255.255.255

Access rule

Interface: Outside

Source: any

Destination: FTPServer

Service tcp/ftp, tcp/ftp-data

Static NAT rule

Orij. Interface: DMZ

Orig. Source: FTPServer

Trans. Interface: Outside

Using interface IP Address

PAT Enabled

Orij. port 21

Trans port 21

Thankyou!

NATing to an FTP on DMZ

Anu M Chacko — Mon, 15 Aug 2011 14:30:41 GMT

Hi Carlos,

Could you check if "inspect ftp" is enabled on the firewall or not? It would be good if you could post the output of "sh run" here.

Let me know.

Regards,

Anu

NATing to an FTP on DMZ

Betterware — Mon, 15 Aug 2011 14:47:53 GMT

Thankyou, Amu for helping me. According to the sh run output ftp inspect is on.

Result of the command: "sh run"

: Saved

ASA Version 8.2(1)

hostname ciscoasa

domain-name default.domain.invalid

enable password qvxoIOSQ42Tst4.8 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.2.10 FTPServer description FTPServer

interface Vlan1

no forward interface Vlan3

nameif inside

security-level 100

ip address 200.0.0.206 255.255.255.0

ospf cost 10

interface Vlan2

nameif outside

security-level 0

ip address ##.##.##.## 255.255.255.252

ospf cost 10

interface Vlan3

nameif DMZ

security-level 5

ip address 192.168.2.1 255.255.255.0

interface Ethernet0/0

switchport access vlan 2

speed 100

duplex full

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

switchport access vlan 3

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server ##.##.##.##

domain-name default.domain.invalid

dns server-group ####

name-server ##.##.##.##

same-security-traffic permit inter-interface

object-group icmp-type DM_INLINE_ICMP_1

icmp-object echo

icmp-object echo-reply

icmp-object time-exceeded

icmp-object unreachable

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

access-list inside_access_in remark ip out

access-list inside_access_in extended permit ip any any log disable

access-list inside_access_in remark http out

access-list inside_access_in extended permit tcp any any eq www log disable

access-list inside_access_in remark out to https

access-list inside_access_in extended permit tcp any any eq https log disable

access-list inside_access_in remark ping out

access-list inside_access_in extended permit icmp any any log disable

access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1

access-list outside_access_in extended permit tcp any host FTPServer object-group DM_INLINE_TCP_1

access-list DMZ_access_in remark http out

access-list DMZ_access_in extended permit tcp any any eq www log disable

access-list DMZ_access_in remark ip out

access-list DMZ_access_in extended permit ip any any log disable

access-list DMZ_access_in remark ping out

access-list DMZ_access_in extended permit icmp any any log disable

access-list DMZ_access_in remark out to https

access-list DMZ_access_in extended permit tcp any any eq https log disable

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZ) 1 192.168.2.0 255.255.255.0

static (DMZ,outside) tcp interface ftp FTPServer ftp netmask 255.255.255.255

static (outside,DMZ) tcp FTPServer ftp 0.0.0.0 ftp netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 ##.##.##.##1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 200.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username admin password jbNBXUKHa1JUjwuD encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect ftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:f1ba46587fbf7c5c2e8c587b807f1227

: end

NATing to an FTP on DMZ

varrao — Mon, 15 Aug 2011 15:17:19 GMT

Hi Carlos,

I am not sure why you have this configuration:

static (outside,DMZ) tcp FTPServer ftp 0.0.0.0 ftp netmask 255.255.255.255

But you don't need this nat, so you can get rid of it and try again.

Thanks,

Varun

NATing to an FTP on DMZ

Betterware — Mon, 15 Aug 2011 15:41:42 GMT

Thanks Varun, that entry is history! Still now joy after testing again though.

NATing to an FTP on DMZ

Anu M Chacko — Mon, 15 Aug 2011 17:25:46 GMT

Hi Carlos,

Could you try removing "inspect ftp" and test?

Let me know.

Regards,

Anu

NATing to an FTP on DMZ

varrao — Mon, 15 Aug 2011 17:40:44 GMT

Carlos,

What type of ftp are you setting up???, is it active or passive??

Active FTP: client connects to server on port 21. Server uses port 20 to transfer data back to client.

Passive FTP: client connects to server on port 21. Server tells the client a port > 1024 to use for the data transfer. Client then makes a 2nd connection from its >1024 ports to the server > 1024 ports. In this scenario, the client does all the work, server does nothing.

There would be different config for both.

-Varun

NATing to an FTP on DMZ

Betterware — Tue, 16 Aug 2011 08:11:42 GMT

Thank you both...

Anu,

I have removed FTP inspect (relevent [sh run] output below) and tested again, no joy.

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

Varun,

I am using Filezilla Server here, and the passive modes are set to default. I'm under the impression that PASV is the way forwards but am open to suggestions of course.

Thanks again

NATing to an FTP on DMZ

Betterware — Tue, 16 Aug 2011 10:12:29 GMT

Anu

Quick update- removing inspect ftp trashed our usual batch file ftp communications, so this has been re-enabled and they work again.