https://community.cisco.com/t5/network-security/ftp/m-p/1599523#M591925 <HTML><HEAD></HEAD><BODY><P>I can get to the FTP Internally, I can ping the FTP from the ASA.&nbsp; I can't get the external IP to hit the internal via the internet.&nbsp; This one is bugging me.&nbsp; I run a packet trace from the External IP to the ASA and the packet succeeds.&nbsp; The Gateway of the FTP is the ASA IP.&nbsp; The services are running because I can get the FTP site in the DMZ zone.&nbsp; Any othe ideas?</P></BODY></HTML> Mon, 14 Feb 2011 16:48:19 GMT Lewis_Cipher 2011-02-14T16:48:19Z https://community.cisco.com/t5/network-security/ftp/m-p/1599513#M591894 <P> I am trying to NAT my FTP to the outside.&nbsp; I can't get to that IP.&nbsp; Am I missing something?&nbsp; I have FTP allowed in access rules. </P><P></P><P>For NAT</P><P></P><P>static NAT</P><P></P><P>inside&nbsp; - to the internal IP</P><P>Outside - external IP</P><P></P><P>I can ping the server from firewall internally.&nbsp; What else can I do to test?</P> Mon, 11 Mar 2019 19:49:37 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599513#M591894 Lewis_Cipher 2019-03-11T19:49:37Z https://community.cisco.com/t5/network-security/ftp/m-p/1599514#M591897 <HTML><HEAD></HEAD><BODY><P>are you trying a static NAT for your FTP server?</P><P></P><P>For example:</P><P>FTP 192.168.1.10</P><P></P><P>NATed IP 66.12.66.10</P><P></P><P>stat (inside,outside) 66.12.66.10 192.168.1.10</P><P></P><P>Is that what you are trying?</P></BODY></HTML> Fri, 11 Feb 2011 16:17:27 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599514#M591897 PAUL GILBERT ARIAS 2011-02-11T16:17:27Z https://community.cisco.com/t5/network-security/ftp/m-p/1599515#M591902 <HTML><HEAD></HEAD><BODY><P>yes, do I have all the info correct?</P></BODY></HTML> Fri, 11 Feb 2011 16:44:38 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599515#M591902 Lewis_Cipher 2011-02-11T16:44:38Z https://community.cisco.com/t5/network-security/ftp/m-p/1599516#M591907 <HTML><HEAD></HEAD><BODY><P>if you have a similar static NAT it seems correct. Are there any ACLs on the inside interface that could prevent the traffic from going out. Is the NATed IP on your range of outside IPs?</P><P></P><P>If you can send the config it would be great.</P></BODY></HTML> Fri, 11 Feb 2011 16:52:06 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599516#M591907 PAUL GILBERT ARIAS 2011-02-11T16:52:06Z https://community.cisco.com/t5/network-security/ftp/m-p/1599517#M591910 <HTML><HEAD></HEAD><BODY><P>sent via private message....</P></BODY></HTML> Fri, 11 Feb 2011 18:11:16 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599517#M591910 Lewis_Cipher 2011-02-11T18:11:16Z https://community.cisco.com/t5/network-security/ftp/m-p/1599518#M591915 <HTML><HEAD></HEAD><BODY><P>thanks for the config. If you are trying to allow FTP traffic from the outside to the inside it won't work since you are denying the traffic in the first two lines of your access-l outside_access_in.</P><P></P><P>Is this the test that you are trying? FTP to the SGA_Website_NAT address coming from the outside? </P><TITLE></TITLE></BODY></HTML> Fri, 11 Feb 2011 19:32:04 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599518#M591915 PAUL GILBERT ARIAS 2011-02-11T19:32:04Z https://community.cisco.com/t5/network-security/ftp/m-p/1599519#M591918 <HTML><HEAD></HEAD><BODY><P>Hey Paul,</P><P></P><P>The Deny is on purpose unti l can get it to work I have it on deny.&nbsp; Yes the NAT is SGA_Website_NAT.&nbsp; It is called website becasue we got rid of that and I changed the nat for our FTP server now.&nbsp; I can get to the website internally, but not externally, when I try the NAT ip address on the outside...</P></BODY></HTML> Fri, 11 Feb 2011 20:39:12 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599519#M591918 Lewis_Cipher 2011-02-11T20:39:12Z https://community.cisco.com/t5/network-security/ftp/m-p/1599520#M591920 <HTML><HEAD></HEAD><BODY><P>do you see hitcounts on the ACL after the testing? If there are not hitcounts that means that the traffic is not getting to your ASA. </P></BODY></HTML> Fri, 11 Feb 2011 20:44:16 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599520#M591920 PAUL GILBERT ARIAS 2011-02-11T20:44:16Z https://community.cisco.com/t5/network-security/ftp/m-p/1599521#M591922 <HTML><HEAD></HEAD><BODY><P>It is weird becasue I do see hit counts, but can't get to address.</P></BODY></HTML> Fri, 11 Feb 2011 21:22:22 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599521#M591922 Lewis_Cipher 2011-02-11T21:22:22Z https://community.cisco.com/t5/network-security/ftp/m-p/1599522#M591923 <HTML><HEAD></HEAD><BODY><P>Your FTP server has a default gateway? It should be your ASA 10.1.101.1. Make sure the FTP service is up.</P><TITLE></TITLE></BODY></HTML> Fri, 11 Feb 2011 21:29:57 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599522#M591923 PAUL GILBERT ARIAS 2011-02-11T21:29:57Z https://community.cisco.com/t5/network-security/ftp/m-p/1599523#M591925 <HTML><HEAD></HEAD><BODY><P>I can get to the FTP Internally, I can ping the FTP from the ASA.&nbsp; I can't get the external IP to hit the internal via the internet.&nbsp; This one is bugging me.&nbsp; I run a packet trace from the External IP to the ASA and the packet succeeds.&nbsp; The Gateway of the FTP is the ASA IP.&nbsp; The services are running because I can get the FTP site in the DMZ zone.&nbsp; Any othe ideas?</P></BODY></HTML> Mon, 14 Feb 2011 16:48:19 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599523#M591925 Lewis_Cipher 2011-02-14T16:48:19Z https://community.cisco.com/t5/network-security/ftp/m-p/1599524#M591926 <HTML><HEAD></HEAD><BODY><P>do you have any other filtering device such as an IPS?</P><P></P><P>We could set some captures on the ASA inside interface to see if the packet returns to the ASA and how it returns.</P></BODY></HTML> Mon, 14 Feb 2011 16:54:34 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599524#M591926 PAUL GILBERT ARIAS 2011-02-14T16:54:34Z https://community.cisco.com/t5/network-security/ftp/m-p/1599525#M591927 <HTML><HEAD></HEAD><BODY><P>I am getting a failure when packet tracing from ASA to the FTP server on inside interface.&nbsp; Do I need to allow this internally...&nbsp; Any Less secure networks are allowed IP...</P></BODY></HTML> Mon, 14 Feb 2011 17:07:57 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599525#M591927 Lewis_Cipher 2011-02-14T17:07:57Z https://community.cisco.com/t5/network-security/ftp/m-p/1599526#M591928 <HTML><HEAD></HEAD><BODY><P>No IPS</P></BODY></HTML> Mon, 14 Feb 2011 17:09:53 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599526#M591928 Lewis_Cipher 2011-02-14T17:09:53Z https://community.cisco.com/t5/network-security/ftp/m-p/1599527#M591929 <HTML><HEAD></HEAD><BODY><P>I am checking to see if the Router is open to FTP... I will post back back in a few.</P></BODY></HTML> Mon, 14 Feb 2011 20:54:57 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599527#M591929 Lewis_Cipher 2011-02-14T20:54:57Z https://community.cisco.com/t5/network-security/ftp/m-p/1599528#M591930 <HTML><HEAD></HEAD><BODY><P><TITLE></TITLE></P><P class="p1">if the traffic is coming from outside to inside you just need the ACLs on the outside. Also make sure you have the inspect ftp on your policy map</P><P></P></BODY></HTML> Mon, 14 Feb 2011 20:59:33 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599528#M591930 PAUL GILBERT ARIAS 2011-02-14T20:59:33Z https://community.cisco.com/t5/network-security/ftp/m-p/1599529#M591931 <HTML><HEAD></HEAD><BODY><P>Inspect FTP on Policy Map?</P></BODY></HTML> Tue, 15 Feb 2011 15:21:28 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599529#M591931 Lewis_Cipher 2011-02-15T15:21:28Z https://community.cisco.com/t5/network-security/ftp/m-p/1599530#M591932 <HTML><HEAD></HEAD><BODY><P>yes, for example:</P><P></P><P></P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P><SPAN style="color: #ff0000;">&nbsp; inspect ftp </SPAN></P><P>!</P><P></P><P>service-policy global_policy global</P><DIV> </DIV><P></P><P></P><DIV> </DIV><P></P></BODY></HTML> Tue, 15 Feb 2011 15:25:19 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599530#M591932 PAUL GILBERT ARIAS 2011-02-15T15:25:19Z https://community.cisco.com/t5/network-security/ftp/m-p/1599531#M591933 <HTML><HEAD></HEAD><BODY><P>Lewis,</P><P></P><P>Are you using ports 20 and 21 for FTP?</P><P></P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml">http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807ee585.shtml</A></P></BODY></HTML> Tue, 15 Feb 2011 16:57:09 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599531#M591933 ciscona728 2011-02-15T16:57:09Z https://community.cisco.com/t5/network-security/ftp/m-p/1599532#M591934 <HTML><HEAD></HEAD><BODY><DIV class="results"><P class="error">FTP test I get this error????</P><P class="error"></P><P class="error">Error: FEAT response lines must begin with a single space character</P></DIV></BODY></HTML> Wed, 16 Feb 2011 14:40:11 GMT https://community.cisco.com/t5/network-security/ftp/m-p/1599532#M591934 Lewis_Cipher 2011-02-16T14:40:11Z