Firewall FTP Problem

wasiimcisco — Mon, 11 Mar 2019 17:06:28 GMT

i have firewall ASA 8.0(4). My FTP server is located in DMZ side and one FTP server is located on inside network.

172.16.11.0 DMZ

192.168.80.0 Inside

From DMZ I can do the FTP and everything but from inside I am not able to do the FTP to DMZ server. Though Ping and remote

desktop i can do.

Below is the configuration of my firewall.

interface GigabitEthernet0/1
mac-address 000c.f542.4abc standby 020c.f542.4abc
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.224 standby 192.168.0.2
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3.1
mac-address 000c.f342.4abc standby 020c.f342.4abc
nameif serverdmz
security-level 90
ip address 172.16.11.1 255.255.255.0 standby 172.16.11.5

access-list acl-in extended permit ip host 192.168.80.89 any

static (inside,serverdmz) 192.168.80.89 192.168.80.89 netmask 255.255.255.255

access-list acl-serverdmz extended permit ip host 172.16.11.108 any

access-list aclnat_serverdmz extended permit ip any 172.16.11.0 255.255.255.0

nat (inside) 2 access-list aclnat_cards
nat (inside) 3 access-list aclnat_serverdmz
nat (inside) 1 0.0.0.0 0.0.0.0
nat (serverdmz) 1 172.16.11.0 255.255.255.0

global (partners) 1 172.16.15.253 netmask 255.255.255.255
global (serverdmz) 1 172.16.11.254
global (serverdmz) 3 interface
global (cardsdmz) 2 interface

ENOCDC-FW01/Rack1# show conn address 172.16.11.108
1933 in use, 15723 most used
TCP serverdmz 172.16.11.108:3389 inside 192.168.80.89:2367, idle 0:00:31, bytes 1798427, flags UIO

from dmz to inside everything is working fine but from inside I am not able to do the FTP on DMZ server. though the FTP server is working fine locally.

Please help me out how to find a solution for this.

Re: Firewall FTP Problem

sachinraja — Tue, 09 Feb 2010 16:52:12 GMT

Hi Wasim

Is 172.16.11.108 the FTP server in DMZ ? Are you accessing it from 192.168.80.89 or any other PC from the inside network 192.168.80.0/24 ? I see the ACL

access-list acl-in extended permit ip host 192.168.80.89 any

This will allow only traffic from 192.168.80.89 to go from inside interface.. If you are trying to FTP from any other IP you might need to add another ACL similar to the one below

access-list acl-in extended permit tcp 192.168.80.0 255.255.255.0 host 172.16.11.108 eq ftp

or you can probably allow ip from 192.168.80.0/24 to 172.16.11.108 (for testing)

You might also need to build a static entry for the FTP server to inside , just as the way you did for the inside FTP server

static (serverdmz,inside) 172.16.11.108 172.16.11.108 netmask 255.255.255.255

or you can also define a nat 0 for traffic going from inside network 192.168.80.0/24 to the DMZ segment

nat (inside) 0 access-list 111

access-list 111 permit ip 192.168.80.0 0.0.0.255 172.16.11.0 0.0.0.255

You would be able to access the FTP server once you make these changes

Hope this helps.. all the best

Raj

topic Re: Firewall FTP Problem in Network Security

Firewall FTP Problem

Re: Firewall FTP Problem