
Allowing FTP through firewall to internal ftp server.

Emil Hz
Level 1

Hey all, I have been trying to figure this out today, but I have not gotten any further. I am a complete newbie to using the ASA firewall.

On one of our virtual servers in the company, I have set up an FTP server with IIS. I can access it by going through ftp://internal-ip-of-the-server.

I am trying to set up the firewall to allow outside connections to access the FTP server on the virtual server, but without luck. Every time I come across a question and an answer on this site (and I have been through a lot), there are long config files that I have no idea what to do with.

I am connecting to the firewall with ASDM.

ASA Version 9.1(2)

ASDM Version 7.1(3)

Device Type ASA 5515

I followed this guide, but I still cannot access the FTP server.

http://www.petenetlive.com/KB/Article/0000772

Again very sorry for my noobish question, I am, as I mentioned, VERY new to this.

Thank you so much for your answers in advance, any help is greatly appreciated.

6 Replies

Luke Oxley
Level 1
[@ech@eaea.dk],

Thanks for your post - not to worry, the ASA is a complicated piece of equipment. I will get this sorted for you.
What you need to achieve public access to your internal FTP server is a NAT statement and an access control list permitting the traffic. Potentially as little as two lines of configuration, that easy.
I would recommend that you revert any changes you've made on the ASA thus far so we can start afresh. Please let me know what version of ASA your appliance is running, the IP address of the internal FTP server and post a sanitised configuration up. I'll write up and tailor the needed commands to your environment and explain them in detail for you.
I look forward to hearing back.

Kind regards,
Luke


Please rate helpful posts and mark correct answers.

Hello Luke, thank you so much for taking your time to help me, it is greatly appreciated.

I have reverted the changes I made following the guide, however there are still a lot of user-made configurations on the firewall, from the previous IT guy.

The ASA is version 9.1(2), or that's what it says in the ASDM.

The IP of the internal FTP server is 192.168.15.5, the firewall is at 192.168.15.1.

I would like to post the config file, but I can't for the life of me figure out how to locate it.

Again thank you so much for wanting to help me, I spent way too much time yesterday trying to make it work.

Best

Hey [@ech@eaea.dk],

Apologies for the late response. It's my pleasure to help you. To get the configuration file, you'll need to SSH to the ASA, log in and then enter privileged exec mode, otherwise known as enable. At the CLI prompt, run the command "show run", then copy and paste the output that it prints into this forum. Please be sure to omit any passwords or other sensitive data.
This will give me a full view of how your environment hangs together. I will be able to write the correct configuration you need to get this working for you.
I look forward to hearing back.

Kind regards,
Luke


Please rate helpful posts and mark correct answers.

Hello Luke, again thanks for wanting to help me, I am now back in the office.

I couldn't access the ASA through SSH, but I went into the ASDM>Tools>Command Line Interface and ran the 'show run' command.

Here is the result, I have omitted encrypted passwords and IP addresses.

Result of the command: "show run";

Will I need to add something to the config? Or can I run commands to add something through the command line?

Best

In addition to the other post, I have referred to the ports 5000-5100 in the IIS for passive connections from the external firewall.
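
A sketch of the NAT statement and access rule described earlier in the thread, in ASA 9.1 syntax, added here as an example and not configuration posted by anyone in the thread. The interface names `inside` and `outside`, the object name `FTP-SERVER` and the ACL name `OUTSIDE-IN` are assumptions; 192.168.15.5 is the server address given above.

```cisco
! Added example. Assumed names: interfaces "inside" and "outside",
! object FTP-SERVER, access list OUTSIDE-IN.
!
! 1. Object for the internal FTP server, with static PAT that forwards
!    TCP/21 arriving on the outside interface address to TCP/21 on the server.
object network FTP-SERVER
 host 192.168.15.5
 nat (inside,outside) static interface service tcp ftp ftp
!
! 2. Permit the FTP control connection. From 8.3 onward the ACL matches the
!    real (internal) address, so the rule references the object itself.
!    Replace "any" with the client networks that need access where known.
access-list OUTSIDE-IN extended permit tcp any object FTP-SERVER eq ftp
!
! 3. Bind the ACL inbound on the outside interface. An interface takes one
!    inbound ACL: if "show run access-group" already lists one for outside,
!    add the permit line to that existing ACL and skip this command,
!    otherwise the existing binding is replaced.
access-group OUTSIDE-IN in interface outside
!
! 4. FTP inspection rewrites the address in the server's PASV reply and opens
!    the data connection dynamically, so the passive range (5000-5100 above)
!    needs no NAT or ACL entry of its own for plain FTP. Inspection cannot
!    read an encrypted control channel, so this does not hold for FTPS.
policy-map global_policy
 class inspection_default
  inspect ftp
```

`show run nat`, `show run access-group` and `show service-policy inspect ftp` confirm each piece is in place, and `packet-tracer input outside tcp <client-ip> <source-port> <outside-ip> 21` shows which NAT and ACL rules a test connection would hit.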

Hi Luke. 

I am running an ASA 5505 V8.2 

I need to allow FTP access to my FTP in the DMZ from the outside network.
