11-30-2010 12:00 PM - edited 03-11-2019 12:16 PM
Noob here. I want to allow an ftp site for our users. I know how to do it via ASDM but have been wanting to use CLI. Looked online but haven't been able to find what I'm looking for.
Labels: NGFW Firewalls
Accepted Solutions
11-30-2010 12:21 PM
Hi,
To allow FTP traffic you need a static NAT rule to allow access to the FTP server and an ACL allowing the ports.
i.e.
Let's say your internal FTP is 10.1.1.1 and the public IP will be 200.1.1.1
So, you require a static translation rule (ASDM or CLI) and an ACL permitting FTP from any source to the public IP.
If you want to do it via CLI you can post the following:
sh run static
sh run access-group
sh run access-list NAME --> change NAME for the name of the ACL applied to the outside interface
Federico.
12-02-2010 01:02 PM
hi,
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html
12-02-2010 11:50 AM
Thanx
12-02-2010 11:56 AM
What is the IP of the FTP server behind the ASA?
Adding to the list you will need:
static (in,out) tcp PUBLIC_IP 21 PRIVATE_IP 21
access-list outside_access_in permit tcp any host PUBLIC_IP eq 21
Federico.
12-02-2010 12:29 PM
We don't have FTP server. This is for ftp sites that we need to access. For example thru ASDM to allow access to an FTP site I would go to Configuration>Firewall>Objects>Network Objects/Groups> and I'll add the IP and name.
See attached.
12-02-2010 12:58 PM
If it's to allow outbound FTP access to an external server, you should add the IP of the server to the object-group.
If from an internal computer you try to connect to this new FTP server what happens?
Can you reach it via telnet x.x.x.x 2?
Federico.
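The outbound case discussed above, written out as a CLI sketch. This is an added example, not part of the original thread or of Cisco's documentation; it assumes ASA 8.2-style syntax, and the object-group name FTP_SITES, the ACL name inside_access_in, the interface name inside, the client 10.1.1.50 and the placeholder FTP site 198.51.100.10 are all hypothetical.

```cisco
! Added example. All names and addresses below are assumptions:
! object-group FTP_SITES, ACL inside_access_in, interface "inside",
! client 10.1.1.50, and 198.51.100.10 as a placeholder FTP site.

! 1. Group the external FTP servers that users are allowed to reach.
object-group network FTP_SITES
 description External FTP sites approved for outbound access
 network-object host 198.51.100.10

! 2. Permit only the FTP control channel (tcp/21) to that group.
!    An ACL ends with an implicit deny, so once it is applied to the
!    inside interface, other outbound traffic needs its own permit lines.
access-list inside_access_in extended permit tcp any object-group FTP_SITES eq ftp
access-group inside_access_in in interface inside

! 3. Keep FTP inspection enabled so the data channel is opened
!    dynamically instead of permitting wide port ranges in the ACL.
policy-map global_policy
 class inspection_default
  inspect ftp
end

! 4. Verify the group, the ACL hit counters, and the path of a test flow.
show run object-group
show access-list inside_access_in
packet-tracer input inside tcp 10.1.1.50 1025 198.51.100.10 21
```

Allowing another site later only needs one more network-object line under the same object-group; the ACL does not change.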
12-03-2010 09:43 AM
Thanx for your help guys. That doc looks like what I am looking for.
