ASA 5505 dmz nat problem

lauri.ilves
Level 1

Hi,

I have a CentOS 5.7 VSFTP server behind a Cisco ASA 5505 (dmz network) which is doing NAT. Clients outside the firewall cannot access the server with passive FTP. They initiate an FTP session and as soon as the FTP client issues the PASV command, their connection is dropped because my VSFTP server responds with the private IP (10.101.101.10) of the server, not the public IP. This behaviour only occurs with the newer 8.3x and 8.4x boot images; 8.2x is working fine and VSFTP always responds with the public IP!

The CentOS server has the ip_conntrack_ftp kernel module loaded, so that part is working OK.

Here is 8.2x nat rule:

static (dmz,outside) 109.204.x.x 10.101.101.10 netmask 255.255.255.255

Here is the 8.3x/8.4x NAT rule:

object network dmz_ftpserver
 host 10.101.101.10
 nat (dmz,outside) static 109.204.x.x

Access rule:

access-list outside_access_in extended permit tcp any object dmz_ftpserver eq ftp

It doesn't make a difference even if I open all ports (IP).

This passive FTP problem is really strange, because NAT is otherwise working fine when I test other protocols?!?

Can anyone help me please? I'm really stuck with this problem!

lauri.ilves
Level 1

I solved the problem myself, now it's working! I found this Cisco document:

"Getting Started With Application Layer Protocol Inspection"

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/inspect_overview.html

I'm still wondering why I have to make these configurations with the 8.3x and 8.4x boot images. 8.2x and previous boot images "worked out of the box"; I have never had to make these configurations before.

Can you tell me the config that you added???

Thanks,

Varun

Thanks,
Varun Rao

class-map inspection_default
 match default-inspection-traffic
class-map new_inspection
 match access-list ftp_inspect
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map ftp
 class class-default
  inspect ftp
!
service-policy global_policy global
service-policy ftp interface dmz
access-list ftp_inspect extended permit tcp any any eq ftp

I also added those other inspect definitions even though only "ftp" is necessary. Please read the configuration guide: http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/inspect_overview.html
