ASA 5510 DMZ Nat question

gtorresjr77
Level 1

Hi All,

First time posting.

So my goal is to have an FTP server on the DMZ and be able to access it using the outside interface (which is currently just configured as 10.2.2.2). I tried adding the NAT rule using ASDM and the CLI, but it won't take. What am I missing that I can't NAT?

static (dmz, outside) tcp interface 21 172.20.10.5 21 netmask 255.255.255.255 tcp 0 0 udp 0

Here is the current config:

Thanks

ASA Version 8.2(1)
!
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no ip address
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif inside1
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 3
 nameif inside3
 security-level 100
 ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.20.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group network inside-subnet
 network-object 10.20.10.0 255.255.255.0
 network-object 10.40.10.0 255.255.255.0
object-group network FTPServer
 network-object 172.20.10.5 255.255.255.255
object-group network FTPServer-External
 network-object 10.2.2.2 255.255.255.255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
mtu inside1 1500
mtu inside3 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 1 10.2.2.2
nat (dmz) 1 172.20.10.0 255.255.255.0
nat (inside1) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

OK, thanks for that info.

Hi,

I at least find it a bit misleading when the Correct Answers marked in the discussion actually have nothing to do with the actual solution to the problem.

Usually you would mark the replies that answer your question/solve your problem with the "Correct Answer", which in this case would have been some earlier replies of Julio or Jumora probably. That is, if you got everything working?

- Jouni

So the issue came up again where I cannot access the FTP server 172.20.10.5 on the DMZ from the 10.20.10.0 network. It was working, then I moved equipment and it did not come up again once powered back on. The outside network will only access the FTP port on the IP of the outside interface.

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
 vlan 3
 nameif inside3
 security-level 50
 ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.20.10.1 255.255.255.0
!
!
boot system disk0:/asa821-k8.bin
ftp mode passive
object-group network inside-subnet
 network-object 10.20.10.0 255.255.255.0
object-group network FTPServer
 network-object 172.20.10.5 255.255.255.255
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp timestamp-reply
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object icmp echo-reply
access-list outside_access_in extended permit tcp any object-group FTPServer eq ftp
access-list outside_access_in extended permit icmp any 10.20.10.0 255.255.255.0 echo-reply
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 172.20.10.0 255.255.255.0 10.20.10.0 255.255.255.0
global (outside) 1
nat (inside) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
nat (dmz) 1 172.20.10.0 255.255.255.0
static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255
static (dmz,inside) 172.20.10.5 172.20.10.5 netmask 255.255.255.255
static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
access-group outside_access_in in interface outside

Quick question... The switch, is it a layer 3 device, meaning, is it routing traffic, and do these two VLANs have interfaces configured on the switch?

Value our effort and rate the assistance!

Routing is turned off on the switch. I have the FTP TeraStation plugged into port 43 and ASA Eth0/2 plugged into port 44.

!
interface GigabitEthernet0/43
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/44
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3
 switchport mode trunk
!
interface GigabitEthernet0/49
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
 ip address 10.20.10.254 255.255.255.0
 no ip route-cache
!
interface Vlan2
 description Voice Vlan
 no ip address
 no ip route-cache
!
interface Vlan3
 description Guest Vlan
 ip address 10.40.20.2 255.255.255.0
 no ip route-cache
!
interface Vlan4
 description DMZ Vlan
 ip address 172.20.10.2 255.255.255.0
 no ip route-cache

Please run show ip route on the switch.

Value our effort and rate the assistance!

OCSW1#show ip route
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

How are you trying to access the server, via IP or via domain?

Change the following and it should start working:

interface Ethernet0/2
 nameif dmz
 security-level 49
global (dmz) 1 interface

Value our effort and rate the assistance!
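As an added example (not code from this thread or from Cisco), the following Python script pulls out of an ASA 8.2 configuration the three things the replies keep circling around: whether a static/global that uses the interface keyword points at an interface that actually has an IP address (the first post's outside interface shows "no ip address" while the proposed static uses "interface"), which named interfaces sit at the same security-level without "same-security-traffic permit inter-interface" (inside3 and dmz are both 50 in the second post), and which translation, if any, covers a given host between two interfaces in 8.2 order (static first, then a nat/global pair sharing the same id). The sample configuration is constructed by merging the relevant lines of the two posted configs, and with_suggested_fix applies the change proposed just above (dmz at 49 plus "global (dmz) 1 interface") so the two states can be compared; the parser only understands the simple static/nat/global forms that appear in this thread.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the two ASA 8.2 configs posted in this thread, merged
# into one excerpt (outside with no IP from the first post; dmz and inside3 both 50 from the second).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 no ip address
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Ethernet0/1.3
 nameif inside3
 security-level 50
 ip address 10.40.20.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 172.20.10.1 255.255.255.0
!
global (outside) 1
nat (inside) 1 10.20.10.0 255.255.255.0
nat (inside3) 1 10.40.20.0 255.255.255.0
nat (dmz) 1 172.20.10.0 255.255.255.0
static (dmz,outside) tcp interface ftp 172.20.10.5 ftp netmask 255.255.255.255
static (dmz,inside) 172.20.10.5 172.20.10.5 netmask 255.255.255.255
static (inside,dmz) 10.20.10.0 10.20.10.0 netmask 255.255.255.0
"""


def parse_asa(config):
    """Collect nameif / security-level / ip per interface plus the global, nat and static lines."""
    interfaces, rules, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            cur = {"level": None, "ip": None}
            continue
        if cur is not None and raw.startswith(" "):      # interface sub-command
            tok = line.split()
            if tok[0] == "nameif":
                interfaces[tok[1]] = cur
            elif tok[0] == "security-level":
                cur["level"] = int(tok[1])
            elif tok[:2] == ["ip", "address"]:
                cur["ip"] = f"{tok[2]}/{tok[3]}"
            continue
        cur = None
        tok = line.split()
        if tok[0] in ("static", "global", "nat", "same-security-traffic"):
            rules.append((tok[0], tok))
    return interfaces, rules


def interface_keyword_without_ip(interfaces, rules):
    """'interface' in a static/global borrows the mapped interface's own address, so a mapped
    interface that has no IP address is flagged (it cannot provide one)."""
    found = []
    for kind, tok in rules:
        m = re.match(r"\((\w+)(?:,(\w+))?\)", tok[1])
        if m and "interface" in tok:
            mapped = m.group(2) if kind == "static" else m.group(1)
            if interfaces.get(mapped, {}).get("ip") is None:
                found.append((mapped, " ".join(tok)))
    return found


def same_security_pairs(interfaces, rules):
    """Interface pairs at equal security-level; the ASA forwards nothing between them unless
    'same-security-traffic permit inter-interface' is present."""
    if any(tok[1:3] == ["permit", "inter-interface"]
           for kind, tok in rules if kind == "same-security-traffic"):
        return []
    names = sorted(interfaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if interfaces[a]["level"] == interfaces[b]["level"]]


def nat_match(rules, src_if, dst_if, src_ip):
    """First translation covering src_ip from src_if toward dst_if, in 8.2 order: static entries,
    then a dynamic nat on src_if paired with a global of the same id on dst_if. None = no xlate."""
    ip = ipaddress.ip_address(src_ip)
    for kind, tok in rules:
        if kind == "static" and tok[1] == f"({src_if},{dst_if})":
            real = tok[5] if tok[2] in ("tcp", "udp") else tok[3]   # port-static form shifts fields
            mask = tok[tok.index("netmask") + 1]
            if ip in ipaddress.ip_network(f"{real}/{mask}", strict=False):
                return " ".join(tok)
    ids = {int(tok[2]): " ".join(tok) for kind, tok in rules
           if kind == "nat" and tok[1] == f"({src_if})"
           and ip in ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)}
    for kind, tok in rules:
        if kind == "global" and tok[1] == f"({dst_if})" and int(tok[2]) in ids:
            return ids[int(tok[2])] + " + " + " ".join(tok)
    return None


def with_suggested_fix(config):
    """Apply the change proposed in the thread: dmz to security-level 49 plus a dmz global."""
    return config.replace(" nameif dmz\n security-level 50",
                          " nameif dmz\n security-level 49") + "global (dmz) 1 interface\n"


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("with fix", with_suggested_fix(ASA_CONFIG))):
        ifs, rules = parse_asa(cfg)
        print(label, interface_keyword_without_ip(ifs, rules), same_security_pairs(ifs, rules),
              nat_match(rules, "inside3", "dmz", "10.40.20.7"))
```

Run as posted, the script reports the outside interface as lacking an address for the port static, lists (dmz, inside3) as an equal-security pair, and finds no translation for an inside3 host heading to the DMZ; with the suggested change applied the pair disappears and the inside3 host is covered by the nat (inside3) 1 / global (dmz) 1 interface pair.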

IP.

Still no luck.

Where is Ethernet0/2 of the ASA connected to the switch?

Value our effort and rate the assistance!

Port 44.

Seems like I can't even access FTP remotely either. Tried to telnet to 173.220.176.250 23.

enable
config t
logging on
logging buffered debugging
logging buffer-size 1048576
clear log buffer

After you set this up and run a test from the host with which you are attempting to connect to the FTP server, run a show log with the IP address of the PC you are testing from.

Example:

show log | in 10.20.10.X

Value our effort and rate the assistance!

You can't do that; you can do "telnet 173.220.176.250 21" or "ftp 173.220.176.250".

Value our effort and rate the assistance!

I am trying this from an external IP outside the network, not internally. FTP isn't working from outside, and I can't browse to it internally.

: (
