09-17-2010 11:41 AM - edited 03-11-2019 11:41 AM
Good afternoon experts - I am in need of a quick resolution to what I am sure is a fairly standard configuration issue.
Description: we need to configure a DMZ on an ASA for an FTP server with a public IP address. Outside partners need to send files to this FTP server. We then need to have these files transferred internally to a file server.
Problem: outside partners are able to send the files to the FTP server in the DMZ, but we cannot retrieve them from the internal file server through the ASA.
Relevant configuration:
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 205.x.y.z 255.255.255.248
!
interface GigabitEthernet0/1
nameif INSIDE (IP address of internal file server is 192.168.x.x)
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ IP (IP address of FTP server 198.d.e.25)
nameif DMZ
security-level 50
ip address 198.d.e.30 255.255.255.248
!
NAT contains this:
nat (INSIDE) 0 access-list NO-NAT
access-list NO-NAT line 153 extended permit ip host 192.168.x.x host 198.d.e.25
nat (DMZ) 0 access-list NO-NAT-DMZ
access-list NO-NAT-DMZ line 1 remark Allow traffic from SFTP server to Corp-Server
access-list NO-NAT-DMZ line 2 extended permit ip host 198.d.e.25 host 192.168.x.x
There are no access-group rules applied to INSIDE or DMZ interfaces.
What is missing, or misconfigured? Your input is greatly appreciated.
Thanks, Patrick
09-17-2010 12:01 PM
There are many ways to do it.
But, for example, if you need to reach the DMZ from the internal network, you can try this:
nat (INSIDE) 1 10.x.x.x 255.255.255.0
global (DMZ) 1 interface
Federico.
09-17-2010 12:36 PM
Federico - thanks for the reply, but I have one question - why would I want the "nat (inside) 1 10.x.x.x. " command to reference the 10.x.x.x - the IP address of the interface, and not the internal file server?
Thanks, Patrick
09-17-2010 12:47 PM
If you need to access the FTP server (on the DMZ) from the inside network, that's what you need (we can restrict it to be from a single server).
If on the other hand, you need the FTP server to initiate a connection to the inside server, then you will need a static NAT and an ACL.
Federico.
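Both approaches Federico describes, written out as an added example that is not part of the original thread: it uses the pre-8.3 `nat`/`global`/`static` syntax that the original post's configuration uses, keeps the thread's placeholder addresses (192.168.x.x for the inside file server, 198.d.e.25 for the DMZ FTP server), and the ACL name DMZ-IN is an assumption.

```cisco
! --- Option A: inside hosts open the FTP session to the DMZ server ---
! Dynamic PAT behind the DMZ interface address. Scoped to the single
! internal file server rather than the whole 10.x.x.x/24 (least privilege);
! widen the mask only if other inside hosts must reach the DMZ.
nat (INSIDE) 1 192.168.x.x 255.255.255.255
global (DMZ) 1 interface
! INSIDE (100) is higher security than DMZ (50), so no access-group is
! required on INSIDE for this direction. The default global_policy
! 'inspect ftp' opens the FTP data channel; no extra rule is needed.

! --- Option B: the DMZ FTP server pushes files to the inside server ---
! Identity static: the inside server keeps its real address when seen from
! the DMZ. A static is bidirectional, so for this one host it also covers
! Option A's direction and the nat/global pair above becomes redundant.
static (INSIDE,DMZ) 192.168.x.x 192.168.x.x netmask 255.255.255.255
! Lower-to-higher security needs an explicit ACL on the DMZ interface.
! Permit only this host pair and this service; the NO-NAT-DMZ remark in the
! original post says SFTP, in which case use 'eq 22' instead of 'eq ftp'.
access-list DMZ-IN extended permit tcp host 198.d.e.25 host 192.168.x.x eq ftp
! Explicit logged deny so anything else the DMZ host tries shows up in syslog.
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface DMZ

! --- Verification ---
show xlate                    ! the identity translation should be listed
show access-list DMZ-IN       ! hit counts on the permit line after a transfer
show version | include Licen  ! the license check Roger's reply refers to
```

The original post's `nat 0 access-list` exemption on both interfaces is a third way to handle the translation and, as the thread's resolution confirms, it works; what it does not supply on its own is the DMZ-side `access-group`, which is only needed if the DMZ server is the side that initiates the connection.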
09-17-2010 02:01 PM
In addition to the static/global commands and the access-list:
You need a Security Plus License to do this. The Base license only allows two regular zones (inside, outside) and one restricted zone (dmz), which can ONLY communicate with a zone with a lower security level (outside). Run the show ver command and check the license.
// Roger
09-17-2010 02:17 PM
Federico, Roger - thanks for the replies.
Turns out there was an issue with the FTP authentication, not a DMZ config issue.
ASA DMZ config worked as posted.
Thanks again. Patrick