cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1140
Views
0
Helpful
5
Replies

ASA DMZ configuration issue

Sharkey13
Level 1
Level 1

Good afternoon experts - I am in need of a quick resolution to what I am sure is a fairly standard configuration issue.

Description:  we need to configure a DMZ on an ASA for an FTP server with a public IP address.  Outside partners need to send files to this FTP server.  We then need to have these files transferred internally to a file server.

Problem:  outside partners are able to send the files to the FTP server in the DMZ, but we cannot retrieve them from the internal file server through the ASA.

Relevant configuration:

interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 205.x.y.z 255.255.255.248
!
interface GigabitEthernet0/1
nameif INSIDE (IP address of internal file server is 192.168.x.x)
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface GigabitEthernet0/2
description DMZ IP (IP address of FTP server 198.d.e.25)
nameif DMZ
security-level 50
ip address 198.d.e.30 255.255.255.248
!

NAT contains this:

nat (INSIDE) 0 access-list NO-NAT

access-list NO-NAT line 153 extended permit ip host 192.168.x.x host 198.d.e.25
nat (DMZ) 0 access-list NO-NAT-DMZ
access-list NO-NAT-DMZ line 1 remark Allow traffic from SFTP server to Corp-Server
access-list NO-NAT-DMZ line 2 extended permit ip host 198.d.e.25 host 192.168.x.x

There are no access-group rules applied to INSIDE or DMZ interfaces.

What is missing, or misconfigured?  Your input is greatly appreciated.

Thanks, Patrick

5 Replies 5

Many many ways to do it.

But for example if you need from the internal network to reach the DMZ, can try this:

nat (inside) 1 10.x.x.x. 255.255.255.0

global (DMZ) 1 interface

Federico.

Federico - thanks for the reply, but I have one question - why would I want the "nat (inside) 1 10.x.x.x. " command to reference the 10.x.x.x - the IP address of the interface, and not the internal file server?

Thanks, Patrick

If you need to access the FTP server (on the DMZ) from the inside network, that's what you need (we can restrict it to be from a single server).

If on the other hand, you need the FTP server to initiate a connection to the inside server, then you will need a static NAT and an ACL.

Federico.

In addition to the static/global commands and access-list.

You need a Security Plus License to do this. The Base license only allow two regular zones (inside, outside) and och restricted zone(dmz) which ONLY can communicate to a zone with lower security level(outside). Run show ver command and check the license.

// Roger

Sharkey13
Level 1
Level 1

Federico, Roger - thanks for the replies.

Turns out there was an issue with the FTP authentication, not a DMZ config issue.

ASA DMZ config worked as posted.

Thanks again.  Patrick

Review Cisco Networking for a $25 gift card