11-20-2014 10:09 AM - edited 03-11-2019 10:06 PM
I can't seem to get my firewall to allow FTP traffic to my DMZ server. I want to be able to have FTP traffic hitting our outside IP address forward to our DMZ FTP server.
Access rule in DMZ: set to source (external IP), destination (DMZ server), service (ftp)
When I packet trace I get:
NAT rules are as follows:
DMZ
static - source (DMZ server), interface (outside), address (External IP)
I also added an outside NAT rule:
static source (external IP) interface (DMZ) Address (DMZ server)
11-20-2014 09:40 PM
Hi,
Which ASA software version is running in your firewall?
If you want the FTP traffic, which initiates from the external network, redirected to the FTP server, configure the commands below:
(ASA 8.2 & earlier version)
1. Create static PAT
static (DMZ,outside) tcp interface ftp <DMZ server ip> ftp netmask <netmask>
2. Create an ACL to allow ftp from the external network
access-list outside_inside extended permit tcp any any eq ftp (If you know the source address, you can mention the same here instead of 'any'. That is more secure)
3. Bind the acl in the outside interface with 'in' direction
access-group outside_inside in interface outside
Regards
Ejaz
11-21-2014 04:31 AM
Hi,
In addition, you might also want to check for FTP inspection, based on which mode you are using.
For Active, you would need inspection as per your setup.
Thanks and Regards,
Vibhor Amrodia
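As an added example, not taken from any of the posts above: the static PAT, inbound ACL and FTP inspection from the two replies written out in the post-8.3 NAT syntax (ASA 8.4, the release paired with ASDM 6.4, uses it), together with the packet-tracer check used to verify the path. The interface names, object name and the addresses 10.10.10.5 (DMZ server) and 203.0.113.5 (outside interface) are placeholders.

```cisco
! Placeholder DMZ FTP server, defined by its real (pre-NAT) address
object network DMZ-FTP-SERVER
 host 10.10.10.5
 ! Static PAT: outside interface address, TCP/21 -> server TCP/21
 nat (DMZ,outside) static interface service tcp ftp ftp
!
! In 8.3+ the inbound ACL matches the REAL (object) address, not the
! mapped outside IP; narrow 'any' to the known client range if possible
access-list OUTSIDE-IN extended permit tcp any object DMZ-FTP-SERVER eq ftp
access-group OUTSIDE-IN in interface outside
!
! FTP inspection in the default global policy opens the data channel
! for active mode and rewrites embedded addresses for passive mode
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global
!
! Verification: simulate an outside client (placeholder 198.51.100.10)
! reaching the mapped outside address; each phase should show ALLOW
packet-tracer input outside tcp 198.51.100.10 40000 203.0.113.5 21 detailed
show nat detail
show access-list OUTSIDE-IN
```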
11-21-2014 03:43 PM
Running ASDM 6.4.
I ran the above lines, which makes sense; however, I'm getting dropped at the implied access rule,
even though the rule allows outside access any to inside via the ftp service.
@Vibhor I see under Objects that there are 'Inspect Maps', however they weren't set. I added one for ftp set to low, but it still is dropping at the access rule.
11-22-2014 01:21 AM
Hi,
Can you give me the output of the packet tracer with the IP address information?
Thanks and Regards,
Vibhor Amrodia
12-01-2014 01:54 PM
NAT rule: source is internal DMZ. ENGftp is the external IP provided by the ISP.
outside (incoming rule)
any, any for ftp
12-02-2014 12:31 AM
You could also run a packet capture between the outside and inside interfaces. If you see the packet enter the outside interface and leave the inside interface, but you never see the return packet, then you should check the server settings and the network between the ASA and the server for issues.
Refer to the following link for instruction on running a packet capture:
Also, I noticed in your original post that you have a NAT 0 statement matching all traffic from the DMZ. Is there a reason for this?
nat (DMZ) 0 0.0.0.0 0.0.0.0
--
Please remember to select a correct answer and rate helpful posts
12-12-2014 01:12 PM
To be honest, I couldn't tell you about the NAT DMZ. This was already configured and there weren't any notes as to why.
12-13-2014 04:02 PM
Do you have public IPs configured in your DMZ? The reason I ask is because NAT 0 will be matched first. So, if you have public IPs configured in your DMZ you will be OK. But if you have private IPs then you would run into problems.
--
Please remember to select a correct answer and rate helpful posts