ASDM 6.4 NAT failure

astutemed
Level 1

I can't seem to get my firewall to allow FTP traffic to my DMZ server. I want to have FTP traffic hitting our outside IP address forwarded to our DMZ FTP server.

Access rule in DMZ: set to source (external IP), destination (DMZ server), service (ftp).

When I run packet tracer I get:

nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any outside any
no translation group, implicit deny

NAT rules are as follows:

DMZ

static - source (DMZ server) interface (outside) Address (External IP)

I also added an outside NAT rule:

static source (external IP)   interface (DMZ) Address (DMZ server)

Ejaz Ahmed
Level 1

Hi,

Which ASA software version is running in your firewall?

If you want FTP traffic that initiates from the external network redirected to the FTP server, configure the commands below:

(ASA 8.2 & earlier version)

1. Create static PAT

static (DMZ,outside) tcp interface ftp <DMZ server ip> ftp netmask <netmask>

2. Create an ACL to allow ftp from the external network

access-list outside_inside extended permit tcp any any eq ftp (If you know the source address, you can mention the same here instead of 'any'. That is more secure)

3. Bind the ACL to the outside interface in the 'in' direction

access-group outside_inside in interface outside

Regards

Ejaz

Hi,

In addition, you might also want to check the FTP inspection, depending on which mode you are using.

For active FTP, you would need inspection as per your setup.

Thanks and Regards,

Vibhor Amrodia

Running ASDM 6.4.

I ran the above lines, which makes sense; however, I'm getting dropped at the implied access rule,

even though the rule allows outside access from any to inside via the ftp service.

@Vibhor I see under Objects that there are 'Inspect Maps'; however, they weren't set. I added one for ftp set to low, but it is still dropping at the access rule.

Hi,

Can you give me the output of the packet tracer with the IP address information?

Thanks and Regards,

Vibhor Amrodia

Config

nat (DMZ) 1 10.0.0.0 255.255.255.0
nat-control
match ip DMZ 10.0.0.0 255.255.255.0 outside any
dynamic translation to pool 1 (184.188.XX.XX [Interface PAT])
translate_hits = 0, untranslate_hits =

NAT rule: source is the internal DMZ. ENGftp is the external IP provided by the ISP.

outside (incoming rule):

any, any for ftp
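An added checker, not part of this thread, that reads the NAT phase of the two packet-tracer outputs quoted above (the original post and the "Config" post) and reports the conditions the replies discuss: a catch-all nat 0, "no translation group" under nat-control, and an outbound-only interface PAT. The samples are constructed from the thread's lines; the untranslate_hits value of 0 in the second sample is assumed, since the post is cut off there.

```python
import re

# Constructed samples: the NAT-phase packet-tracer output quoted in this thread.
# 184.188.XX.XX is the poster's own masking; untranslate_hits = 0 is assumed.
TRACE_DENIED = """\
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any outside any
no translation group, implicit deny
"""

TRACE_PAT = """\
nat (DMZ) 1 10.0.0.0 255.255.255.0
nat-control
match ip DMZ 10.0.0.0 255.255.255.0 outside any
dynamic translation to pool 1 (184.188.XX.XX [Interface PAT])
translate_hits = 0, untranslate_hits = 0
"""

NAT_RE = re.compile(r"^nat \((?P<iface>[^)]+)\) (?P<nat_id>\d+) (?P<addr>\S+) (?P<mask>\S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def check_nat_phase(trace):
    """Return {finding_code: explanation} for one packet-tracer NAT phase (ASA 8.2-style)."""
    findings = {}
    for line in trace.splitlines():
        m = NAT_RE.match(line)
        if m and m["nat_id"] == "0" and m["addr"] == "0.0.0.0" and m["mask"] == "0.0.0.0":
            # The thread's last reply: this identity rule covers every DMZ host, so a
            # private DMZ address is matched here instead of by the intended static.
            findings["NAT0_CATCH_ALL"] = (
                f"nat ({m['iface']}) 0 0.0.0.0 0.0.0.0 covers every host on "
                f"{m['iface']}; confirm it is intended before the static is expected to work")
        if "no translation group" in line:
            # nat-control requires a translation for the flow; none exists, so it is dropped.
            findings["NO_TRANSLATION"] = (
                "no static/NAT entry covers this flow; dropped in the NAT phase under nat-control")
        if "[Interface PAT]" in line:
            # Dynamic PAT only serves outbound connections; inbound FTP needs a static PAT.
            findings["DYNAMIC_PAT_ONLY"] = (
                "outbound interface PAT only; inbound ftp to the outside address needs "
                "static (DMZ,outside) tcp interface ftp <server> ftp")
        h = HITS_RE.search(line)
        if h and h.group(2) == "0":
            findings["NO_UNTRANSLATE_HITS"] = "untranslate_hits = 0: no inbound packet has used this rule"
    return findings


if __name__ == "__main__":
    for name, trace in (("original post", TRACE_DENIED), ("Config post", TRACE_PAT)):
        for code, why in check_nat_phase(trace).items():
            print(f"{name}: {code}: {why}")
```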

You could also run a packet capture between the outside and inside interfaces. If you see the packet enter the outside interface and leave the inside interface, but you never see the return packet, then you should check the server settings and the network between the ASA and the server for issues.

Refer to the following link for instructions on running a packet capture:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html

Also, I noticed in your original post that you have a NAT 0 statement matching all traffic from the DMZ.  Is there a reason for this?

nat (DMZ) 0 0.0.0.0 0.0.0.0

--

Please remember to select a correct answer and rate helpful posts


To be honest, I couldn't tell you about the NAT DMZ rule. This was already configured and there weren't any notes as to why.

Do you have public IPs configured in your DMZ? The reason I ask is that NAT 0 will be matched first. So, if you have public IPs configured in your DMZ you will be OK. But if you have private IPs then you would run into problems.

--

Please remember to select a correct answer and rate helpful posts
