07-13-2011 04:24 AM - edited 03-11-2019 01:58 PM
Dear Support,
I have a strange issue: since yesterday, my Cisco ASA has not allowed FTP sessions.
When I try an FTP to a server, I get this error message from my server:
C:\>ftp 10.3.1.18
> ftp: connect :Numéro d'erreur inconnu
c:\>
the server 10.3.1.18 is behind the firewall in my DMZ.
With the packet tracer, the result is allowed.
Regards
07-13-2011 04:31 AM
Hi Zain,
Could you provide the configuration from the firewall? We might need to take captures as well to isolate whether it's an issue with the ASA or the FTP server. Moreover, can you tell me if you are using active FTP or passive FTP?
Thanks,
Varun
07-13-2011 04:44 AM
Dear Varun,
The FTP mode is here:
ga-asa-fw01# sh run ftp
ftp mode passive
ga-asa-fw01#
Regards
07-13-2011 04:56 AM
Hi Zain,
Thanks for the information, although this is not the right information that we need; this mode is the mode for tftp from or to the firewall, not for connections going through the firewall. I would request you to provide me the running-config from your firewall so that I can take a look at it and suggest the correct capture commands to identify the cause. Also, do you get anything in the ASA logs when the connection is denied?
Varun
07-13-2011 05:17 AM
Dear Varun,
Find my configuration:
: Saved
: Written by enable_15 at 13:05:32.389 CA Wed Jul 13 2011
!
ASA Version 8.2(2)
!
hostname ga-asa-fw01
domain-name ga.airtel.com
enable password v6SfSHGPNOg9Rn4j encrypted
passwd 0lvchVuN4vCKANGn encrypted
names
name 10.3.4.0 Vlan10
name 192.168.12.0 Vlan12 description Users Vlan 12
name 10.3.4.15 LAN_DNS1
name 10.3.4.16 LAN_DNS2
name 217.113.64.1 PUBLIC_DNS1
name 217.113.64.2 PUBLIC_DNS2
name 213.208.241.41 HQSigosServer1
name 213.208.241.42 HQSigosServer2
name 213.208.241.43 HQSigosServer3
name 217.113.76.131 PublicIP_DMZIcsServer description ICS Public IP
name 10.3.1.17 DMZIcsServer description DMZ ICS Server
name 10.3.1.0 DMZNetwork description DMZ Network
name 10.3.1.18 DMZFtpServer description DMZ FTP Server
name 192.168.1.160 M-Commerce_160
name 192.168.1.188 M-Commerce_188
name 192.168.1.191 M-Commerce_191
name 192.168.1.193 M-Commerce_193
dns-guard
!
interface GigabitEthernet0/0
nameif WanInterface
security-level 0
ip address 10.10.10.10 255.255.255.224
ospf cost 10
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif LanInterface
security-level 100
ip address 10.3.4.2 255.255.252.0
ospf cost 10
!
interface GigabitEthernet0/2
speed 1000
duplex full
nameif DmzInterface
security-level 50
ip address 10.3.1.1 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone CA 1
dns domain-lookup WanInterface
dns domain-lookup LanInterface
dns domain-lookup DmzInterface
dns domain-lookup management
dns server-group DefaultDNS
name-server LAN_DNS1
name-server LAN_DNS2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network LanNetworks
network-object Vlan13 255.255.255.0
network-object OfficeLANWifi 255.255.255.0
network-object Vlan10 255.255.252.0
network-object Vlan11 255.255.255.0
network-object host Consultant_Ericsson
network-object host consultant2_ERICSSON
network-object host Consultant4_Africa
network-object host Consultant3_ERICSSON
network-object host Consultant-ERICSSON
network-object Vlan14 255.255.255.0
network-object host Machine_Charly
network-object Vlan12 255.255.255.0
network-object DG-HOME 255.255.255.0
object-group service WEB_SERVICES
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq www
group-object web_sg
group-object vpn_sg
group-object messengers_sg
service-object tcp-udp eq 593
service-object tcp-udp eq 6001
service-object tcp-udp eq 6002
service-object tcp-udp eq 6004
service-object tcp-udp eq 7870
service-object tcp eq ssh
service-object tcp eq 8
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object tcp eq 3101
service-object tcp eq https
service-object tcp eq 9450
service-object udp eq 8889
service-object tcp eq 8181
object-group service dns_sg tcp-udp
port-object eq domain
object-group service ftp_sg tcp
port-object eq ftp
port-object eq ftp-data
object-group service ftp-http-ssh_sg tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service mssql_resolver_tcp tcp
port-object eq 1434
object-group service mssql_resolver_udp udp
port-object eq 1434
object-group service mssql_tcp tcp
port-object eq 1433
object-group service mssql_udp udp
port-object eq 1433
object-group service african1_tcp tcp
port-object eq 8030
object-group service erc_mgw_sg tcp
port-object eq 5001
object-group service mvoucher_tcp tcp
port-object eq 1024
object-group service rdc_tcp tcp
port-object eq 3389
object-group service http-https_sg tcp
port-object eq www
port-object eq https
access-list LanInterface_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group TechMahindra any
access-list LanInterface_access_in remark FULL ACCESS
access-list LanInterface_access_in extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list LanInterface_access_in extended permit object-group WEB_SERVICES object-group LanNetworks any
access-list LanInterface_access_in remark Internal Local DNS to Public ISP DNS
access-list LanInterface_access_in extended permit object-group DNS_SERVICES object-group LAN_DNS object-group PUBLIC_DNS_ISP
access-list LanInterface_access_in extended permit ip object-group DM_INLINE_NETWORK_5 any
access-list LanInterface_access_in extended permit ip object-group LanNetworks DMZNetwork 255.255.255.0
access-list LanInterface_access_in extended permit object-group EDCH_FTP object-group EMM_GRP_EDCH object-group DM_INLINE_NETWORK_3
access-list LanInterface_access_in remark OfficeLANSigosBox any
access-list LanInterface_access_in extended permit ip host OfficeLANSigosBox object-group HQSigosServerGroup
access-list LanInterface_access_in remark LanPlanet_to_HQPlanetEVServers
access-list LanInterface_access_in extended permit ip host LAN_Planet_EV object-group HQPlanetEVServersGroup
access-list LanInterface_access_in extended permit ip MPBN_NETWORK 255.255.0.0 DMZNetwork 255.255.255.0
access-list LanInterface_access_in extended permit ip object-group RA-GABON object-group RA-AMSTERDAM
access-list LanInterface_access_in extended permit ip Vlan10 255.255.252.0 HQ_NETWORK 255.255.254.0
access-list LanInterface_access_in extended permit ip object-group M-Commerce_Grp object-group Oberthur_Net
access-list LanInterface_access_in extended permit ip host ZAIN_SERVER_VPN_BGFI host BGFI_SERVER_VPN
access-list LanInterface_access_in extended permit ip object-group COMVIVA-LOCAL-GROUP object-group COMVIVA-REMOTE
access-list LanInterface_access_in extended permit ip object-group PUSHMAIL-GABON object-group PUSHMAIL-AMS
access-list LanInterface_access_in extended permit ip object-group NEW-GABON object-group NEW-AMSTERDAM
access-list LanInterface_access_in extended permit ip host COMVIVA_SMSC_26 object-group NIGERIA-GROUP-VPN
access-list LanInterface_access_in extended permit ip host PPSMAIN host MACH-FTP-SERVER
access-list DmzInterface_access_in extended permit ip DMZNetwork 255.255.255.0 any
access-list WanInterface_access_in remark UniverseSMTP_to_GatewaySMTPServer & OutlookWebAccess
access-list WanInterface_access_in extended permit tcp any host MailPublic object-group owa_sg
access-list WanInterface_access_in remark Universe_to_DMZFtpServer
access-list WanInterface_access_in extended permit tcp any host PublicIP_DMZFtpServer object-group ftp_sg
access-list WanInterface_access_in remark Universe_to_DMZIcsServer
access-list WanInterface_access_in extended permit ip object-group HQSigosServerGroup host PublicIP_DMZIcsServer
access-list WanInterface_access_in remark Universe to Citrix
access-list WanInterface_access_in extended permit tcp any host PublicIP_DMZIcsServer object-group DM_INLINE_TCP_3
access-list WanInterface_access_in extended permit tcp any object-group ASTELLIA_GROUP_SERVERS object-group DM_INLINE_TCP_6
access-list WanInterface_access_in extended permit object-group OTA_SERVICES host Client_OTA host PublicIP_DMZFtpServer
access-list WanInterface_access_in extended permit object-group EDCH_FTP host EDCH_SERVER_VPN object-group EMM_GRP_EDCH
access-list WanInterface_access_in extended permit ip object-group Oberthur_Net object-group M-Commerce_Grp
access-list WanInterface_access_in extended permit object-group Monitoring host ROUTER_ISP interface WanInterface
access-list WanInterface_access_in extended permit ip host BGFI_SERVER_VPN host ZAIN_SERVER_VPN_BGFI
access-list WanInterface_access_in extended permit ip object-group COMVIVA-REMOTE object-group COMVIVA-LOCAL-GROUP
access-list WanInterface_access_in extended permit ip host MACH-FTP-SERVER host PPSMAIN
access-list LanInterface_nat0_outbound extended permit ip host PPSMAIN host EDCH_SERVER_VPN
access-list LanInterface_nat0_outbound extended permit ip object-group RA-GABON object-group RA-AMSTERDAM
access-list LanInterface_nat0_outbound extended permit ip Vlan10 255.255.252.0 HQ_NETWORK 255.255.254.0
access-list LanInterface_nat0_outbound extended permit ip MPBN_NETWORK 255.255.0.0 DMZNetwork 255.255.255.0
access-list LanInterface_nat0_outbound extended permit ip object-group M-Commerce_Grp object-group Oberthur_Net
access-list LanInterface_nat0_outbound extended permit ip object-group MASIYA_GROUP 192.168.4.0 255.255.255.0
access-list LanInterface_nat0_outbound extended permit ip object-group GroupLocal_VPN 192.168.6.0 255.255.255.0
access-list LanInterface_nat0_outbound extended permit ip Vlan10 255.255.252.0 DMZNetwork 255.255.255.0
access-list LanInterface_nat0_outbound extended permit ip host ZAIN_SERVER_VPN_BGFI host BGFI_SERVER_VPN
access-list LanInterface_nat0_outbound extended permit ip object-group COMVIVA-LOCAL-GROUP object-group COMVIVA-REMOTE
access-list LanInterface_nat0_outbound extended permit ip Vlan10 255.255.252.0 ROAMWARE_VPN_NETWORK 255.255.248.0
access-list LanInterface_nat0_outbound extended permit ip object-group NEW-GABON object-group NEW-AMSTERDAM
access-list LanInterface_nat0_outbound extended permit ip host NAT-FROM-NIGERIA object-group NIGERIA-GROUP-VPN
access-list LanInterface_nat0_outbound extended permit ip host PPSMAIN host MACH-FTP-SERVER
access-list WanInterface_2_cryptomap extended permit ip Vlan10 255.255.252.0 HQ_NETWORK 255.255.254.0
access-list WanInterface_nat0_outbound extended permit ip any any
access-list WanInterface_nat0_outbound extended permit ip any Vlan10 255.255.252.0
access-list global_mpc extended permit tcp any any object-group DM_INLINE_TCP_2
access-list WanInterface_mpc extended permit tcp any any object-group DM_INLINE_TCP_4
access-list DefaultRAGroup_splitTunnelAcl standard permit Vlan10 255.255.252.0
access-list NAT-Nigeria extended permit ip host COMVIVA_SMSC_26 object-group NIGERIA-GROUP-VPN
access-list WanInterface_1_cryptomap extended permit ip host PPSMAIN host EDCH_SERVER_VPN
access-list tcp-traffic extended permit tcp any any
access-list WanInterface_2_cryptomap_1 extended permit ip object-group M-Commerce_Grp object-group Oberthur_Net
access-list cap extended permit ip any host 192.168.158.103
access-list cap extended permit ip host 192.168.158.103 any
access-list cap extended permit ip any host 10.3.4.13
access-list cap extended permit ip host 10.3.4.13 any
access-list cap extended permit ip any host RiverBed
access-list cap extended permit ip host RiverBed any
access-list cap extended permit ip host 192.168.249.240 any
access-list WanInterface_5_cryptomap extended permit ip Vlan10 255.255.252.0 ROAMWARE_VPN_NETWORK 255.255.248.0
access-list WanInterface_6_cryptomap extended permit ip object-group NEW-GABON object-group NEW-AMSTERDAM
access-list WanInterface_7_cryptomap extended permit ip host NAT-FROM-NIGERIA object-group NIGERIA-GROUP-VPN
access-list WanInterface_8_cryptomap extended permit ip host PPSMAIN host MACH-FTP-SERVER
!
tcp-map allow-probes
tcp-options range 76 78 allow
!
pager lines 24
logging enable
logging timestamp
logging list EVENTS level errors class ip
logging monitor warnings
logging trap debugging
logging asdm informational
logging mail alerts
logging facility 16
logging class auth history emergencies
flow-export destination LanInterface SECURITYSERVER 2055
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu WanInterface 1500
mtu LanInterface 1500
mtu DmzInterface 1500
mtu management 1500
ip local pool RemoteMasiya 192.168.4.10-192.168.4.250 mask 255.255.255.0
ip local pool RemoteAirtel 192.168.6.10-192.168.6.250 mask 255.255.255.0
ip local pool ip-pool 192.168.7.10-192.168.7.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any LanInterface
icmp permit any DmzInterface
asdm image disk0:/asdm-625.bin
asdm location LTC_NETWORK 255.255.255.192 LanInterface
asdm location MPBN_MGMT 255.255.255.192 LanInterface
asdm location Server_121 255.255.255.255 LanInterface
asdm location 192.168.10.151 255.255.255.255 LanInterface
asdm location FlorisseDR 255.255.255.255 LanInterface
asdm location ROUTER_ISP 255.255.255.255 LanInterface
asdm location SECURITYSERVER 255.255.255.255 LanInterface
asdm location BGFI_SERVER_VPN 255.255.255.255 LanInterface
asdm location ZAIN_SERVER_VPN_BGFI 255.255.255.255 LanInterface
asdm location BAHRTI 255.255.255.255 LanInterface
asdm location Remote_SERVER 255.255.255.255 LanInterface
asdm location consultantMarketing 255.255.255.255 LanInterface
asdm location RiverBed 255.255.255.255 LanInterface
asdm location Public_Riverbed 255.255.255.255 LanInterface
asdm location PROXY_AFRICA 255.255.255.255 LanInterface
asdm location Consultant-ERICSSON 255.255.255.255 LanInterface
asdm location Consultant3_ERICSSON 255.255.255.255 LanInterface
asdm location Consultant4_Africa 255.255.255.255 LanInterface
asdm location DC 255.255.255.255 LanInterface
asdm location consultant2_ERICSSON 255.255.255.255 LanInterface
asdm location MOUSTINGA 255.255.255.255 LanInterface
asdm location CSR 255.255.255.0 LanInterface
asdm location CONSULTANT_IBM 255.255.255.255 LanInterface
asdm location 192.168.11.27 255.255.255.255 LanInterface
asdm location Consultant_COMVIVA 255.255.255.255 LanInterface
asdm location Consultant_Ericsson 255.255.255.255 LanInterface
asdm location Consultant_TECH-MAHINDRA 255.255.255.255 LanInterface
asdm location Consultant6_ERICSSON 255.255.255.255 LanInterface
asdm location RoamUpgrade_185 255.255.255.255 LanInterface
asdm location RoamUpgrade_186 255.255.255.255 LanInterface
asdm location RoamUpgrade_189 255.255.255.255 LanInterface
asdm location RoamUpgrade_194 255.255.255.255 LanInterface
asdm location MAMO_Server 255.255.255.255 LanInterface
asdm location CONSULTANT_DAF 255.255.255.255 LanInterface
asdm location Consultant2_COMVIVA 255.255.255.255 LanInterface
asdm location EMM_162 255.255.255.255 LanInterface
asdm location EMM_166 255.255.255.255 LanInterface
asdm location EMM_187 255.255.255.255 LanInterface
asdm location Machine_Charly 255.255.255.255 LanInterface
asdm location Call_Center_Network 255.255.255.0 LanInterface
asdm location 10.3.6.72 255.255.255.255 LanInterface
asdm location TM_Link7 255.255.255.255 LanInterface
asdm location TM_Link2 255.255.255.255 LanInterface
asdm location TM_Link4-6-8 255.255.255.255 LanInterface
asdm location TM_link1 255.255.255.255 LanInterface
asdm location TM_Link9 255.255.255.255 LanInterface
asdm location TM_Link10 255.255.255.255 LanInterface
asdm location TM_Link11 255.255.255.255 LanInterface
asdm location TM_Link12 255.255.255.255 LanInterface
asdm location TM_Link3-5 255.255.255.255 LanInterface
asdm location DG-HOME 255.255.255.0 LanInterface
asdm location ROAMWARE_VPN_NETWORK 255.255.248.0 LanInterface
asdm location 192.9.200.0 255.255.255.0 LanInterface
asdm location 192.168.246.0 255.255.254.0 LanInterface
asdm location 192.168.250.0 255.255.254.0 LanInterface
asdm location 192.168.252.0 255.255.254.0 LanInterface
asdm location 10.127.0.0 255.255.0.0 LanInterface
asdm location MACH-FTP-SERVER 255.255.255.255 LanInterface
no asdm history enable
arp timeout 14400
nat-control
global (WanInterface) 101 interface
global (WanInterface) 1 MailPublic netmask 255.0.0.0
global (WanInterface) 10 192.168.13.15 netmask 255.0.0.0
global (LanInterface) 1 interface
global (DmzInterface) 2 interface
nat (LanInterface) 0 access-list LanInterface_nat0_outbound
nat (LanInterface) 101 0.0.0.0 0.0.0.0
nat (DmzInterface) 1 DMZGatewaySMTP 255.255.255.255
nat (DmzInterface) 101 DMZNetwork 255.255.255.0
static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 5900 OfficeLANSigosBox 5900 netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer ssh OfficeLANSigosBox ssh netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 51500 OfficeLANSigosBox 51500 netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 51501 OfficeLANSigosBox 51501 netmask 255.255.255.255
static (LanInterface,WanInterface) udp PublicIP_DMZIcsServer ntp OfficeLANSigosBox ntp netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 123 OfficeLANSigosBox 123 netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer telnet OfficeLANSigosBox telnet netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer ident OfficeLANSigosBox ident netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 51605 OfficeLANSigosBox 51605 netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZIcsServer 51505 OfficeLANSigosBox 51505 netmask 255.255.255.255
static (LanInterface,WanInterface) tcp 217.113.76.152 sqlnet OPTIMA sqlnet netmask 255.255.255.255
static (LanInterface,WanInterface) tcp 217.113.76.152 ftp OPTIMA ftp netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZFtpServer ssh OTA_SERVER ssh netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZFtpServer 8443 OTA_SERVER 8443 netmask 255.255.255.255
static (LanInterface,WanInterface) tcp PublicIP_DMZFtpServer 8080 OTA_SERVER 8080 netmask 255.255.255.255
static (LanInterface,WanInterface) tcp MailPublic www OfficeLANExFrontEndServer www netmask 255.255.255.255
static (LanInterface,WanInterface) tcp MailPublic https OfficeLANExFrontEndServer https netmask 255.255.255.255
static (LanInterface,WanInterface) tcp Public_Astellia_136 ftp ASTELLIA_TA115 ftp netmask 255.255.255.255
static (LanInterface,WanInterface) tcp Public_Astellia_136 www ASTELLIA_TA115 www netmask 255.255.255.255
static (LanInterface,WanInterface) tcp Public_Astellia_137 www ASTELLIA_TA116 www netmask 255.255.255.255
static (LanInterface,WanInterface) tcp Public_Astellia_137 ftp ASTELLIA_TA116 ftp netmask 255.255.255.255
static (LanInterface,WanInterface) tcp Public_Astellia_138 www ASTELLIA_TA117 www netmask 255.255.255.255
static (LanInterface,WanInterface) tcp Public_Astellia_138 ftp ASTELLIA_TA117 ftp netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp MailPublic smtp DMZGatewaySMTP smtp netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp-data DMZFtpServer ftp-data netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp DMZFtpServer ftp netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp PublicIP_DMZIcsServer https DMZIcsServer https netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp PublicIP_DMZIcsServer www DMZIcsServer www netmask 255.255.255.255
access-group WanInterface_access_in in interface WanInterface
access-group LanInterface_access_in in interface LanInterface per-user-override
access-group DmzInterface_access_in in interface DmzInterface
route WanInterface 0.0.0.0 0.0.0.0 ROUTER_ISP 1
route LanInterface OfficeLANWifi 255.255.255.0 10.3.4.1 1
route LanInterface MPBN_NETWORK 255.255.0.0 10.3.4.93 1
route LanInterface 192.168.1.0 255.255.255.0 10.3.4.93 1
route LanInterface 192.168.3.0 255.255.255.0 10.3.4.1 1
route LanInterface Vlan8 255.255.255.0 10.3.4.1 1
route LanInterface Vlan11 255.255.255.0 10.3.4.1 1
route LanInterface Vlan12 255.255.255.0 10.3.4.1 1
route LanInterface Vlan13 255.255.255.0 10.3.4.1 1
route LanInterface Vlan14 255.255.255.0 10.3.4.1 1
route LanInterface DV_Network 255.255.255.0 10.3.4.1 1
route LanInterface PK8_Network 255.255.255.0 10.3.7.100 1
route LanInterface 192.168.140.0 255.255.255.0 10.3.4.1 1
route LanInterface 192.168.150.0 255.255.255.0 10.3.4.1 1
route WanInterface 192.168.158.103 255.255.255.255 ROUTER_ISP 1
route LanInterface Vlan160 255.255.255.0 10.3.4.1 1
route LanInterface Oloumi_Network 255.255.255.0 10.3.4.1 1
route LanInterface Call_Center_Network 255.255.255.0 10.3.7.100 1
route LanInterface Vlan180 255.255.255.0 10.3.4.1 1
route LanInterface 192.168.181.0 255.255.255.0 10.3.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN-RADIUS protocol radius
aaa-server VPN-RADIUS (LanInterface) host SECURITYSERVER
key cisco
aaa-server VPN-RADIUS (LanInterface) host Network_Server
key cisco
aaa authentication telnet console VPN-RADIUS LOCAL
aaa authentication http console VPN-RADIUS LOCAL
aaa authentication ssh console VPN-RADIUS LOCAL
aaa authorization command LOCAL
http server enable
http Vlan10 255.255.252.0 LanInterface
http 192.168.1.0 255.255.255.0 management
http Vlan13 255.255.255.0 LanInterface
http Vlan14 255.255.255.0 LanInterface
snmp-server host LanInterface Roland_laptop community TexasAdmin version 2c udp-port 161
snmp-server host LanInterface SECURITYSERVER community TexasAdmin version 2c
snmp-server host LanInterface 10.3.6.27 community TexasAdmin
snmp-server location HQ
snmp-server contact IT Network
snmp-server community TexasAdmin
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
svc rekey time 30
svc rekey method ssl
svc ask none default webvpn
customization value DfltCustomization
group-policy phone-policy internal
group-policy phone-policy attributes
vpn-tunnel-protocol svc
group-policy AirtelPolicy internal
group-policy AirtelPolicy attributes
banner value WELCOME TO AIRTEL GABON VPN ACCESS
dns-server value 10.3.4.16 10.3.4.15
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Roland
class-map netflow-export-class
match access-list netflow-export
class-map global-class
match access-list global_mpc_1
class-map tcp-traffic
match access-list tcp-traffic
class-map inspection_default
match default-inspection-traffic
class-map voice
match dscp ef
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class tcp-traffic
set connection advanced-options allow-probes
class global-class
csc fail-open
class netflow-export-class
flow-export event-type all destination SECURITYSERVER
!
service-policy global_policy global
imap4s
server OfficeLANExBackEndServer
no outstanding
authorization-server-group LOCAL
default-group-policy DfltGrpPolicy
authentication piggyback
pop3s
server OfficeLANExBackEndServer
no outstanding
authorization-server-group LOCAL
default-group-policy DfltGrpPolicy
authentication piggyback
smtps
server OfficeLANExBackEndServer
no outstanding
default-group-policy DfltGrpPolicy
authentication piggyback
authorization-dn-attributes C CN
prompt hostname context
07-13-2011 06:30 AM
Dear Varun
When I tried an FTP connection, I got these messages:
DMZFtpServer|21|Roland_laptop|1487|Teardown TCP connection 121446 for DmzInterface:DMZFtpServer/21 to LanInterface:Roland_laptop/1487 duration 0:00:00 bytes 0 TCP Reset-O
Roland_laptop|1487|DMZFtpServer|21|Built outbound TCP connection 121446 for DmzInterface:DMZFtpServer/21 (DMZFtpServer/21) to LanInterface:Roland_laptop/1487 (Roland_laptop/1487)
DMZFtpServer|21|Roland_laptop|1487|Teardown TCP connection 121441 for DmzInterface:DMZFtpServer/21 to LanInterface:Roland_laptop/1487 duration 0:00:00 bytes 0 TCP Reset-O
Roland_laptop|1487|DMZFtpServer|21|Built outbound TCP connection 121441 for DmzInterface:DMZFtpServer/21 (DMZFtpServer/21) to LanInterface:Roland_laptop/1487 (Roland_laptop/1487)
DMZFtpServer|21|Roland_laptop|1487|Teardown TCP connection 121438 for DmzInterface:DMZFtpServer/21 to LanInterface:Roland_laptop/1487 duration 0:00:00 bytes 0 TCP Reset-O
Roland_laptop|1487|DMZFtpServer|21|Built outbound TCP connection 121438 for DmzInterface:DMZFtpServer/21 (DMZFtpServer/21) to LanInterface:Roland_laptop/1487 (Roland_laptop/1487)
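The Built/Teardown pairs above are the ASA's 302013/302014 connection records. The following is an added example, not code from the thread or from Cisco: it pairs each Teardown with its Built record by connection id and flags sessions that were reset before a single byte crossed the firewall. The input is constructed from the three pairs Zain pasted (forum prefix removed) plus one made-up healthy session for contrast. Field meanings assumed from the 302014 documentation: "TCP Reset-O" is a reset received from the outside (lower-security) host, "TCP Reset-I" from the inside host.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: Zain's three Built/Teardown pairs with the
# "src|sport|dst|dport|" prefix added by the forum export stripped off, plus one
# constructed healthy session (id 121450) that closed normally with payload.
SAMPLE_LOG = """\
Built outbound TCP connection 121438 for DmzInterface:DMZFtpServer/21 (DMZFtpServer/21) to LanInterface:Roland_laptop/1487 (Roland_laptop/1487)
Teardown TCP connection 121438 for DmzInterface:DMZFtpServer/21 to LanInterface:Roland_laptop/1487 duration 0:00:00 bytes 0 TCP Reset-O
Built outbound TCP connection 121441 for DmzInterface:DMZFtpServer/21 (DMZFtpServer/21) to LanInterface:Roland_laptop/1487 (Roland_laptop/1487)
Teardown TCP connection 121441 for DmzInterface:DMZFtpServer/21 to LanInterface:Roland_laptop/1487 duration 0:00:00 bytes 0 TCP Reset-O
Built outbound TCP connection 121446 for DmzInterface:DMZFtpServer/21 (DMZFtpServer/21) to LanInterface:Roland_laptop/1487 (Roland_laptop/1487)
Teardown TCP connection 121446 for DmzInterface:DMZFtpServer/21 to LanInterface:Roland_laptop/1487 duration 0:00:00 bytes 0 TCP Reset-O
Built outbound TCP connection 121450 for DmzInterface:DMZFtpServer/21 (DMZFtpServer/21) to LanInterface:Roland_laptop/1490 (Roland_laptop/1490)
Teardown TCP connection 121450 for DmzInterface:DMZFtpServer/21 to LanInterface:Roland_laptop/1490 duration 0:00:12 bytes 1843 TCP FINs
"""

# One "interface:host/port" endpoint; {p} is a prefix for the named groups.
ENDPOINT = r"(?P<{p}if>[^:\s]+):(?P<{p}host>[^/\s]+)/(?P<{p}port>\d+)"
# 302013: Built {inbound|outbound} TCP connection <id> for A (mapped) to B (mapped)
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<id>\d+) for "
    + ENDPOINT.format(p="a_") + r" \([^)]*\) to " + ENDPOINT.format(p="b_") + r" \([^)]*\)"
)
# 302014: Teardown TCP connection <id> for A to B duration h:mm:ss bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for " + ENDPOINT.format(p="a_")
    + r" to " + ENDPOINT.format(p="b_")
    + r" duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def parse_connections(log_text: str) -> Dict[str, dict]:
    """Pair each Teardown with its Built record by ASA connection id."""
    conns: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            conns[m["id"]] = {
                "direction": m["direction"],
                # side_a is the endpoint the ASA lists first; in this outbound
                # attempt that is the DMZ server, side_b the LAN client.
                "side_a": (m["a_if"], m["a_host"], int(m["a_port"])),
                "side_b": (m["b_if"], m["b_host"], int(m["b_port"])),
                "duration": None, "bytes": None, "reason": None,
            }
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            c = conns.setdefault(m["id"], {"direction": None, "side_a": None, "side_b": None})
            c.update(duration=m["duration"], bytes=int(m["bytes"]), reason=m["reason"])
    return conns


def reset_origin(reason: Optional[str]) -> Optional[str]:
    """Map a 302014 reason to the host that sent the RST; None if not a reset."""
    if reason == "TCP Reset-O":
        return "outside"   # lower-security side, here the DMZ FTP server
    if reason == "TCP Reset-I":
        return "inside"
    return None


def failed_handshakes(conns: Dict[str, dict]) -> List[str]:
    """Connection ids reset with zero payload bytes: the firewall built the flow
    (an ACL denial would be logged as 106023/106100 and never reach Built), so
    the refusal came from an endpoint, not from the ASA's policy."""
    return sorted(cid for cid, c in conns.items()
                  if reset_origin(c.get("reason")) is not None and c.get("bytes") == 0)


def report(conns: Dict[str, dict]) -> List[str]:
    """One human-readable line per failed handshake, client -> server."""
    lines = []
    for cid in failed_handshakes(conns):
        c = conns[cid]
        a_if, a_host, a_port = c["side_a"]
        b_if, b_host, b_port = c["side_b"]
        lines.append(f"conn {cid}: {b_if}:{b_host}/{b_port} -> {a_if}:{a_host}/{a_port} "
                     f"reset by {reset_origin(c['reason'])}")
    return lines


if __name__ == "__main__":
    for line in report(parse_connections(SAMPLE_LOG)):
        print(line)
```

Run against a real syslog export, the script separates "the ASA never let it through" (no Built record at all) from "the ASA built the flow and an endpoint tore it down", which is the distinction this thread turns on.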
07-13-2011 06:41 AM
Hi Zain,
I'll have a look at it, please give me some time.
Thanks,
Varun
07-13-2011 11:31 AM
Hi Zain,
I have gone through the error messages and you are trying to access the FTP server on the DmzInterface from a laptop on the LanInterface, but you do not have any static command for it; the only command that you have is for the DMZ to WAN interface:
static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp-data DMZFtpServer ftp-data netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp DMZFtpServer ftp netmask 255.255.255.255
You do not have any statement for the DMZ to LAN interface; was it working fine earlier?
I would suggest you add the following NATs:
static (DmzInterface,LanInterface) tcp PublicIP_DMZFtpServer ftp-data DMZFtpServer ftp-data netmask 255.255.255.255
static (DmzInterface,LanInterface) tcp PublicIP_DMZFtpServer ftp DMZFtpServer ftp netmask 255.255.255.255
Try it and let me know.
Thanks,
Varun
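Varun's diagnosis rests on which (real, mapped) interface pairs carry a static translation for DMZFtpServer. The following is an added example, not code from the thread or from Cisco: a small audit of pre-8.3 `static (real,mapped) ...` lines that indexes translations by real host and answers that question for any interface pair. The sample input is the five DMZ statics from Zain's posted config and the two lines Varun suggests; the two accepted syntaxes (per-port tcp/udp static and whole-host static) are assumed from the ASA 8.2 command form seen in the config.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# From Zain's running-config (the DmzInterface statics as posted).
CONFIG_STATICS = """\
static (DmzInterface,WanInterface) tcp MailPublic smtp DMZGatewaySMTP smtp netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp-data DMZFtpServer ftp-data netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp PublicIP_DMZFtpServer ftp DMZFtpServer ftp netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp PublicIP_DMZIcsServer https DMZIcsServer https netmask 255.255.255.255
static (DmzInterface,WanInterface) tcp PublicIP_DMZIcsServer www DMZIcsServer www netmask 255.255.255.255
"""
# The two lines Varun suggests adding.
SUGGESTED_STATICS = """\
static (DmzInterface,LanInterface) tcp PublicIP_DMZFtpServer ftp-data DMZFtpServer ftp-data netmask 255.255.255.255
static (DmzInterface,LanInterface) tcp PublicIP_DMZFtpServer ftp DMZFtpServer ftp netmask 255.255.255.255
"""


class StaticXlate(NamedTuple):
    real_if: str
    mapped_if: str
    proto: str                  # "tcp", "udp", or "ip" for a whole-host static
    real_ip: str
    real_port: Optional[str]
    mapped_ip: str
    mapped_port: Optional[str]
    netmask: Optional[str]


def parse_static(line: str) -> Optional[StaticXlate]:
    """Parse one pre-8.3 static line; return None for any other config line."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "static":
        return None
    m = re.fullmatch(r"\(([^,]+),([^)]+)\)", tokens[1])
    if not m:
        return None
    real_if, mapped_if = m.groups()
    rest = tokens[2:]
    if rest[0] in ("tcp", "udp"):
        # static (real,mapped) tcp|udp mapped_ip mapped_port real_ip real_port netmask ...
        if len(rest) < 5:
            return None
        proto, mapped_ip, mapped_port, real_ip, real_port = rest[:5]
        rest = rest[5:]
    else:
        # static (real,mapped) mapped_ip real_ip netmask ...  (whole-host static)
        if len(rest) < 2:
            return None
        proto, mapped_port, real_port = "ip", None, None
        mapped_ip, real_ip = rest[:2]
        rest = rest[2:]
    netmask = rest[rest.index("netmask") + 1] if "netmask" in rest[:-1] else None
    return StaticXlate(real_if, mapped_if, proto, real_ip, real_port, mapped_ip, mapped_port, netmask)


def index_statics(config_text: str) -> Dict[str, List[StaticXlate]]:
    """Index every static by the real (pre-translation) host it covers."""
    idx: Dict[str, List[StaticXlate]] = defaultdict(list)
    for line in config_text.splitlines():
        s = parse_static(line.strip())
        if s:
            idx[s.real_ip].append(s)
    return idx


def has_static(idx: Dict[str, List[StaticXlate]], real_host: str, real_if: str,
               mapped_if: str, proto: str = "tcp", port: Optional[str] = None) -> bool:
    """True if real_host has a static on the (real_if, mapped_if) pair for
    proto/port; a whole-host static covers every protocol and port."""
    for s in idx.get(real_host, []):
        if (s.real_if, s.mapped_if) != (real_if, mapped_if):
            continue
        if s.proto == "ip" or (s.proto == proto and (port is None or s.real_port == port)):
            return True
    return False


def mapped_interfaces(idx: Dict[str, List[StaticXlate]], real_host: str) -> List[str]:
    """Interfaces on which real_host is reachable through some static."""
    return sorted({s.mapped_if for s in idx.get(real_host, [])})


if __name__ == "__main__":
    before = index_statics(CONFIG_STATICS)
    after = index_statics(CONFIG_STATICS + SUGGESTED_STATICS)
    print("DMZFtpServer mapped on:", mapped_interfaces(before, "DMZFtpServer"))
    print("DMZ->LAN ftp static present before:",
          has_static(before, "DMZFtpServer", "DmzInterface", "LanInterface", "tcp", "ftp"))
    print("DMZ->LAN ftp static present after: ",
          has_static(after, "DMZFtpServer", "DmzInterface", "LanInterface", "tcp", "ftp"))
```

Pointing `index_statics` at a full `show running-config` makes the same check repeatable for every published host, which is how a reviewer would confirm the gap Varun spotted by eye.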
07-14-2011 12:22 AM
Thanks Varun,
It's working fine now.
But before performing your suggestion, I put the ASA in factory default and then put the backup config back again.
Suddenly, it's working fine.
Thanks a lot for your time.
07-14-2011 12:28 AM
You're welcome, Zain!!!!!!!
Varun