Re: FTP and HTTP access using PPPoE on ASA 5505

jill.kane · ‎02-24-2011

I am having an issue trying to configure my ASA 5505. It is setup using PPPoE. What I want to do is this:

I have one of my IP addresses (99.23.119.78) setup for ftp using the ftp protocol to our internal IP address 192.168.1.3. What I need is to also allow for HTTP access but not just that, I need it to forward the http port to port 9000 because the web interface requires port 9000 for customer access. Previously on our old firewall customers were able to access the web interface by browsing to http://www.fileshare.3eos.com:9000. I would like to not have to not require the port in the URL.

In addition, I would like to be able to setup a different IP address in our range (99.23.119.73) to be setup for http access using the standard port 80 for the same internal IP address (192.168.1.3). This URL will allow us to access the administration web interface for the FTP server.

Can anyone help me?

Here is my current config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ATT
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list 100 extended permit tcp any interface ATT eq ftp
access-list 100 extended permit tcp any interface ATT eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu ATT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ATT) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ATT) interface 192.168.1.3 netmask 255.255.255.255
access-group ATT_access_in in interface ATT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 ATT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn username eossolutions@static.att.net password ********* store-local
dhcpd auto_config ATT
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8cb524a17e7417a6d17d6f1fa28be90b
: end

Federico Coto Fajardo · ‎02-24-2011

Hi,

I think this is what you need:

For FTP and HTTP:

static (in,out) tcp 99.23.119.78 ftp 192.168.1.3 ftp

static (in,out) tcp 99.23.119.78 http 192.168.1.3 9000

Or if the public IP is the actual interface IP of the ASA:

static (in,out) tcp interface ftp 192.168.1.3 ftp

static (in,out) tcp interface http 192.168.1.3 9000

For web traffic:

static (in,out) tcp 99.23.119.73 http 192.168.1.3 http

You should allow the ports on the ACL that is applied to the outside interface.

Hope it helps.

Federico.

jill.kane · ‎02-24-2011

I ran the command static (inside,ATT) tcp interface http 192.168.1.3 9000 and I am still unable to get to the web interface http://99.23.119.78.

Any other ideas?

Here's my udated config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ATT
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list ATT_access_in extended permit tcp any interface ATT eq www
access-list 100 extended permit tcp any interface ATT eq ftp
access-list 100 extended permit tcp any interface ATT eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
access-list extended extended permit tcp any host 192.168.1.3 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu ATT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ATT) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255
static (inside,ATT) tcp 99.23.119.73 www 192.168.1.3 www netmask 255.255.255.255
access-group ATT_access_in in interface ATT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 ATT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 ATT
ssh timeout 5
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn username eossolutions@static.att.net password ********* store-local
dhcpd auto_config ATT
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7853eba819b95acc0d48be15849ff3e2
: end

jill.kane · ‎02-24-2011

Well apparently it is working, I just can not access it inside the network with the external ip address. I can access it only with the local ip address.

How do I get it so that I can access the http and ftp via the public ip address from within the network? I should be able to use http://99.23.119.78 while connected behind our firewall and reach the server. What do I need to do?

You help is greatly appreciated!!!

Federico Coto Fajardo · ‎02-24-2011

Jill,

If you're inside the ASA you need to access the service with the inside IP.

If you're outside you can access the service with the outside IP.

Is the above working correctly?

Federico.