04-16-2006 04:30 AM - edited 02-21-2020 12:50 AM
Dear all,
At one of my client sites, I tried to access an FTP server hosted in the USA from the internal network behind an ASA 5520. Please find below the script of the firewall. The internal FTP client is connected to the inside ISA server, and the ISA server's outside interface is connected to the DMZ segment.
What I need to know is whether there are any access-list entries to be added in the ASA to make the FTP client connect to the server that is outside the ASA.
nat-control
global (outside) 2 interface
global (outside) 1 222.20.20.99
nat (inside) 1 172.16.16.12 255.255.255.255
nat (inside) 1 172.16.16.18 255.255.255.255
nat (inside) 1 172.16.16.200 255.255.255.255
nat (DMZ) 2 192.168.1.18 255.255.255.255
static (inside,outside) 222.20.20.100 172.16.16.18 netmask 255.255.255.255
access-group 111 in interface outside
access-list 111 extended permit tcp any host 222.20.20.100 eq smtp
access-list 111 extended permit tcp any host 222.20.20.100 eq www
access-list 111 extended permit tcp any host 222.20.20.100 eq https
access-list 111 extended permit icmp any any
Note: here the address 192.168.1.18 is the address of the ISA server's outside interface.
04-16-2006 09:18 PM
Hi,
Remember, by default all traffic will traverse from a high security level to a low security level, hence all outbound traffic is fine, but return traffic needs to be allowed.
Hence your FTP initiations will go through from inside, but the replies to finalise the setup of the connection will fail since there is no access-list allowing the replies.
I'm guessing 222.20.20.100 is your external ISA.
I don't get why the inside ISA is going directly outside when you have an ISA in the DMZ. I would have thought that the inside ISA would talk to the outside ISA, hence the extra ISA as security, which would mean you don't PAT anything inside to outside, just inside to DMZ and DMZ to outside.
Anyway,
I would recommend you try adding this:
access-list 111 extended permit tcp any host 222.20.20.100 eq ftp
But this would allow FTP access to the outside ISA only.
If you look, all the ACLs you added are applied only for the external ISA.
So I am not sure if anything on your inside hosts will work fine unless you configure the internal ISA to route to the external ISA, in which case I don't see an access list for the DMZ.
I guess you have your own ideas about the ASA implementation. I recommend you play with the ACL to allow FTP and make sure you have
inspect FTP in your default policy map. Make sure this is there first.
All the best,
Vic
04-16-2006 09:47 PM
Hi. You don't need to allow incoming traffic in response to an outgoing call from a higher interface, as the PIX and ASA keep track of the connection in their stateful table. I agree about the inspect portion (fixup on PIX before version 7.0): it has to define FTP in order for it to work accordingly.
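The FTP inspection that both replies above refer to, as an added example that is not from any post in this thread: the ASA 7.x default global inspection policy with inspect ftp enabled, followed by the show commands a defender would use to confirm the policy is applied and that an inside client's FTP session is being tracked in the stateful connection table. The class-map and policy-map names are the ASA's standard defaults, assumed here rather than taken from the poster's configuration.

```cisco
! Default global inspection policy (standard ASA 7.x names, assumed)
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
!
! Apply the policy to all interfaces
service-policy global_policy global
!
! Verification: confirm FTP inspection is active and counting packets
show service-policy inspect ftp
!
! Verification: the control channel from the inside client (e.g. 172.16.16.12)
! should appear as a tracked TCP connection to the remote server on port 21;
! the inspected data channel is opened dynamically, so no ACL on the outside
! interface is needed for the return traffic
show conn protocol tcp port 21
!
! Verification: the PAT translation for the inside client via global (outside) 1
show xlate
```

If `show service-policy inspect ftp` reports no packets while the client is connecting, the session is not reaching the ASA's inspection engine and the problem lies between the client and the ISA servers rather than in the ASA access lists.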
04-16-2006 09:29 PM
Is there any access-list applied to the DMZ interface?
04-20-2006 08:02 AM
Dear Fernando,
I am sorry for the delay in responding because I had been away on a project.
There is no access-list applied in the DMZ.
FTP access is fine from the ISA server itself but failed from inside the ISA, i.e. inside network access to FTP.
Could you explain once again about the FIXUP command?
Thanks
swamy