02-27-2011 04:53 PM - edited 03-11-2019 12:57 PM
I am trying to configure our ASA 5505 so that our users can access our ftp site using http://www.fileshare.3eos.com while inside the firewall. Our ftp site is setup so that you can reach it by either browsing to the above url or by browsing to ftp://99.23.119.78 but we are unable to access our ftp site from either route while inside the firewall. We can access our ftp site using the internal ip address of 192.168.1.3.
Here is our current confguration:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ATT
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list ATT_access_in extended permit tcp any interface ATT eq www
access-list 100 extended permit tcp any interface ATT eq ftp
access-list 100 extended permit tcp any interface ATT eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
access-list extended extended permit tcp any host 192.168.1.3 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu ATT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ATT) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255
static (inside,ATT) tcp 99.23.119.73 www 192.168.1.3 www netmask 255.255.255.255
access-group ATT_access_in in interface ATT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 ATT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 ATT
ssh timeout 5
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn username eossolutions@static.att.net password ********* store-local
dhcpd auto_config ATT
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7853eba819b95acc0d48be15849ff3e2
: end
02-27-2011 05:12 PM
From inside, you will only be able to reach it by its private ip address (192.168.1.3) if you use ip address to access the FTP server.
If you use name to access the FTP server, assuming that DNS is hosted on the outside, and the DNS request for "www.fileshare.3eos.com" passes through the ASA firewall, then you can configure "DNS Doctoring" which will modify the DNS reply from the server public ip address to its private ip address as from the inside, it's only accesible via its private ip.
And in that case, you will have to add the "dns" keyword on your existing static PAT statement:
static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255 dns
Once you add the "dns" keyword to the above statement, you will have to flush the DNS cache on your PC, and try to access www.fileshare.3eos.com, or do an "nslookup" from an inside PC, and you should see that it resolves to its internal ip address.
The above is true if the DNS entry for www.fileshare.3eos.com is hosted on the outside of the ASA, and the DNS query/reply passes through the ASA.
02-27-2011 05:19 PM
Thanks... that makes sense. The DNS for this is hosted outside of the ASA. I will try it tomorrow morning and let you know. I appreciate your quick response!
02-28-2011 05:54 AM
This is the result of running that command:
Result of the command: "static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255 dns"
ERROR: mapped-address conflict with existing static
TCP inside:192.168.1.3/9000 to ATT:99.23.119.78/80 netmask 255.255.255.255
Any ideas?
Thanks for the help!
02-28-2011 09:17 AM
I am still unable to reach our FTP server while inside the firewall using http://www.fileshare.3eos.com. Externally it works great. I can ping that web address from internal and I receive a request timeout from the correct external ip address (99.23.119.78)... so I know it's being resolved properly.
Here is my current config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ATT
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
access-list ATT_access_in remark Linkstation Access
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in remark Linkstation FTP
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in remark Linkstation FTP-Data
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list ATT_access_in remark Linkstation FTP HTTP Customer
access-list ATT_access_in extended permit tcp any interface ATT eq www
access-list ATT_access_in remark Linkstation Remote Admin
access-list ATT_access_in extended permit tcp any host 99.23.119.73 eq www
access-list ATT_access_in remark RealVNC
access-list ATT_access_in extended permit tcp any interface ATT eq 5510
access-list ATT_access_in extended permit tcp any host 99.23.119.78 eq 29000
access-list ATT_access_in extended permit tcp any host 99.23.119.78 eq 39000
access-list ATT_access_in extended permit tcp any host 192.168.1.4 eq 5510
access-list 100 extended permit tcp any interface ATT eq ftp
access-list 100 extended permit tcp any interface ATT eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list 100 extended permit tcp any host 99.23.119.73 eq 5510
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
access-list extended extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 99.23.119.73 eq 5900
access-list extended extended permit tcp any host 99.23.119.73 eq 5510
access-list extended extended permit tcp any host 99.23.119.73 eq 5511
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu ATT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ATT) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ATT) tcp 99.23.119.73 www 192.168.1.3 www netmask 255.255.255.255
static (inside,ATT) tcp interface 29000 192.168.1.4 29000 netmask 255.255.255.255
static (inside,ATT) tcp interface 39000 192.168.1.4 39000 netmask 255.255.255.255
static (inside,ATT) tcp interface 5510 192.168.1.4 5510 netmask 255.255.255.255
static (inside,ATT) tcp interface 5511 192.168.1.4 5511 netmask 255.255.255.255
static (inside,ATT) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255
static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255 dns
access-group ATT_access_in in interface ATT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 ATT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 ATT
ssh timeout 5
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn username eossolutions@static.att.net password ********* store-local
dhcpd auto_config ATT
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bd6ede5c5400c2d1472282d3834f49f1
: end
02-28-2011 09:52 AM
Hi Jill/Jenn,
This question is for Jenn , is dns rewrite even compatible with static PAT ? I am asking you this because of :-
Translates the DNS record based on the configuration completed using the static and nat commands (DNS rewrite). Translation only applies to the A-record in the DNS reply. Therefore, reverse lookups, which request the PTR record, are not affected by DNS rewrite.
Note: DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.
Manish
03-01-2011 12:48 AM
Spot on, Manish. You are totally right!!! Static PAT does not work with DNS doctoring as the public ip address can be translated to multiple internal address with different ports.
The only option you have then Jill is to use the private ip address to connect instead of the name when you are connecting from the inside as your current setup does not allow DNS doctoring.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide