Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1351
Views
5
Helpful
6
Replies

FTP issues - Can't reach ftp site while inside firewall using external url

jill.kane
Level 1
Level 1

‎02-27-2011 04:53 PM - edited ‎03-11-2019 12:57 PM

I am trying to configure our ASA 5505 so that our users can access our ftp site using http://www.fileshare.3eos.com while inside the firewall. Our ftp site is setup so that you can reach it by either browsing to the above url or by browsing to ftp://99.23.119.78 but we are unable to access our ftp site from either route while inside the firewall. We can access our ftp site using the internal ip address of 192.168.1.3.

Here is our current confguration:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ATT
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list ATT_access_in extended permit tcp any interface ATT eq www
access-list 100 extended permit tcp any interface ATT eq ftp
access-list 100 extended permit tcp any interface ATT eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
access-list extended extended permit tcp any host 192.168.1.3 eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu ATT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ATT) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255
static (inside,ATT) tcp 99.23.119.73 www 192.168.1.3 www netmask 255.255.255.255
access-group ATT_access_in in interface ATT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 ATT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 ATT
ssh timeout 5
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn username eossolutions@static.att.net password ********* store-local
dhcpd auto_config ATT
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7853eba819b95acc0d48be15849ff3e2
: end

Labels:
0 Helpful
6 Replies 6

Jennifer Halim
Cisco Employee
Cisco Employee

‎02-27-2011 05:12 PM

From inside, you will only be able to reach it by its private ip address (192.168.1.3) if you use ip address to access the FTP server.

If you use name to access the FTP server, assuming that DNS is hosted on the outside, and the DNS request for "www.fileshare.3eos.com" passes through the ASA firewall, then you can configure "DNS Doctoring" which will modify the DNS reply from the server public ip address to its private ip address as from the inside, it's only accesible via its private ip.

And in that case, you will have to add the "dns" keyword on your existing static PAT statement:

static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255 dns

Once you add the "dns" keyword to the above statement, you will have to flush the DNS cache on your PC, and try to access www.fileshare.3eos.com, or do an "nslookup" from an inside PC, and you should see that it resolves to its internal ip address.

The above is true if the DNS entry for www.fileshare.3eos.com is hosted on the outside of the ASA, and the DNS query/reply passes through the ASA.

0 Helpful

jill.kane
Level 1
Level 1
In response to Jennifer Halim

‎02-27-2011 05:19 PM

Thanks... that makes sense. The DNS for this is hosted outside of the ASA. I will try it tomorrow morning and let you know. I appreciate your quick response!

0 Helpful

jill.kane
Level 1
Level 1
In response to Jennifer Halim

‎02-28-2011 05:54 AM

This is the result of running that command:

Result of the command: "static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255 dns"

ERROR: mapped-address conflict with existing static
  TCP inside:192.168.1.3/9000 to ATT:99.23.119.78/80 netmask 255.255.255.255

Any ideas?

Thanks for the help!

0 Helpful

jill.kane
Level 1
Level 1
In response to Jennifer Halim

‎02-28-2011 09:17 AM

I am still unable to reach our FTP server while inside the firewall using http://www.fileshare.3eos.com. Externally it works great. I can ping that web address from internal and I receive a request timeout from the correct external ip address (99.23.119.78)... so I know it's being resolved properly.

Here is my current config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif ATT
security-level 0
pppoe client vpdn group ATT
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
access-list ATT_access_in remark Linkstation Access
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in remark Linkstation FTP
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in remark Linkstation FTP-Data
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list ATT_access_in remark Linkstation FTP HTTP Customer
access-list ATT_access_in extended permit tcp any interface ATT eq www
access-list ATT_access_in remark Linkstation Remote Admin
access-list ATT_access_in extended permit tcp any host 99.23.119.73 eq www
access-list ATT_access_in remark RealVNC
access-list ATT_access_in extended permit tcp any interface ATT eq 5510
access-list ATT_access_in extended permit tcp any host 99.23.119.78 eq 29000
access-list ATT_access_in extended permit tcp any host 99.23.119.78 eq 39000
access-list ATT_access_in extended permit tcp any host 192.168.1.4 eq 5510
access-list 100 extended permit tcp any interface ATT eq ftp
access-list 100 extended permit tcp any interface ATT eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp
access-list 100 extended permit tcp any host 192.168.1.3 eq ftp-data
access-list 100 extended permit tcp any host 192.168.1.3 eq www
access-list 100 extended permit tcp any host 99.23.119.73 eq 5510
access-list extended extended permit tcp any host 192.168.1.3 eq ftp
access-list extended extended permit tcp any host 192.168.1.3 eq ftp-data
access-list extended extended permit tcp any host 192.168.1.3 eq www
access-list extended extended permit tcp any host 99.23.119.73 eq 5900
access-list extended extended permit tcp any host 99.23.119.73 eq 5510
access-list extended extended permit tcp any host 99.23.119.73 eq 5511
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu ATT 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (ATT) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ATT) tcp 99.23.119.73 www 192.168.1.3 www netmask 255.255.255.255
static (inside,ATT) tcp interface 29000 192.168.1.4 29000 netmask 255.255.255.255
static (inside,ATT) tcp interface 39000 192.168.1.4 39000 netmask 255.255.255.255
static (inside,ATT) tcp interface 5510 192.168.1.4 5510 netmask 255.255.255.255
static (inside,ATT) tcp interface 5511 192.168.1.4 5511 netmask 255.255.255.255
static (inside,ATT) tcp interface 3389 192.168.1.4 3389 netmask 255.255.255.255
static (inside,ATT) tcp interface www 192.168.1.3 9000 netmask 255.255.255.255  dns
access-group ATT_access_in in interface ATT
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 ATT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 ATT
ssh timeout 5
console timeout 0
vpdn group ATT request dialout pppoe
vpdn group ATT localname eossolutions@static.att.net
vpdn group ATT ppp authentication pap
vpdn username eossolutions@static.att.net password ********* store-local
dhcpd auto_config ATT
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bd6ede5c5400c2d1472282d3834f49f1
: end

0 Helpful

manish arora
Level 6
Level 6
In response to jill.kane

‎02-28-2011 09:52 AM

Hi Jill/Jenn,

This question is for Jenn , is dns rewrite even compatible with static PAT ? I am asking you this because of :-

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#intro

  • Translates the DNS record based on the configuration completed using the static and nat commands (DNS rewrite). Translation only applies to the A-record in the  DNS reply. Therefore, reverse lookups, which request the PTR record,  are not affected by DNS rewrite.

    Note: DNS rewrite is not compatible with static Port Address  Translation (PAT) because multiple PAT rules are applicable for each  A-record, and the PAT rule to use is ambiguous.

    Manish

    Jennifer Halim
    Cisco Employee
    Cisco Employee
    In response to manish arora

    ‎03-01-2011 12:48 AM

    Spot on, Manish. You are totally right!!! Static PAT does not work with DNS doctoring as the public ip address can be translated to multiple internal address with different ports.

    The only option you have then Jill is to use the private ip address to connect instead of the name when you are connecting from the inside as your current setup does not allow DNS doctoring.

    0 Helpful
    Customers Also Viewed These Support Documents
    Review Cisco Networking products for a $25 gift card