Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
485
Views
0
Helpful
4
Replies

FTP not working when ACL is applied on outside interface

Go to solution
mahesh18
Level 6
Level 6

‎07-04-2013 07:34 PM - edited ‎03-11-2019 07:07 PM

Hi Everyone,

I am trying to FTP  from the PC  behind the DMZ  interface.

I have config the ACL to allow FTP from outside interface direction is outside.

I can make the FTP work by config of ACL on the DMZ interface but i want to test it so that it can work from my PC behind DMZ interface when i apply ACL on the  outside interface direction is out.

I have attached the asa config.

Need to know if there is any way under current config that FTP can work without applying ACL to DMZ interface?

Labels:
15363578-asa1.txt.zip
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎07-04-2013 10:32 PM

I can't look at your config at the moment (doesn't work on the iPad), but one alternative to an ACL on the DMZ interface could be to use a global ACL.


Sent from Cisco Technical Support iPad App

View solution in original post

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to pankaj29in

‎07-05-2013 01:37 AM 

Apply that acl in incoming direction on outside interface.

no, the ASA is a statefull Firewall with FTP-Inspection. You never need an incoming ACL in the outside interface for outbound FTP when you have a proper config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Karsten Iwen
VIP
VIP

‎07-04-2013 10:32 PM

I can't look at your config at the moment (doesn't work on the iPad), but one alternative to an ACL on the DMZ interface could be to use a global ACL.


Sent from Cisco Technical Support iPad App

0 Helpful

Go to solution
pankaj29in
Level 1
Level 1
In response to Karsten Iwen

‎07-05-2013 01:11 AM

Hi Mahesh,

Apply that acl in incoming direction on outside interface.

Cheers

Pankaj

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to pankaj29in

‎07-05-2013 01:37 AM 

Apply that acl in incoming direction on outside interface.

no, the ASA is a statefull Firewall with FTP-Inspection. You never need an incoming ACL in the outside interface for outbound FTP when you have a proper config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Karsten Iwen

‎07-05-2013 07:47 AM

Hi Karsten,

Your answers are good to read and they  have so much knowledge.

For time being i allowed ftp to any destination from DMZ  but on outbound interface direction out  i have restricted it with

certain IP  which are allowed.

Best regards

Mahesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card