02-11-2011 07:26 AM - edited 03-11-2019 12:49 PM
I am trying to NAT my FTP to the outside. I can't get to that IP. Am I missing something? I have FTP allowed in access rules.
For NAT
static NAT
inside - to the internal IP
Outside - external IP
I can ping the server from firewall internally. What else can I do to test?
02-16-2011 07:34 PM
I don't think the problem is with the inspect. The FTP FEAT command is entered successfully but the responses are not. You can check the show service-policy and check if the inspect ftp has drops:
ASA-1# sh service-policy
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 672, drop 0, reset-drop 0
02-11-2011 08:17 AM
are you trying a static NAT for your FTP server?
For example:
FTP 192.168.1.10
NATed IP 66.12.66.10
stat (inside,outside) 66.12.66.10 192.168.1.10
Is that what you are trying?
02-11-2011 08:44 AM
yes, do I have all the info correct?
02-11-2011 08:52 AM
if you have a similar static NAT it seems correct. Are there any ACLs on the inside interface that could prevent the traffic from going out. Is the NATed IP on your range of outside IPs?
If you can send the config it would be great.
02-11-2011 10:11 AM
sent via private message....
02-11-2011 11:32 AM
thanks for the config. If you are trying to allow FTP traffic from the outside to the inside it won't work since you are denying the traffic in the first two lines of your access-l outside_access_in.
Is this the test that you are trying? FTP to the SGA_Website_NAT address coming from the outside?
02-11-2011 12:39 PM
Hey Paul,
The Deny is on purpose; until I can get it to work I have it on deny. Yes the NAT is SGA_Website_NAT. It is called website because we got rid of that and I changed the NAT for our FTP server now. I can get to the website internally, but not externally, when I try the NAT IP address on the outside...
02-11-2011 12:44 PM
do you see hitcounts on the ACL after the testing? If there are not hitcounts that means that the traffic is not getting to your ASA.
02-11-2011 01:22 PM
It is weird because I do see hit counts, but can't get to the address.
02-11-2011 01:29 PM
Your FTP server has a default gateway? It should be your ASA 10.1.101.1. Make sure the FTP service is up.
02-14-2011 08:48 AM
I can get to the FTP internally, I can ping the FTP from the ASA. I can't get the external IP to hit the internal via the internet. This one is bugging me. I run a packet trace from the External IP to the ASA and the packet succeeds. The Gateway of the FTP is the ASA IP. The services are running because I can get the FTP site in the DMZ zone. Any other ideas?
02-14-2011 08:54 AM
do you have any other filtering device such as an IPS?
We could set some captures on the ASA inside interface to see if the packet returns to the ASA and how it returns.
02-14-2011 09:07 AM
I am getting a failure when packet tracing from ASA to the FTP server on inside interface. Do I need to allow this internally... Any Less secure networks are allowed IP...
02-14-2011 12:59 PM
if the traffic is coming from outside to inside you just need the ACLs on the outside. Also make sure you have the inspect ftp on your policy map
02-15-2011 07:21 AM
Inspect FTP on Policy Map?
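For anyone landing on this thread later, here is the full set of pieces the replies above point at, in one place: the static NAT, the inbound ACL on the outside interface, the inspect ftp line in the global policy map, and the commands used to verify each one. This is an added example, not configuration posted by anyone in the thread; it uses the sample addresses from the earlier reply (server 192.168.1.10, mapped IP 66.12.66.10) and the pre-8.3 "static (inside,outside)" syntax that reply uses, and 203.0.113.5 is a placeholder test source.

```text
! Added example, not from the thread. ASA pre-8.3 NAT syntax.
! Real FTP server: 192.168.1.10   Mapped public IP: 66.12.66.10

! 1. One-to-one static NAT for the FTP server.
!    The mapped IP must be in the outside subnet (or routed to the ASA)
!    so the ASA can proxy-ARP for it.
static (inside,outside) 66.12.66.10 192.168.1.10 netmask 255.255.255.255

! 2. Inbound ACL applied to the outside interface.
!    Pre-8.3 ACLs match the MAPPED address, not the real one.
!    Only the control port (21) is permitted; the data connection is
!    opened dynamically by FTP inspection, so no wide port range is needed.
access-list outside_access_in extended permit tcp any host 66.12.66.10 eq ftp
access-group outside_access_in in interface outside

! 3. FTP inspection in the global service policy (the "inspect ftp on the
!    policy map" from the reply above). Without it the ACL lets the login
!    through but directory listings and transfers fail, because the
!    PORT/PASV data channel is never pinholed.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
service-policy global_policy global

! 4. Checks, in the order the thread worked through them.
!    Hit count on the permit line: is the traffic reaching the ASA at all?
show access-list outside_access_in
!    Packet and drop counters for the FTP inspection engine.
show service-policy inspect ftp
!    Simulate an outside client opening the control connection; every
!    phase (ACCESS-LIST, NAT, INSPECT) should report ALLOW.
packet-tracer input outside tcp 203.0.113.5 40000 66.12.66.10 21
```

If packet-tracer allows the flow but a real client still fails, take a capture on the inside interface to confirm the server's replies come back to the ASA with the ASA as their next hop, which is the default-gateway check raised earlier in the thread.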