cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5544
Views
0
Helpful
20
Replies

FTPserver in DMZ + Dual ISP

RoelBeelen
Level 1
Level 1

Hi Guys,

I'm trying for the last 3 days to get FTP work in my DMZ. In fact the FTPserver itself works, because i can FTP from the inside to the DMZ. But from the Outside to the DMZ i don't get it working.

The situation:

See the network diagram for details.

ASAnetwork.jpg

2x ASA5505 in Active/Standby

5 interfaces: Inside, Outside, Backup and DMZ, Managment

ISP A is tracked, if it goes down automaticly switchover to ISP B.

Two different public IP addresses: ISP A = 1.1.1.x / 29 ISP B = 2.2.2.x / 29. So with each ISP we have about 5 or 6 public IP addresses.

DMZ = 192.168.253.0 /24 DMZ interface = 192.168.253.1 FTT = 192.168.253.2

The problem:

The FTP server in the DMZ is not accessible from the internet. ASDM's Packet Tracer keeps dropping at the NAT rule.

From the DMZ to the outside everything is passing, according to Packet Tracer. Also from the Inside to the DMZ i can ftp.

Another question:

We have two different public IP ranges. Our customers reach the ftp by DNS name: ftp.company.com

How can i achive that the FTPserver is still accessible when our primary ISP fails, and the routing occurs via ISP B (= other public ip range). Something with DNS?

Below is the (sanetized) config (sensitive info is deleted):

ASA Version 7.2(4) 
!
hostname PK1-FW1
domain-name default.domain.invalid
enable password 7eiKHCMaZZwOv/Ls encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Vlan1
 description Connected to internal LAN
 nameif inside
 security-level 100
 ip address 192.168.254.2 255.255.255.0 standby 192.168.254.3 
!
interface Vlan2
 description Connected to primary ISP
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252 
!
interface Vlan3
 description Connected to backup ISP
 nameif backup
 security-level 0
 ip address 2.2.2.2 255.255.255.248 
!
interface Vlan4
 description For management purposes only!
 nameif Management
 security-level 100
 ip address 192.168.4.5 255.255.255.0 standby 192.168.4.6 
 management-only
!
interface Vlan253
 nameif DMZ
 security-level 50
 ip address 192.168.253.1 255.255.255.0 
!
interface Vlan255
 description LAN Failover Interface
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 253
!
interface Ethernet0/4
 switchport access vlan 4
!
interface Ethernet0/5
 switchport access vlan 255
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Department_Vlans
 description Vlans per department
object-group network Allowed_FTP
 description Clients/Departments allowed to use FTP
object-group service Allowed_Protocols tcp
 description group of allowed protocols
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
 group-object Allowed_Protocols
object-group service DM_INLINE_TCP_2 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service Allow_SVN tcp-udp
 port-object eq 888
object-group service TCP_Allow_Filesharing_Inside-DMZ tcp
 port-object eq 135
 port-object eq 445
 port-object eq netbios-ssn
object-group service UDP_Allow_Filesharing_Inside-DMZ udp
 port-object eq netbios-ns
object-group service DM_INLINE_TCP_3 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service Allow_FileSharing_FTP01 tcp-udp
 port-object eq 135
 port-object eq 137
 port-object eq 139
 port-object eq 445
object-group service Allowed_FTP01_Protocols tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
 port-object eq domain
object-group service Allow_FTP tcp
 port-object eq ftp
 port-object eq ftp-data
object-group network DM_INLINE_NETWORK_1
 network-object Servers 255.255.255.0
 network-object ICT 255.255.255.0
access-list backup_access_in extended permit icmp any any echo-reply 
access-list backup_access_in extended permit object-group TCPUDP any interface backup object-group Allow_SVN 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit object-group TCPUDP any interface outside object-group Allow_SVN 
access-list outside_access_in extended permit tcp any host FTP01 object-group DM_INLINE_TCP_3 
access-list inside_access_in extended permit object-group TCPUDP any any eq domain 
access-list inside_access_in extended deny ip Productie-No-Internet 255.255.255.0 any 
access-list inside_access_in extended permit ip object-group Migration_group any 
access-list inside_access_in extended permit tcp Servers 255.255.255.0 any eq smtp 
access-list inside_access_in extended deny tcp Servers 255.255.255.0 any eq smtp 
access-list inside_access_in extended permit ip Servers 255.255.255.0 any 
access-list inside_access_in extended permit tcp object-group Department_Vlans any object-group Allowed_Protocols 
access-list inside_access_in extended permit tcp object-group Allowed_FTP any object-group DM_INLINE_TCP_2 
access-list inside_access_in extended permit tcp any any object-group bittorrent 
access-list 110 extended permit ip Default_Vlan 255.255.0.0 192.168.253.0 255.255.255.0 
access-list DMZ_access_in extended permit ip any any 
access-list DMZ_access_in extended permit icmp any any echo 
access-list DMZ_access_in extended permit tcp any any object-group Allowed_FTP01_Protocols 
access-list DMZ_access_in extended permit object-group TCPUDP host FTP01 object-group DM_INLINE_NETWORK_1 object-group Allow_FileSharing_FTP01 
access-list OUTSIDE_IN extended permit tcp any host FTP01 object-group Allow_FTP 
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list OUTSIDE_IN extended permit object-group TCPUDP any interface outside object-group Allow_SVN 
pager lines 24
logging enable
logging list test level notifications
logging buffered warnings
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu backup 1500
mtu Management 1500
mtu DMZ 1500
ip verify reverse-path interface inside
ip verify reverse-path interface Management
ip audit name Attack attack action alarm
ip audit name Info info action alarm
ip audit interface inside Info
ip audit interface inside Attack
ip audit interface outside Info
ip audit interface outside Attack
ip audit interface backup Info
ip audit interface backup Attack
ip audit interface DMZ Info
ip audit interface DMZ Attack
failover
failover lan unit secondary
failover lan interface failover Vlan255
failover polltime unit 1 holdtime 3
failover polltime interface 1 holdtime 5
failover interface ip failover 192.168.255.1 255.255.255.252 standby 192.168.255.2
monitor-interface inside
monitor-interface outside
monitor-interface backup
monitor-interface Management
monitor-interface DMZ
icmp unreachable rate-limit 10 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 Default_Vlan 255.255.0.0 dns
nat (DMZ) 1 192.168.253.0 255.255.255.0
static (inside,outside) tcp interface 888 192.168.0.194 888 netmask 255.255.255.255  dns 
static (inside,backup) tcp interface 888 192.168.0.194 888 netmask 255.255.255.255  dns 
static (inside,backup) udp interface 888 192.168.0.194 888 netmask 255.255.255.255  dns 
static (inside,outside) udp interface 888 192.168.0.194 888 netmask 255.255.255.255  dns 
static (DMZ,outside) tcp interface ftp FTP01 ftp netmask 255.255.255.255  dns 
static (DMZ,outside) tcp interface ftp-data FTP01 ftp-data netmask 255.255.255.255  dns 
access-group inside_access_in in interface inside
access-group OUTSIDE_IN in interface outside
access-group backup_access_in in interface backup
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 213.125.16.81 1 track 1
route backup 0.0.0.0 0.0.0.0 188.201.212.129 254
!
router rip
 network 192.168.254.0
 passive-interface outside
 passive-interface backup
 passive-interface Management
 passive-interface DMZ
 default-information originate
 version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.4.0 255.255.255.0 Management
http ICT 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
fragment chain 1 inside
fragment chain 1 outside
fragment chain 1 backup
fragment chain 1 Management
fragment chain 1 DMZ
sla monitor 123
 type echo protocol ipIcmpEcho 213.51.160.52 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
service resetoutside
crypto ipsec transform-set TRANS_ESP_AES-256_SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_AES-256_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_AES-256_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh ICT 255.255.255.0 inside
ssh 192.168.4.0 255.255.255.0 Management
ssh timeout 5
ssh version 2
console timeout 0
management-access Management
ntp server 193.67.79.202 prefer
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  id-randomization
  id-mismatch action log
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:0289a7cab68afeb8fde4d99723647e99
: end

Thanks in advance.

1 Accepted Solution

Accepted Solutions

Hello,

Please try the following:

Assume that the free IP is 1.1.1.3

static (DMZ,outside) 1.1.1.3 FTP01 netmask 255.255.255.255 dns

With regard to your problem of manual failover, the issue is with the ISP's

not allowing traffic sourced from IP that does not belong to their IP range.

They will not be advertising each other's subnets, so when your primary goes

down, the subnet belonging to your primary ISP will be down. Most common

practice is to modify the DNS entry (or add dual DNS entries to the same

server). I would suggest you to work with your DNS people to ensure that

they track the primary IP and when the primary IP is not reachable, they

report the secondary IP.

Hope this helps.

Regards,

NT

View solution in original post

20 Replies 20

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

From your configuration, it seems like you have mapped the FTP server to

your interface IP. This configuration is supported as long as the client and

server communicate via Active FTP mode. When the FTP mode is passive, the

client opens the connections. The data port is not fixed to 20. Instead, the

server opens up a port greater than 1023 and sends that information to the

client. If you do not have a translation for that port, the firewall cannot

forward requests coming onto that port on the outside interface to the

inside server. Can you please try the following:

no static (DMZ,outside) tcp interface ftp FTP01 ftp netmask 255.255.255.255

dns

no static (DMZ,outside) tcp interface ftp-data FTP01 ftp-data netmask

255.255.255.255 dns

static (DMZ,outside) ftp FTP01 netmask 255.255.255.255

dns

This should map all the ports of that public IP to the FTP server. With

regard to your second question about secondary ISP and access to the FTP

server, you are right. You need to work with the DNS and make changes to the

DNS.

Hope this helps.

Regards,

NT

Hi NT,

Thanks for your answer, but it's not working. As i copy past your command then i get a syntax error. If i replace the command with:

static (DMZ,outside) FTP01 netmask 255.255.255.255 dns

then i get: ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

ASA's can be complex........

Regarding the FTP and DNS question:

each time the primary line fails i've to edit our A record on the ISP's DNS server. besides it, mostly it takes one to two days to replicate DNS.

I need a solution that automaticly reroutes the traffic.

We've some spare public ip addresses available from both ISP's. Only the ranges are different. if i could configure tha ASA such way that i map a spare public ip (for example from ISP A 1.1.1.3) to our ftp server, and is reachable independendly what ISP is active at that moment.

Hello,

Please try the following:

Assume that the free IP is 1.1.1.3

static (DMZ,outside) 1.1.1.3 FTP01 netmask 255.255.255.255 dns

With regard to your problem of manual failover, the issue is with the ISP's

not allowing traffic sourced from IP that does not belong to their IP range.

They will not be advertising each other's subnets, so when your primary goes

down, the subnet belonging to your primary ISP will be down. Most common

practice is to modify the DNS entry (or add dual DNS entries to the same

server). I would suggest you to work with your DNS people to ensure that

they track the primary IP and when the primary IP is not reachable, they

report the secondary IP.

Hope this helps.

Regards,

NT

Hi NT,

Thanks for the reply. i've had tried the command you suggested already before, but it didn't work. But i got an idea.

When you look in the config by vlan 2 (outsite) you see the following:

interface Vlan2
description Connected to primary ISP
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252

i've specified a /30 subnetmask for peer to peer communication with the modem. When i change the subnetmask into /29 (as we have got 5 public IP's from our ISP) the 1.1.1.3 or 4 or 5 address is recognised as part of the range, though?

maybe then i get resonse when i FTP to new public ip address. I will try it tomorrow when i got to work.

Goodmorning NT and others,

this morning i change the outside interfaces' subnetmask from 252 to 248, so that the available public IP addresses are within the range.

After that i gave the command static (DMZ,outside) 1.1.1.3 FTP01 netmask 255.255.255.255 dns

The command is accepted but the FTP server still isn't reachable. When i test with the Packet Tracer, it keeps failing with NAT. Is my ASA config wrong or so?

I've attached a screenshot of Packet Tracer.

I don't know what to do to get it working. Can it be that hard?:P

About the DNS story:

I'm the only network administrator at the company (were're fairly small with 100 desktops) So i guess i have to contact our ISP's to discuss our needs.

PS: I've edited the outside IP's for security reasons;)

Hi Roel,

The reason why you are seeing the packet-tracer fail is because you have specified the destination IP address as 192.168.253.2 which is the real IP of the FTP server. Try specifying it as 1.1.1.3 which is the translated IP address of the FTP server on the outside which will also be the IP address the users will try to access from the internet.

With regards to why the users are not able to FTP into the server, are the users using "Active" or "Passive" FTP for the same? Please enable logging on the ASA and get the logs when a user tries to access the FTP server as well. That way we can see if there are any drops by the ASA.

All the best!

Regards,

Prapanch

Hi PR,

Thanks for the reply. I've tested your suggestion with Packet Tracer, and indeed the packet comes through!. But i can't reach the ftp server yet.

When i ftp from the inside to DMZ, i see PASV commands passing, so i use passive FTP.

Also i've configured an inspect map for ftp like this:

class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
  inspect ftp

service-policy global_policy global

Also in the FTP server i specified the port range for passive ftp: 15000 - 15500.

I suggest we do a couple of things here.

1> Enable buffered logging on the ASA and get those logs when trying to access the FTP server.

logging enable

logging buffered debugging

2> When a user tries to access the FTP server, get the set messages that we see on the server with regards to that particular connection.

Also, if possible, we can apply captures on the ASA on both the outside and DMZ interfaces and get those in a .pcap format for detailed analysis.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

Thanks and Regards,

Prapanch

i turned on logging as you said. Regarding connecting users:

When i FTP from inside to DMZ i can see activity at the FTP server's log.

But when i try to connect from outside to DMZ, nothing happens on the ftp server. It seems that the outside connection doesn't come that far.

On the clientside i get an ETIMEDOUT - Connection attempt timed out.

To capture traffic, i have to upgrade my ASA and ASDM software first. I plan it for this evening. In the mean time, i've turned on logging. where can i view my loggings?

I'm quite familiar with Cisco products, but not with ASA's.....

Hi,

You should be able to see the logs by giving "show logg". Also, captures should be available on version 7.2(4) which I assume is the one you are running based on the running-config initially attached.

I apologize as i skipped this detail before but i think the problem could be with the access-list on the outside interface of your ASA:

access-list OUTSIDE_IN extended permit tcp any host FTP01 object-group Allow_FTP 
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit object-group TCPUDP any interface outside object-group Allow_SVN

We have allowed traffic to the real IP of the server 192.168.253.2. on the 1st line. Try modifying it ot the translated IP of 1.1.1.3 as below. We should be
good to go then:

access-list OUTSIDE_IN extended permit tcp any host 1.1.1.3

All the best!!

Thanks and Regards,
Prapanch

Hi PR,

Thanks for the reply. Regarding the last command, also that doesn't turn things...

I've place the rule first in row, but nothing seems to happen.

Also isn't it a huge security risk to allow the full TCP stack on the outside?

About the capure feature in ASDM, i don't see such function in the Tools menu. Also when i click on the menu Wizard, the Startup wizard and High Availablity Wizard doesn't function. i can click on it thousand times but nothing happend. Now i don't need those functions as i've already configured those via the CLI.

But i can't stay forever on 5.2 though...:P

Are you seeing hit counts on the access-list using "show access-list OUTSIDE_IN" when trying to connect from the client to the server? I suggest getting the captures in addition to this for analysis.

"Also isn't it a huge security risk to allow the full TCP stack on the  outside?"

Yes it is a risk and it is better to restrict it to just the necessary ports. I had given that one just as an example.

Regards,

Prapanch

I've upgraded the ASA software and ASDM software. Everything went smooth.

I'll come back tomorrow with capture results.

As for now, the Access list doesn't show any hits... hmm. Are my interfaces wrong configured???

Hmmm.. If you aren't seeing hit counts, then the packets may not even be reaching your firewall. Captures sohuld confirm that if that indeed is the case.

Review Cisco Networking for a $25 gift card