08-21-2012 04:09 AM - edited 03-11-2019 04:44 PM
Hi all,
I have an ASA 5515 and four FTP servers. Currently I have everything configured properly for three of the servers that I need. For the fourth I have two possibilities:
1) Use the IP configured for the external interface.
2) Use one of the IPs used for the other FTP servers, but with another port.
Is option 1 possible? I did not succeed.
I was then trying to use this configuration:
<public ip>: 2121 -> <internal ip> 21
<public ip>: 2120 -> <internal ip> 20
The problem is that I can only log in but cannot access the folders.
I changed the service policy as well, but it is still not working:
class-map inspection_default
 match default-inspection-traffic
class-map FTP-2121
 match port tcp range 2120 2121
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect esmtp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
 class FTP-2121
  inspect ftp
Here is the output of sh service-policy:
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: ftp, packet 186535, lock fail 0, drop 188, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 6539637, lock fail 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: http, packet 1581437285, lock fail 0, drop 0, reset-drop 0
      Inspect: netbios, packet 105420, lock fail 0, drop 0, reset-drop 0
      Inspect: pptp, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: rsh, packet 7, lock fail 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 3857828, lock fail 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sip , packet 3, lock fail 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0
        tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0
    Class-map: FTP-2121
      Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0
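Added example, not part of the original post: a small Python parser for the `sh service-policy` output above that reports, per class-map, whether the FTP inspection engine has seen any packets or dropped any. The sample lines are copied (abridged) from the post; the function names `parse_service_policy` and `findings` are hypothetical helpers made up for this illustration.

```python
import re

# Abridged copy of the "sh service-policy" output posted above.
SAMPLE = """\
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: ftp, packet 186535, lock fail 0, drop 188, reset-drop 0
Inspect: esmtp _default_esmtp_map, packet 6539637, lock fail 0, drop 0, reset-drop 0
Inspect: sip , packet 3, lock fail 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Class-map: FTP-2121
Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0
"""

INSPECT_RE = re.compile(
    r"^\s*Inspect:\s*(?P<name>[^,]+?)\s*,\s*packet\s+(?P<packet>\d+),"
    r"\s*lock fail\s+(?P<lock_fail>\d+),\s*drop\s+(?P<drop>\d+),"
    r"\s*reset-drop\s+(?P<reset_drop>\d+)"
)
CLASS_RE = re.compile(r"^\s*Class-map:\s*(?P<cls>\S+)")

def parse_service_policy(text):
    """Return one dict per Inspect line, tagged with the class-map it sits under."""
    rows, current = [], None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = m.group("cls")
            continue
        m = INSPECT_RE.match(line)
        if m and current is not None:
            row = {"class_map": current, "inspect": m.group("name")}
            row.update({k: int(m.group(k)) for k in ("packet", "lock_fail", "drop", "reset_drop")})
            rows.append(row)
    return rows

def findings(rows, engine="ftp"):
    """Flag classes where the engine inspected no packets, or dropped some."""
    out = []
    for r in rows:
        if r["inspect"].split()[0] != engine:
            continue
        if r["packet"] == 0:
            out.append((r["class_map"], "no packets matched"))
        elif r["drop"] or r["reset_drop"]:
            out.append((r["class_map"], f"{r['drop']} drop, {r['reset_drop']} reset-drop"))
    return out
```

On the posted output this reports that class FTP-2121 has inspected zero packets, while the default class shows 188 FTP drops.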
08-22-2012 03:03 AM
Hi bro
If I were you, to achieve this requirement, I wouldn't use MPF. Too much work for a simple requirement. What I would do is as shown below:
static (inside,outside) tcp 202.188.1.14 2120 10.10.10.14 20 netmask 255.255.255.255
static (inside,outside) tcp 202.188.1.14 2121 10.10.10.14 21 netmask 255.255.255.255
access-list acl_outside permit tcp any host 202.188.1.14 range 20 21
access-group acl_outside in interface outside
Note: Please remove all the MPF commands that you've inserted, back to default.
08-24-2012 06:34 AM
It works!
The problem was the test that I did: there are restrictions on the use of the FTP client, and when I tried I could not list the folders. Changing the client works!
Thanks!