Policy-based-Routing for FTP

robert.rosell
Level 1

Hi Experts,

I'm trying to configure my ASA 5515-X (9.5(2)5) to split business-critical traffic like SMTP, VPN, NTP on interface OUTSIDE with static IPs and web traffic like HTTP and FTP on interface INTERNET with a dynamic IP. The default route points to OUTSIDE.

Now I'm stuck on passive FTP...

The initial communication through port 21 is working. The following communication through a dynamically assigned port is blocked on OUTSIDE by any/any/deny.

I need to tell PBR dynamically to route the additional FTP-port through INTERNET. But how?

The config looks like this:

S*    0.0.0.0 0.0.0.0 [1/0] via DEUTSCHLAND_LAN, outside

route-map PBR-test permit 10
 match ip address PBR-ACL
 set ip next-hop 172.17.252.240
 set interface INTERNET

access-list PBR-ACL extended deny ip 192.1.2.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list PBR-ACL extended permit object-group DM_INLINE_SERVICE_3 object-group DM_INLINE_NETWORK_1 any4

object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object tcp-udp destination eq domain
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object tcp destination eq ftp

object-group network DM_INLINE_NETWORK_1
 network-object 192.1.2.0 255.255.255.0
 network-object object net-192.1.2.0_24

Thanks for your help

Greets

Robert
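The root of the problem in the post is that the FTP data connection of a passive session goes to a port the server picks at runtime, so a policy that matches only on well-known destination ports (as the PBR-ACL above does) classifies the control channel but not the data channel. The following is an added example, not code from the post or from Cisco: it parses a PASV reply the way an application-layer inspector would, derives the data port, and models two policies side by side, a port-only one mirroring DM_INLINE_SERVICE_3 and one that learns a per-session pinhole from the control channel. The reply text, the client and server addresses and the policy tables are constructed; the ASA's real inspection engine is not reproduced here.

```python
import re
from dataclasses import dataclass

# Constructed sample reply in the format an FTP server sends for PASV (RFC 959).
# The data port is p1*256 + p2 = 195*256 + 80 = 50000.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)\r\n"

_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply; the port is p1*256 + p2."""
    m = _PASV_RE.match(reply)
    if m is None:
        raise ValueError("not a 227 Entering Passive Mode reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Hypothetical port-only policy modelled on the post's DM_INLINE_SERVICE_3
# (icmp left out because only TCP/UDP flows are classified here).
STATIC_POLICY_PORTS = {("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 21)}


def static_match(flow):
    """Port-based match: true only for the fixed destination ports above."""
    return (flow.proto, flow.dport) in STATIC_POLICY_PORTS


def learn_pinhole(client_ip, server_ip, reply):
    """Model of application inspection: read the PASV reply on the control
    channel and record the data connection the client is about to open.
    The announced address must be the control-channel peer; an inspector
    that opens pinholes to arbitrary addresses would be abusable."""
    ip, port = parse_pasv(reply)
    if ip != server_ip:
        raise ValueError("PASV address does not match control-channel peer")
    return Flow(src=client_ip, dst=ip, proto="tcp", dport=port)


def match_with_pinholes(flow, pinholes):
    """Policy with inspection: static ports plus learned per-session flows."""
    return static_match(flow) or flow in pinholes


def simulate_passive_session(client_ip, server_ip, reply):
    """Classify both halves of a passive FTP session under both policies."""
    control = Flow(client_ip, server_ip, "tcp", 21)
    data = learn_pinhole(client_ip, server_ip, reply)  # what the client will connect to
    pinholes = {data}                                   # what an inspector would open
    return {
        "data_port": data.dport,
        "control_static": static_match(control),
        "data_static": static_match(data),
        "data_with_inspection": match_with_pinholes(data, pinholes),
    }


if __name__ == "__main__":
    # Constructed addresses: client in the post's 192.1.2.0/24, server in TEST-NET-3.
    print(simulate_passive_session("192.1.2.50", "203.0.113.10", SAMPLE_PASV_REPLY))
```

Running it shows `control_static` true and `data_static` false for the same session: the port-21 match alone never sees the data connection, which is exactly the flow the post reports being dropped on OUTSIDE. Only something that reads the control channel (the pinhole model here) can classify it, so whichever feature is used to steer the data channel has to be keyed on the control session rather than on a fixed port list.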
