Solved: Problems with ASA 5520

nachete1979 · ‎12-20-2007

Hello all,

I am having dificulties migrating from a PIX to an ASA 5520 8.0(3).

I have the nat translations of the DMZs servers and the access list in the outside interface as see below:

access-list outside_access_in extended permit tcp any host FTP range ftp-data ftp

static (DMZ,outside) x.y.z.a FTP netmask 255.255.255.255

But when i try to connect to the outside natted address, the log says that the connection is denied due to the access list.

when I try a sh nat DMZ FTP, it says:

match ip DMZ host FTP outside any

static translation to x.y.z.a

translate_hits = 0, untranslate_hits = 52

It seems it is not being translated

Any ideas?

acomiskey · ‎12-20-2007

access-list outside_access_in extended permit tcp any host FTP range ftp-data ftp

should be...

access-list outside_access_in extended permit tcp any host x.y.z.a range ftp-data ftp

acomiskey · ‎12-20-2007

access-list outside_access_in extended permit tcp any host FTP range ftp-data ftp

should be...

access-list outside_access_in extended permit tcp any host x.y.z.a range ftp-data ftp

nachete1979 · ‎12-21-2007

Then, my question is, does the ASA work in a different way than the PIX regarding access-list?

I mean, does pix do first nat and later control and asa vice versa?

BR

acomiskey · ‎12-21-2007

No, they work the same way.