06-21-2002 11:51 AM - edited 03-08-2019 11:04 PM
Below is the config for the PIX I'm working with. However, I can't connect to FTP from the inside when allowing the FTP ports, both TCP and UDP. However, when I allow all ports (i.e. permit IP any any) it works fine. What gives?
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 12.163.44.4 255.255.255.0
ip address inside 192.168.1.253 255.255.255.0
ip address dmz 10.0.0.1 255.255.255.0
global (outside) 1 12.163.44.250-12.163.44.253 netmask 255.255.255.0
global (outside) 1 12.163.44.254 netmask 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (dmz,outside) 12.163.44.102 wadetest netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
access-list 101 permit tcp any host wadetest eq ftp
access-list 101 permit tcp any host wadetest eq ftp-data
access-list 101 permit udp any host wadetest eq 20
access-list 101 permit udp any host wadetest eq 21
access-group 101 in interface outside
06-21-2002 09:57 PM
If your FTP server is on the DMZ, and you are trying to reach it from inside, then add the following:
nat (inside) 2 192.168.1.0 255.255.255.0
global (dmz) 2 x.x.x.x
HTH
R/Yusuf
06-25-2002 05:27 AM
That works. It will NAT the inside to the DMZ but now, how do I NAT to the Outside from the DMZ?
07-18-2002 09:15 PM
See, NATing from the DMZ to the outside is required only if you want to access the outside, i.e. the internet, from the DMZ interface. If you want to give access to the FTP server on the DMZ from outside, then the combination of static and access-list commands is absolutely fine.