11-10-2011 09:09 AM - edited 03-04-2019 02:14 PM
Hello Community,
I have a DMZ and an INISDE. I want to allow FTP traffic from one DMZ server to a particular FTP server on another subnet not handled by my ASA.
My ASA has a DMZ interface, INSIDE interface.
My INSIDE interface is connected to many other subnets via internal router.
So my DMZ server will have to go through the INSIDE itnerface subnet to reach this FTP server.
DMZ server: 192.168.220.21
FTP server: 10.10.10.5
INSIDE subnet: 192.168.210.0
Thanks in Advance.
11-10-2011 10:46 AM
Hi,
Post your current sanitized config and we will tell you the commands to add or modify
Regards.
Alain
11-10-2011 11:10 AM
You need to add an ACL on ASA to allow access from DMZ to INSIDE and make sure that you have the routing that your FTP_Subnet can reach back to DMZ subnet and vice versa...
Should you still have issues please post your config...
Regards,
Manny
11-16-2011 07:29 AM
Hello guys,
Sorry for the delay.
I am not sure if this command is correct:
access-list dmz_in extended permit tcp host 192.168.220.21 host 10.10.10.5 eq ftp
access-group dmz_in in interface inside
I definately dont think my access-group command is correct, but I think i'm close on my ACL. I dont have an access group for my dmz to inside (which I assume I need one)
I am also wondering if I need a static each dmz to inside opened port.
static (DMZ,inside) 10.10.10.5 192.168.220.21 netmask 255.255.255.255
Thanks
John
ciscodemo# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname ciscodemo
domain-name arl.com
enable passworU.Tf7HhdwWvVGT3h encrypted
passwd 2KFQnIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 173.xx.xx.66 255.255.255.224
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.220.222 255.255.255.0
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.210.222 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name ari.com
same-security-traffic permit intra-interface
access-list outside_in extended permit tcp any host 173.xxx.xx.70 eq www
access-list outside_in extended permit tcp any host 173.xxx.xx.71 eq www
access-list vpn standard permit host 0.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.230.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.220.0 255.255.255.0 192.168.230.0 255.255.255.0
access-list vpn-dmz standard permit 192.168.220.0 255.255.255.0
access-list vpn-dmz standard permit 192.168.210.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu DMZ 1500
mtu inside 1500
ip local pool DMZ230 192.168.230.100-192.168.230.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (DMZ) 1 192.168.220.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.210.0 255.255.255.0
nat (inside) 1 192.168.230.0 255.255.255.0
static (DMZ,outside) 173.xxx.xx.70 192.168.220.10 netmask 255.255.255.255
static (DMZ,outside) 173.xxx.xx.71 192.168.220.21 netmask 255.255.255.255
access-group outside_in in interface outside
!
router rip
network 192.168.210.0
network 192.168.220.0
passive-interface DMZ
version 2
no auto-summary
!
route outside 0.0.0.0 0.0.0.0 173.xxx.xx.65 1
route outside 192.168.230.0 255.255.255.0 192.168.210.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.210.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
enable DMZ
svc enable
group-policy DMZAccess internal
group-policy DMZAccess attributes
vpn-tunnel-protocol IPSec svc
split-tunnel-policy excludespecified
split-tunnel-network-list value vpn
default-domain value arisgl.com
username syn-client4 password dIb97qfm6shciivc encrypted privilege 0
username syn-client4 attributes
vpn-group-policy DMZAccess
username syn-client5 password dIb97qfm6shciivc encrypted privilege 0
username syn-client5 attributes
vpn-group-policy DMZAccess
username syn-client2 password dIb97qfm6shciivc encrypted privilege 0
username syn-client2 attributes
vpn-group-policy DMZAccess
username syn-client3 password dIb97qfm6shciivc encrypted privilege 0
username syn-client3 attributes
vpn-group-policy DMZAccess
username syn-client1 password dIb97qfm6shciivc encrypted privilege 0
username syn-client1 attributes
vpn-group-policy DMZAccess
tunnel-group DMZAccess type remote-access
tunnel-group DMZAccess general-attributes
address-pool DMZ230
default-group-policy DMZAccess
tunnel-group DMZAccess ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ftp
inspect ipsec-pass-thru
inspect http
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:56c4f0314ac58686164da17
: end
ciscodemo#
11-16-2011 08:08 AM
access-list dmz_in extended permit tcp host 192.168.220.21 host 10.10.10.5 eq ftp
access-group dmz_in in interface inside
The access-list is correct, the access-group is not. Should be
access-group dmz_in in interface DMZ
Also add
static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
Also this route isn't making sense to me as you said that the 192.168.210.0 network is inside. Therefore the path to to 230 network would not be on the outside inteface towards 192.168.210.222.
route outside 192.168.230.0 255.255.255.0 192.168.210.222 1
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide