Need help for FTP Port Forwarding behind ASA

it_casino-f
Level 1

Hi to all,

I am new to the Cisco world, but I'm trying my best to learn more ;-)

I want to set up an IIS FTP server behind the ASA. It works fine in the LAN, but I'm still not able to access it from outside. I've read a lot of guides over the past 3-4 days,

but I still haven't succeeded. I don't know what I'm doing wrong; I hope I will find help here.

Here is the running config from my ASA (it was not configured by me, only the FTP part: NAT, network object, etc.).

ASA Version 8.4(2)

!

hostname ciscoasa

enable password 9S9HjwYX3Cu6MYv/ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ddns update method DynDNS

ddns

interval maximum 0 0 30 0

!

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

allow-ssc-mgmt

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 197.254.3.250 255.255.255.248

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 196.200.16.2

name-server 196.200.16.27

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Office_Network

subnet 10.1.2.0 255.255.255.0

object network Guests

subnet 10.1.4.0 255.255.255.0

object network Slot_Network

subnet 10.10.0.0 255.255.0.0

object network Surveillance

subnet 10.1.3.0 255.255.255.0

object network Switch_Mgmt

subnet 10.1.15.0 255.255.255.0

object network NETWORK_OBJ_172_20_254_0_24

subnet 172.20.254.0 255.255.255.0

object network Surveillance_Terminals

range 10.1.3.31 10.1.3.40

object network NETWORK_OBJ_10.1.3.0_24

subnet 10.1.3.0 255.255.255.0

object network Core_Switch

host 192.168.1.4

object network ASA_Outside

host 197.254.3.250

object network ASA_Inside

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_172.29.254.0_24

subnet 172.29.254.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.12.0_27

subnet 192.168.12.0 255.255.255.224

object network IakosVPN

subnet 10.0.0.0 255.255.255.240

object network Iakos_Outside

host 82.131.211.54

object network Iakos

host 82.131.211.54

object network ITM

host 10.1.2.8

object network FTP_Server

host 10.1.2.10

object-group network Casino_Allowed

description Allowed for Internet

network-object 192.168.1.0 255.255.255.0

network-object object Guests

network-object object Office_Network

network-object object Surveillance_Terminals

network-object object NETWORK_OBJ_172_20_254_0_24

object-group network Casino

network-object 192.168.1.0 255.255.255.0

network-object object Guests

network-object object Office_Network

network-object object Slot_Network

network-object object Surveillance

network-object object Switch_Mgmt

access-list Tunel1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.1.2.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.1.3.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.1.4.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.1.15.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0

access-list inside_access_in extended permit ip object-group Casino object NETWORK_OBJ_172_20_254_0_24

access-list inside_access_in extended permit ip object-group Casino_Allowed any

access-list outside_mpc extended permit ip any any

access-list global_mpc extended permit ip any any

access-list s-tunnel_splitTunnelAcl standard permit 10.1.3.0 255.255.255.0

access-list outside_cryptomap extended permit ip object ASA_Inside object IakosVPN

access-list k-tunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list outside_access_in extended permit tcp any interface outside eq ftp

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN_Pool 192.168.12.1-192.168.12.25 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic Casino_Allowed interface

nat (inside,inside) source dynamic any interface destination static Casino Casino inactive

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_172.29.254.0_24 NETWORK_OBJ_172.29.254.0_24 no-proxy-arp route-lookup

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_27 NETWORK_OBJ_192.168.12.0_27 no-proxy-arp route-lookup

nat (outside,inside) source static any any destination static Slot_Network Slot_Network

nat (inside,outside) source static ASA_Inside ASA_Inside destination static IakosVPN IakosVPN no-proxy-arp route-lookup inactive

!

object network FTP_Server

nat (inside,outside) static FTP_Server service tcp ftp ftp

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

!

router eigrp 100

network 192.168.1.0 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 197.254.3.249 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.1.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto map outside_map0 1 match address outside_cryptomap

crypto map outside_map0 1 set peer 82.131.211.54

crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map0 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map0 interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=ciscoasa

crl configure

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet 10.1.2.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

no vpn-addr-assign dhcp

dhcp-client update dns server both

dhcpd dns 196.200.16.2 196.200.16.27

dhcpd lease 691200

dhcpd auto_config outside

dhcpd option 33 ip 10.1.0.0 192.168.1.4

!

dhcpd address 192.168.1.5-192.168.1.132 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 78.41.115.242 prefer

ntp server 62.178.1.13

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

anyconnect enable

tunnel-group-list enable

tunnel-group-preference group-url

group-policy DfltGrpPolicy attributes

dns-server value 196.200.16.2 196.200.16.27

group-policy GroupPolicy_82.131.211.54 internal

group-policy GroupPolicy_82.131.211.54 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy k-tunnel internal

group-policy k-tunnel attributes

dns-server value 196.200.16.2 196.200.16.27

vpn-tunnel-protocol ikev1 ikev2

split-tunnel-policy tunnelspecified

split-tunnel-network-list value k-tunnel_splitTunnelAcl

default-domain none

group-policy s-tunnel internal

group-policy s-tunnel attributes

wins-server none

dns-server value 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value s-tunnel_splitTunnelAcl

default-domain none

username admin password NfoaTNzlDvQAugvm encrypted privilege 15

username admin attributes

service-type nas-prompt

username kflg password QMcOmsDwXsvazrlO encrypted

username slotadmin password N2hAEXC/1o9tVCBF encrypted

tunnel-group k-tunnel type remote-access

tunnel-group k-tunnel general-attributes

default-group-policy k-tunnel

tunnel-group k-tunnel ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group s-tunnel type remote-access

tunnel-group s-tunnel general-attributes

address-pool VPN_Pool

default-group-policy s-tunnel

tunnel-group s-tunnel ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 82.131.211.54 type ipsec-l2l

tunnel-group 82.131.211.54 general-attributes

default-group-policy GroupPolicy_82.131.211.54

tunnel-group 82.131.211.54 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

class-map outside-class

match access-list outside_mpc

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class class-default

  user-statistics accounting

policy-map outside-policy

class outside-class

  ips inline fail-open

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:e5ebf9096c9c2b753caeb3e5e1d335bc

: end

11 Replies

Abzal
Level 7

Hi Kosta,

First of all, you need one public IP address for this. I see you have the subnet 197.254.3.250/29. Just choose one real IP from this subnet; for example, let's choose 197.254.3.251. From the configuration I see your FTP server IP address is 10.1.2.10, please correct me if I'm wrong.

static (inside, outside) tcp 197.254.3.251 ftp 10.1.2.10 ftp netmask 255.255.255.255

static (inside, outside) tcp 197.254.3.251 ftp-data 10.1.2.10 ftp-data netmask 255.255.255.255

You also need to fix your outside ACL:

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in extended permit tcp any interface outside eq ftp-data

And refer to this link:

https://supportforums.cisco.com/docs/DOC-2053

Hope it will help.

Please rate helpful posts.

Best regards,
Abzal

Thanks for trying to help me!

I'm getting this error when trying to create the static entry:

This syntax of nat command has been deprecated.

What does this mean?

What version of ASA do you have? Does this error appear when you try the commands I showed above?

Best regards,
Abzal

ASA 8.4(2)

Yes, on the first command I'm getting this error.

Ok, then try this one, change your FTP_Server object group:

object network FTP_Server

host 10.1.2.10

nat (inside,outside) static 197.254.3.251 service tcp ftp ftp

Note. I assume that your FTP is 10.1.2.10 and real IP is 197.254.3.251.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html#wp1106703

Hope it will help.

Please rate helpful posts.

Best regards,
Abzal

My outside interface is configured directly with the external IP (197.254.3.250).

I have reserved 5 IPs from the provider (197.254.3.249-197.254.3.254).

Should I make the NAT to another address or to .250?

Yes, you need to choose any other IP address from the 197.254.3.251 - 197.254.3.254 range, because .250 is your outside interface and .249 is the ISP interface's IP address. And map it to the internal IP of the FTP server.

Best regards,
Abzal

Good afternoon,

I'm still not able to solve my problem; here is my running config this time.

Result of the command: "sh run"

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

enable password 9S9HjwYX3Cu6MYv/ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

ddns update method DynDNS

ddns

interval maximum 0 0 30 0

!

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

allow-ssc-mgmt

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 197.254.3.250 255.255.255.248

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 196.200.16.2

name-server 196.200.16.27

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Office_Network

subnet 10.1.2.0 255.255.255.0

object network Guests

subnet 10.1.4.0 255.255.255.0

object network Slot_Network

subnet 10.10.0.0 255.255.0.0

object network Surveillance

subnet 10.1.3.0 255.255.255.0

object network Switch_Mgmt

subnet 10.1.15.0 255.255.255.0

object network NETWORK_OBJ_172_20_254_0_24

subnet 172.20.254.0 255.255.255.0

object network Surveillance_Terminals

range 10.1.3.31 10.1.3.40

object network NETWORK_OBJ_10.1.3.0_24

subnet 10.1.3.0 255.255.255.0

object network Core_Switch

host 192.168.1.4

object network ASA_Outside

host 197.254.3.250

object network ASA_Inside

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_172.29.254.0_24

subnet 172.29.254.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.12.0_27

subnet 192.168.12.0 255.255.255.224

object network IakosVPN

subnet 10.0.0.0 255.255.255.240

object network Iakos_Outside

host 82.131.211.54

object network FTP_Server

host 10.1.2.10

object-group network Casino_Allowed

description Allowed for Internet

network-object 192.168.1.0 255.255.255.0

network-object object Guests

network-object object Office_Network

network-object object Surveillance_Terminals

network-object object NETWORK_OBJ_172_20_254_0_24

object-group network Casino

network-object 192.168.1.0 255.255.255.0

network-object object Guests

network-object object Office_Network

network-object object Slot_Network

network-object object Surveillance

network-object object Switch_Mgmt

access-list Tunel1_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.1.2.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.1.3.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.1.4.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.1.15.0 255.255.255.0

access-list Tunel1_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0

access-list inside_access_in extended permit ip object-group Casino object NETWORK_OBJ_172_20_254_0_24

access-list inside_access_in extended permit ip object-group Casino_Allowed any

access-list outside_mpc extended permit ip any any

access-list global_mpc extended permit ip any any

access-list s-tunnel_splitTunnelAcl standard permit 10.1.3.0 255.255.255.0

access-list outside_cryptomap extended permit ip object ASA_Inside object IakosVPN

access-list k-tunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in extended permit tcp any interface outside eq ftp-data

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN_Pool 192.168.12.1-192.168.12.25 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic Casino_Allowed interface

nat (inside,inside) source dynamic any interface destination static Casino Casino inactive

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_172.29.254.0_24 NETWORK_OBJ_172.29.254.0_24 no-proxy-arp route-lookup

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_27 NETWORK_OBJ_192.168.12.0_27 no-proxy-arp route-lookup

nat (outside,inside) source static any any destination static Slot_Network Slot_Network

nat (inside,outside) source static ASA_Inside ASA_Inside destination static IakosVPN IakosVPN no-proxy-arp route-lookup inactive

!

object network FTP_Server

nat (inside,outside) static 197.254.3.252 service tcp ftp ftp

access-group inside_access_in in interface inside

!

router eigrp 100

network 192.168.1.0 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 197.254.3.249 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication telnet console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.1.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto map outside_map0 1 match address outside_cryptomap

crypto map outside_map0 1 set peer 82.131.211.54

crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map0 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map0 interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=ciscoasa

crl configure

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet 10.1.2.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

no vpn-addr-assign dhcp

dhcp-client update dns server both

dhcpd dns 196.200.16.2 196.200.16.27

dhcpd lease 691200

dhcpd auto_config outside

dhcpd option 33 ip 10.1.0.0 192.168.1.4

!

dhcpd address 192.168.1.5-192.168.1.132 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 78.41.115.242 prefer

ntp server 62.178.1.13

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

anyconnect enable

tunnel-group-list enable

tunnel-group-preference group-url

group-policy DfltGrpPolicy attributes

dns-server value 196.200.16.2 196.200.16.27

group-policy GroupPolicy_82.131.211.54 internal

group-policy GroupPolicy_82.131.211.54 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy k-tunnel internal

group-policy k-tunnel attributes

dns-server value 196.200.16.2 196.200.16.27

vpn-tunnel-protocol ikev1 ikev2

split-tunnel-policy tunnelspecified

split-tunnel-network-list value k-tunnel_splitTunnelAcl

default-domain none

group-policy s-tunnel internal

group-policy s-tunnel attributes

wins-server none

dns-server value 8.8.8.8

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value s-tunnel_splitTunnelAcl

default-domain none

username admin password NfoaTNzlDvQAugvm encrypted privilege 15

username admin attributes

service-type nas-prompt

username kflg password QMcOmsDwXsvazrlO encrypted

username timbatec password qYGb/8ZLEm0OZ3sj encrypted

username slotadmin password N2hAEXC/1o9tVCBF encrypted

tunnel-group k-tunnel type remote-access

tunnel-group k-tunnel general-attributes

default-group-policy k-tunnel

tunnel-group k-tunnel ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group s-tunnel type remote-access

tunnel-group s-tunnel general-attributes

address-pool VPN_Pool

default-group-policy s-tunnel

tunnel-group s-tunnel ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 82.131.211.54 type ipsec-l2l

tunnel-group 82.131.211.54 general-attributes

default-group-policy GroupPolicy_82.131.211.54

tunnel-group 82.131.211.54 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

class-map outside-class

match access-list outside_mpc

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class class-default

  user-statistics accounting

policy-map outside-policy

class outside-class

  ips inline fail-open

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:9923be0a8c78f03ad6dbd8a55f6784b5

: end


Hi,

You need to fix this one from

object network FTP_Server

nat (inside,outside) static 197.254.3.252 service tcp ftp ftp

but should be like this

object network FTP_Server

host 10.1.2.10

nat (inside,outside) static 197.254.3.252 service tcp ftp ftp

Hope it will help.

Best regards,
Abzal

But after listing the object networks you can see that it is already like that (without the NAT part).

I executed exactly the commands you typed for me.

Do you have connectivity from the ASA to the Internet? If so, try to remove and rename it:

no object network FTP_Server

object network FTP_10_1_2_10

host 10.1.2.10

nat (inside,outside) static 197.254.3.252 service tcp ftp ftp

Best regards,
Abzal
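Added example (not part of the thread, and not Cisco's or Abzal's text): the complete set of ASA 8.3+/8.4 commands for publishing the inside FTP server by static PAT on a spare public address, followed by the checks that confirm both the translation and the access rule are in place. It assumes the addresses used in the thread (real host 10.1.2.10, public address 197.254.3.252 from the /29 on the outside interface); 203.0.113.5 is a constructed client address. Two points the example relies on: since ASA 8.3 an access rule must match the real (untranslated) address, so a "permit tcp any interface outside eq ftp" entry does not match a packet that has already been un-NATed to 10.1.2.10; and an access-list has no effect until it is bound to an interface with access-group, which the second running config posted above does only for inside_access_in. Because "inspect ftp" is already in global_policy, the data channel is opened dynamically by the inspection engine and no separate ftp-data translation or ACL entry is needed.

```cisco
! Added example: static PAT for an inside FTP server on ASA 8.3+ object NAT.
! Assumed values: real host 10.1.2.10, spare public IP 197.254.3.252.

! 1. The real host lives in the network object; the NAT statement is
!    attached to the object (8.3+ syntax, replaces the old "static" command).
object network FTP_Server
 host 10.1.2.10
 nat (inside,outside) static 197.254.3.252 service tcp ftp ftp

! 2. NAT only translates. On 8.3+ the access rule is evaluated against the
!    real address, so it references the object, not the outside interface,
!    and it does nothing until it is applied inbound on the outside interface.
access-list outside_access_in extended permit tcp any object FTP_Server eq ftp
access-group outside_access_in in interface outside

! 3. FTP inspection watches the control channel and opens the data channel
!    (active or passive) on demand, so port 21 is the only static entry.
policy-map global_policy
 class inspection_default
  inspect ftp

! 4. Verification on the ASA itself.
show running-config nat
show nat detail
show access-list outside_access_in

! Simulate a constructed external client (203.0.113.5) connecting to the
! public address on port 21; every phase, including NAT and ACCESS-LIST,
! should report ALLOW and the result should end with "Action: allow".
packet-tracer input outside tcp 203.0.113.5 40000 197.254.3.252 21

! After a real client connects, the translation should appear here.
show xlate
```

If packet-tracer stops at the ACCESS-LIST phase with DROP, the rule is either missing, matching the translated instead of the real address, or not bound with access-group; if it stops at the NAT phase, the object NAT line is not present in the running configuration.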