01-11-2013 11:14 AM - edited 03-08-2019 06:47 PM
Hi,
I have the following configuration on a Cisco ASA 8.2(5), all the traffic to the port 5000 and www 80 it's forward throught static NAT but i can't access to a FTP SERVER Windows and FTP Server Linux. ATtach is the configuration I would like to know what is causing the problems.
The FTP Server Are running locally without any problems, when I try to reach it for the Outside interface then i can't, this is in the only port i can't forward.
I really appreciate your help.
Thanks
ASA Version 8.2(5)
!
hostname ciscoasa
enable password dAWCvYvyr2FRISo5 encrypted
passwd dAWCvYvyr2FRISo5 encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.4.4
name-server 8.8.8.8
name-server 196.3.81.132
same-security-traffic permit intra-interface
object-group service TEST2 tcp
port-object eq www
port-object eq https
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255
.255.0
access-list 101 extended permit icmp any interface outside echo-reply
access-list 101 extended permit udp any any eq 5000
access-list 101 extended permit udp any any eq ntp
access-list 101 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
access-list 102 extended permit icmp any interface outside echo-reply
access-list 102 extended permit icmp any interface outside
access-list 102 extended permit ip any host 192.168.1.5
access-list 102 extended permit tcp any host 192.168.1.5 eq 5000
access-list 102 extended permit tcp any interface outside eq 5000
access-list 102 extended permit tcp any host 192.168.1.5 eq https
access-list 102 extended permit tcp any any eq 5000
access-list 102 extended permit ip any host 192.168.1.8
access-list 102 extended permit tcp any any eq telnet
access-list 102 extended permit tcp any interface outside object-group TEST2
access-list 102 extended permit ip any 192.168.1.0 255.255.255.0
access-list 102 extended permit tcp any interface outside eq www
access-list 102 extended permit tcp any interface outside eq ftp
access-list 102 extended permit tcp any interface outside eq ftp-data
access-list 103 extended permit udp any 192.168.1.0 255.255.255.0 eq tftp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5000 192.168.1.5 5000 netmask 255.255.255.
255
static (inside,outside) tcp interface www 192.168.1.15 www netmask 255.255.255.2
55
static (inside,outside) tcp interface ftp 192.168.1.15 ftp netmask 255.255.255.2
55
static (inside,outside) tcp interface ftp-data 192.168.1.15 ftp-data netmask 255
.255.255.255
access-group 102 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 225.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.41 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cabelen password tJPt4MkXkeex6ITZ encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6280485f175c07a73317b7c4a607c370
: end
ciscoasa#
Hello
You have created document instead of discussion. That's why do not expect to see response.
Active FTP will not work, because client from internet send PORT command with it's private IP address telling the server where to connect to.
You would need ftp inspection on client site for tcp/5000 which is not common.
Passive FTP should work fine - but please put ftp inspection for class-map with port tcp/5000.
Hi Michael,
the port 5000 is attach to an IP camera and the port 80 is working for a web server, the only things don't want to foward is the FTP Server.
Hi
OK, for default port:
- passive mode should work fine: did you use passive mode ?
- active mode: for that we still could have problem if firewall on client site does not perform ftp inspection on default port (rewriting PORT command from private to public IP)
If you still have problems with passive mode please run wireshark on client and capture tcp/ftp and attach here.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: