Cisco Certification FTP Services on ASA 5505

Posted by KEN on August 20, 2008, 5:14 pm


So this is my configuration for an ASA 5505.

I set up VPN, SMTP, and WWW.

VPN and SMTP work; now I need the FTP access to work. It's a pretty
simple config, just need FTP incoming. I really am having a hard time
figuring it out.

Any ideas?


!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 66.***.***.*** 255.255.255.248
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
ospf cost 10
!
passwd ********** encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name *******.com
object-group service test tcp
port-object range 1 65000
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq https
access-list outside_access_in remark Allow website access
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq www
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq 4125
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq 3389
access-list outside_access_in extended permit tcp any host **** eq 3389
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq pptp
access-list outside_access_in extended permit tcp any host **** eq 3389
access-list outside_access_in extended permit tcp any host 66.***.***.*** eq smtp
access-list outside_access_in extended permit ip any host 66.244.240.165
access-list outside_access_in extended permit tcp any host 66.244.240.165 eq ftp
access-list outside_access_in extended permit tcp any host 66.244.240.165 eq ftp-data
access-list outside_access_in extended permit icmp any any
access-list inside_access_out remark Allow all outbound
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit tcp any object-group test any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
asdm image disk0:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (inside) 1 Geotech3 netmask 255.255.255.0
global (outside) 10 interface
nat (inside) 10 192.168.101.0 255.255.255.0
static (inside,outside) 66.***.***.*** ServerName netmask 255.255.255.255
static (inside,outside) 66.***.***.*** GCSSBSDEN-01 netmask 255.255.255.255
static (inside,outside) 66.224.240.165 Geotech3 netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.224.240.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.155.0 255.255.255.0 inside
http 192.168.101.0 255.255.255.0 inside
http GGT 255.255.255.255 outside
http GGT2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal 20
telnet 192.168.101.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.101.0 255.255.255.0 inside
ssh GGT 255.255.255.255 outside
ssh GGT2 255.255.255.255 outside
ssh timeout 5



Posted by Scott Perry on August 21, 2008, 10:50 am


This might have to do with the FTP mode being used. Active mode FTP and
passive mode FTP are the choices. The access-list allows the inbound
FTP connection but you probably do not need the access-list entry for
FTP-data.

Try this command:
no ftp mode passive

Also consider adding the fixup FTP command or the inspect FTP command in
the global policy.

-----
Scott Perry
Indianapolis, IN
-----

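A consistency check an engineer might run on a config like the one in this thread before changing FTP modes, as an added example that is not part of either post: it parses the ASA `access-list` and `static` lines, confirms `inspect ftp` is present under policy-map global_policy (the inspection Scott mentions), and flags FTP permits whose host has no static translation. The sample config is constructed but reuses the post's two addresses, 66.244.240.165 in the ACL and 66.224.240.165 in the static, which differ.

```python
import re

# Constructed ASA config excerpt modeled on the post: the ACL permits FTP to
# 66.244.240.165 while the static translates 66.224.240.165, as in the thread.
SAMPLE_CONFIG = """\
ftp mode passive
access-list outside_access_in extended permit tcp any host 66.244.240.165 eq ftp
access-list outside_access_in extended permit tcp any host 66.244.240.165 eq ftp-data
static (inside,outside) 66.224.240.165 Geotech3 netmask 255.255.255.255
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect dns
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any host (\S+) eq (ftp|ftp-data)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) \S+ netmask 255\.255\.255\.255$")

def check_ftp_config(config):
    """Return findings for inbound FTP through an ASA (empty list = looks consistent)."""
    findings = []
    ftp_permits = []        # (acl name, outside ip, service)
    static_outside = set()  # outside IPs that have a one-to-one static
    in_global = False
    inspect_ftp = False
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            ftp_permits.append(m.groups())
            continue
        m = STATIC_RE.match(line)
        if m:
            static_outside.add(m.group(1))
            continue
        if line.startswith("policy-map "):
            in_global = line.split()[1] == "global_policy"
        elif in_global and line.strip() == "inspect ftp":
            inspect_ftp = True
    if not inspect_ftp:
        findings.append("no 'inspect ftp' under policy-map global_policy")
    for acl, ip, svc in ftp_permits:
        if svc == "ftp-data":
            findings.append(f"{acl}: 'eq ftp-data' permit to {ip} is not needed once inspect ftp opens the data channel")
        if ip not in static_outside:
            findings.append(f"{acl}: permit {svc} to {ip} has no matching static translation")
    return findings
```

Running `check_ftp_config(SAMPLE_CONFIG)` on the constructed excerpt reports four findings; correcting the address, removing the ftp-data permit and adding `inspect ftp` brings it to none.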
