ftp in dmz

Hi All,

I am fairly certain this is something that happens all the time and is a very easy thing to do for most. I have never set up a DMZ and am not the best at PIX. I have an ASA 5510 and I am trying to set up an FTP server in the DMZ that I can reach from inside and outside (neither works as of now). I have done the following:

access-list outside_access_in extended permit tcp any host eq ftp
access-list DMZ1_access_in extended permit tcp host 192.168.60.15 192.168.9.0 255.255.255.0 eq ftp

global (outside) 1 interface
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

static (DMZ1,outside) 192.168.60.10 netmask 255.255.255.255
static (DMZ1,outside) 192.168.60.15 netmask 255.255.255.255
static (inside,DMZ1) 192.168.9.0 192.168.9.0 netmask 255.255.255.0

access-group outside_access_in in interface outside
access-group DMZ1_access_in in interface DMZ1

The FTP host's private IP in the DMZ is 192.168.60.15. Private hosts inside reside on 192.168.9.0.

When I view the live log, I do not see any errors, just the following when I attempt a connection from the inside:

6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout

I do not have any egress filtering (no ACL on my inside interface). The ASA has the necessary inspect ftp command.

Can someone please help?

TIA,

R
Reply to
rhltechie

Hi,

It seems to me that you are not letting the traffic back out of your DMZ.

This ACL says allow traffic from your mail server to your network destined for the FTP port. Won't the source port be FTP for the return traffic? It should thus read something like:

access-list DMZ1_access_in extended permit tcp host 192.168.60.15 eq ftp 192.168.9.0 255.255.255.0

This would be why you are getting timeouts: no return traffic is coming back. Hope this helps.

Reply to
K.J. 44

Thank you for your reply.

I thought the same and tried it like this first, with the source port being FTP, but I get the same response and the same messages in the log.


Reply to
rhltechie


It is difficult to see if any other part of your config may be affecting what you are trying to achieve here.

Just out of curiosity: if you have an ASA then you have access to the ASDM software tool. In the GUI you have the option to simulate traffic passing between interfaces based on a number of criteria that you can set; it's very straightforward.

As you run the packet flow simulation, the ASA will tell you whether the packet will be accepted or rejected on the various criteria (NAT, access-list, etc.) that you have defined in your config. At the point where it fails you can click to find out where it failed, making troubleshooting much easier.

HTH.

Regards

Darren

Reply to
Darren Green


You cannot static the same public IP to two different internal addresses, not unless you add in [different] port restrictions.

Also, if is the same as the outside interface of your ASA (or PIX), then you must use port restrictions.

For the ASA, that would look like,

static (DMZ1,outside) tcp ftp 192.168.60.15 ftp netmask 255.255.255.255

For PIX 6.3, it would look like,

static (DMZ1,outside) tcp interface ftp 192.168.60.15 ftp netmask 255.255.255.255

You only need to static (inside,DMZ1) if you need DMZ1 to be able to initiate connections to inside (but then why bother with a DMZ?), or if it is important on the DMZ device to be able to figure out exactly which inside device is connecting (e.g., for logs or differential access purposes.)

An access-group applied "in" interface DMZ1 controls the locations that DMZ1 is able to initiate connections to. Unless you need your ftp server to be able to initiate ftp sessions to inside, get rid of that.

Either there is something -very- wrong with your systems or else your log outputs events in reverse chronological order.

Reply to
Walter Roberson
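The log lines in the original post are worth reading more carefully than the thread does. A 302013 "Built" message is only logged after the SYN has cleared the access-list and NAT, and a 302014 teardown with "SYN Timeout" and "bytes 0" means the SYN was forwarded but no SYN-ACK ever came back from the server. That points past the ASA policy to the FTP host itself (host firewall, service not listening, wrong default gateway), not to the DMZ ACL. The script below is an added example, not code from the thread or from Cisco: it parses the four pipe-delimited syslog lines exactly as posted, sorts them into time order (the paste is newest-first, which is what Walter noticed), pairs Built/Teardown events by connection id and classifies each flow. It assumes the log format shown in the post only (other ASA message types are ignored), and that in these outbound messages the "for" endpoint is the responder and the "to" endpoint is the initiator, as the port numbers (21 vs. ephemeral) show.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four syslog lines (302013 Built / 302014 Teardown) pasted in the original
# post, one per line, in the order they were posted (newest first).
POSTED_LOG = """\
6|Jan 05 2007 09:53:39|302014: Teardown TCP connection 67046549 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1420 duration 0:00:30 bytes 0 SYN Timeout
6|Jan 05 2007 09:53:30|302013: Built outbound TCP connection 67046634 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1421 (192.168.9.75/1421)
6|Jan 05 2007 09:53:08|302013: Built outbound TCP connection 67046549 for DMZ1:192.168.60.15/21 (192.168.60.15/21) to inside:192.168.9.75/1420 (192.168.9.75/1420)
6|Jan 05 2007 09:53:08|302014: Teardown TCP connection 67046336 for DMZ1:192.168.60.15/21 to inside:192.168.9.75/1419 duration 0:00:30 bytes 0 SYN Timeout
"""

# Assumed layout, taken from the lines above only:
#   <sev>|<timestamp>|<msgid>: <Built|Teardown> [inbound|outbound] TCP connection <id>
#   for <if>:<ip>/<port> [(mapped)] to <if>:<ip>/<port> [(mapped)]
#   [duration H:MM:SS bytes N [reason]]
# In these outbound messages "for" is the responder (FTP server, port 21) and
# "to" is the initiator (inside client on an ephemeral port).
LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2})\|(?P<msgid>\d{6}): "
    r"(?P<event>Built|Teardown) (?:(?P<dir>inbound|outbound) )?TCP connection (?P<conn>\d+) "
    r"for (?P<resp_if>\w+):(?P<resp_ip>[\d.]+)/(?P<resp_port>\d+)(?: \([^)]*\))? "
    r"to (?P<init_if>\w+):(?P<init_ip>[\d.]+)/(?P<init_port>\d+)(?: \([^)]*\))?"
    r"(?: duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?)?$"
)


def parse_line(line):
    """Return a dict for one 302013/302014 line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%b %d %Y %H:%M:%S")
    d["conn"] = int(d["conn"])
    d["bytes"] = None if d["bytes"] is None else int(d["bytes"])
    return d


def log_order(text):
    """'oldest-first', 'newest-first' or 'mixed', judged from the timestamps."""
    stamps = [e["ts"] for e in map(parse_line, text.splitlines()) if e]
    if stamps == sorted(stamps):
        return "oldest-first"
    if stamps == sorted(stamps, reverse=True):
        return "newest-first"
    return "mixed"


def analyze(text):
    """Pair Built/Teardown events per connection id and classify each flow.

    Verdicts:
      no_syn_ack     built (ACL and NAT passed the SYN) but torn down with
                     'SYN Timeout' and 0 bytes: the responder never answered
      closed_no_data torn down for some other reason with no payload
      completed      torn down after carrying data
      open           no teardown present in the log
    """
    events = [e for e in map(parse_line, text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # time order, however the log was pasted
    by_conn = defaultdict(dict)
    for e in events:
        by_conn[e["conn"]][e["event"]] = e
    report = {}
    for conn, ev in sorted(by_conn.items()):
        built, torn = ev.get("Built"), ev.get("Teardown")
        ref = torn or built
        if torn is None:
            verdict = "open"
        elif torn["reason"] == "SYN Timeout" and torn["bytes"] == 0:
            verdict = "no_syn_ack"
        elif torn["bytes"] == 0:
            verdict = "closed_no_data"
        else:
            verdict = "completed"
        report[conn] = {
            "initiator": f"{ref['init_if']}:{ref['init_ip']}/{ref['init_port']}",
            "responder": f"{ref['resp_if']}:{ref['resp_ip']}/{ref['resp_port']}",
            "built_seen": built is not None,
            "duration": torn["dur"] if torn else None,
            "bytes": torn["bytes"] if torn else None,
            "reason": torn["reason"] if torn else None,
            "verdict": verdict,
        }
    return report


def explain(entry):
    """One-line troubleshooting hint for an analyze() entry."""
    path = f"{entry['initiator']} -> {entry['responder']}"
    if entry["verdict"] == "no_syn_ack":
        return (f"ASA permitted {path} (connection built) but saw no SYN-ACK in "
                f"{entry['duration']}: not an ACL/NAT problem; check the responder's "
                f"host firewall, that the service is listening, and its default gateway")
    if entry["verdict"] == "open":
        return f"{path} still open when the log was taken"
    return f"{path} closed: {entry['reason']}, {entry['bytes']} bytes"


if __name__ == "__main__":
    print("log order:", log_order(POSTED_LOG))
    for conn, entry in analyze(POSTED_LOG).items():
        print(conn, entry["verdict"], "-", explain(entry))
```

Run as-is it reports the posted log as newest-first, flags connections 67046336 and 67046549 as "no_syn_ack" (the second one with both its Built and Teardown lines present), and leaves 67046634 as still open, which matches what the poster eventually found: the ASA was forwarding the SYN and the FTP host's own firewall was dropping it.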

Hi Darren,

I have never seen this or used it in the ASDM. Can you tell me how to get to it? I have looked through the ASDM and see nothing of the sort.

Thanks


Reply to
rhltechie

Thanks for all the help, guys... I figured out my issue. Something lame... the friggin' XP firewall was on, preventing me from using FTP... or anything else, for that matter.

Reply to
rhltechie
