ASA FTP config using PAT

Posted on 2007-03-19
Medium Priority
Last Modified: 2008-11-08
PIX ASA FTP configuration for a PAT config. I can't seem to figure out if I should use ASDM for this and how. Can someone provide a ASA sample config for FTP access from all outside users. What should the STATIC command look like if I'm doing PAT and not static NAT (1 to 1) for teh FTP server? Where do I specify the internal address of my FTP server. I have inpsect ftp enabled (as its on by default).

Question by:murphymail
LVL 28

Expert Comment

ID: 18754054
It will look like this:

static (dmz,outside) tcp interface 21 <real_ip_address> 21 netmask

This assumes your ftp server is on an interface named "dmz", that you want to use the firewall's public interface IP address for PAT, and that <real_ip_address> is the internal IP address of your ftp server.

Of course, you'll also need the appropriate ACL applied to the outside interface to allow the traffic through, like this:

access-list acl_outside_in permit tcp any host <public_ip_of_firewall> eq ftp
access-group acl_outside_in in interface outside
LVL 32

Accepted Solution

rsivanandan earned 1500 total points
ID: 18756089
I guess the acl needs a small change;

>>access-list acl_outside_in permit tcp any host <public_ip_of_firewall> eq ftp

access-list acl_outside_in permit tcp any interface outside eq ftp

Or if you're doing the port forward using another ip address other than the one assigned on the outside interface, the syntax remains the same;

static (inside,outside) tcp <PublicIP> 21 <real_ip_address> 21 netmask

access-list acl_outside_in permit tcp any host <PublicIP> eq ftp
access-group acl_outside_in in interface outside


Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
In this article, we’ll look at how to deploy ProxySQL.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question