tarn01

asked on

ASA 5510, FTP server behind a firewall - default gateway problem

I have a server that is connected to the web via an ASA (inside 10.1.1.10 outside 10.2.1.10)  then a 3560. In order to create an external ftp connection I have to set the default gw of the server to the inside interface of the firewall (eg 10.1.1.8 instead of router 10.1.1.3). However I am then unable to remotely connect to the server from another site (on the same network as the server - 10.1.2.x). Is there any way I can get round this with a static route or something in the switch?
batry_boy

>>However I am then unable to remotely connect to the server from another site (on the same network as the server - 10.1.2.x).

What do you mean by "from another site" if that other site is "on the same network as the server - 10.1.2.x"?

Could you post a simple network diagram to show what you are talking about?  This will make it easier to analyze and come up with a solution.
tarn01

ASKER

Sorry it wasn't very clear.

Site A holds all the equipment. Access to the internet is needed for a ftp server also access has been granted to various devices for support staff.
Site B needs to be able to remotely control the devices at Site A and Site C needs to be able to support/configure the devices at site A.

With the default GWs of the devices at Site A set to 10.1.1.3 I can access the devices from the sites but not the internet. With the default GW set to 10.1.1.8 (firewall) I can access the devices from the internet but not from sites B & C.


Network.doc
What is the default route on the router at site A?  It should be the ASA inside interface.  If it's not, I would change its default route to point to 10.1.1.8.  Then every other device on site A's network (10.1.1.x, including the ftp server) can point to 10.1.1.3 as their default gateway and they should be able to get to the Internet and send traffic to the other sites.

I would probably also look at the entire routing table on the site A router to see what the routes look like for the other sites B & C...don't want to accidentally make a change that cuts off connectivity to sites B & C.  This could happen if, say for example, the current default route on the site A router is set to the MPLS connection.
You should put in static routes for the sites and then put in a default route that points all other traffic to the Internet.

If the ASA is your default gateway, then do something like this on it:

ip route 10.1.0.0 255.255.0.0 10.1.1.3
ip route 0.0.0.0 0.0.0.0 x.x.x.x   (where x.x.x.x = ip of internet gateway)

You could also use the 3560 as a router.
Actually, I'm sure you already have a default route on the ASA pointing to your Internet gateway since your Internet traffic seems to be flowing OK.

Also, the route command syntax on the ASA is different from a router, which is what ngravatt mentioned above.  The correct syntax is:

route <interface_name> <destination_network> <destination_netmask> <gateway>

So, the above routes would become:

route inside 10.1.0.0 255.255.0.0 10.1.1.3
route outside 0.0.0.0 0.0.0.0 x.x.x.x

You can put in the "route inside 10.1.0.0 255.255.0.0 10.1.1.3" route above, but I don't think this will solve your problem as you describe it since the traffic from the clients on the 10.1.0.0 network getting back to sites B and C seems to be the issue.  Have you tried my previous suggestion above yet?
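The routing argument made in this post and in the earlier "What is the default route on the router at site A?" post can be checked with a small longest-prefix-match model. The script below is an added example written for this page, not code from the thread or from Cisco; the topology (server, router 10.1.1.3 and ASA inside 10.1.1.8 on 10.1.1.0/24, sites B and C in other 10.1.x.0/24 subnets behind the MPLS router), the hypothetical host addresses 10.1.2.5 and 203.0.113.7, the guessed current router table, and the rule that an ASA by default will not send a packet back out the interface it arrived on (which would need same-security-traffic permit intra-interface) are all modelling assumptions.

```python
import ipaddress

# Constructed topology modelled on the thread, not the asker's real configuration:
# server and both gateways sit on 10.1.1.0/24; the MPLS router is 10.1.1.3 and the
# ASA inside interface is 10.1.1.8; sites B and C are other 10.1.x.0/24 subnets
# that are only reachable through the MPLS router.
ROUTER = "10.1.1.3"
ASA = "10.1.1.8"
SITE_B_HOST = "10.1.2.5"        # hypothetical host at site B
INTERNET_HOST = "203.0.113.7"   # documentation-range address standing in for an Internet host

# Routing tables as (prefix, outgoing interface, next hop). The next hop
# "connected" means deliver on the attached LAN; "mpls" and "internet" are
# clouds beyond which nothing is modelled.
ROUTER_DEFAULT_TO_MPLS = [          # the state suspected in the thread (assumption)
    ("10.1.1.0/24", "lan", "connected"),
    ("10.1.0.0/16", "mpls", "mpls"),
    ("0.0.0.0/0", "mpls", "mpls"),
]
ROUTER_DEFAULT_TO_ASA = [           # the suggestion: router default route -> ASA inside
    ("10.1.1.0/24", "lan", "connected"),
    ("10.1.0.0/16", "mpls", "mpls"),
    ("0.0.0.0/0", "lan", ASA),
]
ASA_ROUTES = [                      # equivalent of: route outside 0.0.0.0 0.0.0.0 x.x.x.x
    ("10.1.1.0/24", "inside", "connected"),
    ("0.0.0.0/0", "outside", "internet"),
]
ASA_ROUTES_WITH_INSIDE = ASA_ROUTES + [   # plus: route inside 10.1.0.0 255.255.0.0 10.1.1.3
    ("10.1.0.0/16", "inside", ROUTER),
]


def lookup(table, dst):
    """Longest-prefix match; returns (out_iface, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def trace(dst, server_gw, tables, asa_hairpin=False):
    """Follow a packet from the server toward dst through the given tables.

    Returns the hop list, ending in 'delivered', 'mpls', 'internet' or a drop
    reason. Everything on our LAN enters the ASA on its inside interface, and
    by default an ASA will not send a packet back out the interface it arrived
    on (modelling assumption: allowing that needs same-security-traffic permit
    intra-interface, represented here by asa_hairpin=True).
    """
    path, hop = ["server"], server_gw
    for _ in range(6):                       # bounded walk: guards against loops
        path.append(hop)
        if hop not in tables:                # reached a cloud, stop here
            return path
        route = lookup(tables[hop], dst)
        if route is None:
            return path + ["dropped (no route)"]
        out_iface, next_hop = route
        if hop == ASA and out_iface == "inside" and not asa_hairpin:
            return path + ["dropped (ASA intra-interface)"]
        if next_hop == "connected":
            return path + ["delivered"]
        hop = next_hop
    return path + ["dropped (loop)"]


def scenarios():
    """The configurations discussed in the thread, as (path to site B, path to Internet)."""
    current = {ROUTER: ROUTER_DEFAULT_TO_MPLS, ASA: ASA_ROUTES}
    fixed = {ROUTER: ROUTER_DEFAULT_TO_ASA, ASA: ASA_ROUTES}
    asa_inside = {ROUTER: ROUTER_DEFAULT_TO_MPLS, ASA: ASA_ROUTES_WITH_INSIDE}
    return {
        "server gw = router (as-is)": (trace(SITE_B_HOST, ROUTER, current),
                                       trace(INTERNET_HOST, ROUTER, current)),
        "server gw = ASA (as-is)": (trace(SITE_B_HOST, ASA, current),
                                    trace(INTERNET_HOST, ASA, current)),
        "router default -> ASA, server gw = router": (trace(SITE_B_HOST, ROUTER, fixed),
                                                      trace(INTERNET_HOST, ROUTER, fixed)),
        "server gw = ASA with route inside 10.1.0.0/16": (trace(SITE_B_HOST, ASA, asa_inside),
                                                          trace(INTERNET_HOST, ASA, asa_inside)),
    }


if __name__ == "__main__":
    for name, (to_b, to_inet) in scenarios().items():
        print(f"{name}\n  -> site B:   {' > '.join(to_b)}\n  -> Internet: {' > '.join(to_inet)}")
```

Running the script prints one path pair per scenario. It reproduces both symptoms from the question (gateway on the router sends Internet traffic into the MPLS cloud; gateway on the ASA sends site B traffic out the outside interface), shows that pointing the router's default route at the ASA inside address while the server keeps 10.1.1.3 reaches both destinations, and shows why the extra route inside 10.1.0.0/16 on the ASA alone does not help: the ASA has to turn the packet around on the interface it came in on, which it refuses by default.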
tarn01

ASKER

Unfortunately the routers belong to the service providers of the MPLS network, so I'm unable to amend them myself. Change requests take forever to go through. I was hoping to isolate the site traffic on the firewall or switches.
ASKER CERTIFIED SOLUTION
batry_boy