ASA 5510, FTP server behind a firewall - default gateway problem

I have a server that is connected to the web via an ASA (inside 10.1.1.10, outside 10.2.1.10) then a 3560. In order to create an external ftp connection I have to set the default gw of the server to the inside interface of the firewall (e.g. 10.1.1.8 instead of router 10.1.1.3). However I am then unable to remotely connect to the server from another site (on the same network as the server - 10.1.2.x). Is there any way I can get round this with a static route or something in the switch?
tarn01Asked:

batry_boyCommented:
>>However I am then unable to remotely connect to the server from another site (on the same network as the server - 10.1.2.x).

What do you mean by "from another site" if that other site is "on the same network as the server - 10.1.2.x"?

Could you post a simple network diagram to show what you are talking about?  This will make it easier to analyze and come up with a solution.
tarn01Author Commented:
Sorry it wasn't very clear.

Site A holds all the equipment. Access to the internet is needed for an ftp server; access has also been granted to various devices for support staff.
Site B needs to be able to remotely control the devices at Site A, and Site C needs to be able to support/configure the devices at Site A.

With the default GWs of the devices at Site A set to 10.1.1.3 I can access the devices from the sites but not the internet. With the default GW set to 10.1.1.8 (firewall) I can access the devices from the internet but not from sites B & C.


Network.doc
batry_boyCommented:
What is the default route on the router at site A?  It should be the ASA inside interface.  If it's not, I would change its default route to point to 10.1.1.8.  Then every other device on site A's network (10.1.1.x, including the ftp server) can point to 10.1.1.3 as their default gateway and they should be able to get to the Internet and send traffic to the other sites.

I would probably also look at the entire routing table on the site A router to see what the routes look like for the other sites B & C...don't want to accidentally make a change that cuts off connectivity to sites B & C.  This could happen if, say for example, the current default route on the site A router is set to the MPLS connection.

ngravattCommented:
You should put in static routes for the sites and then put in a default route that points all other traffic to the Internet.

If the ASA is your default gateway, then do something like this on it:

ip route 10.1.0.0 255.255.0.0 10.1.1.3
ip route 0.0.0.0 0.0.0.0 x.x.x.x   (where x.x.x.x = ip of internet gateway)

You could also use the 3560 as a router.
batry_boyCommented:
Actually, I'm sure you already have a default route on the ASA pointing to your Internet gateway since your Internet traffic seems to be flowing OK.

Also, the route command syntax on the ASA is different from a router, which is what ngravatt mentioned above.  The correct syntax is:

route <interface_name> <destination_network> <destination_netmask> <gateway>

So, the above routes would become:

route inside 10.1.0.0 255.255.0.0 10.1.1.3
route outside 0.0.0.0 0.0.0.0 x.x.x.x

You can put in the "route inside 10.1.0.0 255.255.0.0 10.1.1.3" route above, but I don't think this will solve your problem as you describe it since the traffic from the clients on the 10.1.0.0 network getting back to sites B and C seems to be the issue.  Have you tried my previous suggestion above yet?
tarn01Author Commented:
Unfortunately the routers belong to the service providers of the MPLS network, so I'm unable to amend them myself. Change requests take forever to go through. I was hoping to isolate the site traffic on the firewall or switches.
batry_boyCommented:
You could configure your own router on the 3560 since it's a layer 3 switch.  You could then make your hosts on the 10.1.1.x network point to the 3560 as their default gateway like I mentioned in a previous post, and make a static route on the 3560 that points to the 10.1.1.3 router for traffic going to networks 10.1.2.0/24 and 10.1.3.0/24.

You would then make the default route on the 3560 be the ASA inside interface.
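The 3560 configuration that the comment above describes, written out as an added example (not configuration posted by anyone in this thread). It assumes the switch SVI for the 10.1.1.0/24 VLAN is 10.1.1.1 (a constructed address), and that sites B and C are 10.1.2.0/24 and 10.1.3.0/24 as in the previous comment.

```cisco
! Assumed: the 3560 SVI for the 10.1.1.0/24 VLAN is 10.1.1.1 (constructed);
! site B = 10.1.2.0/24 and site C = 10.1.3.0/24 as stated in the comment above.
!
! 3560s ship with layer-3 forwarding off; turn it on.
ip routing
!
interface Vlan1
 description Site A server VLAN - default gateway for 10.1.1.x hosts
 ip address 10.1.1.1 255.255.255.0
 ! Optional: without this the switch sends ICMP redirects telling hosts to
 ! reach 10.1.1.3 directly for site B/C traffic, which lets each host install
 ! its own route; disabling redirects keeps the forwarding path on the switch.
 no ip redirects
 no shutdown
!
! Site-specific traffic goes to the provider's MPLS router (unchanged at 10.1.1.3).
ip route 10.1.2.0 255.255.255.0 10.1.1.3
ip route 10.1.3.0 255.255.255.0 10.1.1.3
!
! Everything else (Internet, including the ftp server's replies) goes to the
! ASA inside interface, so no change request to the MPLS provider is needed.
ip route 0.0.0.0 0.0.0.0 10.1.1.8
!
! Verification: all three routes should appear as "S" (static) entries, and the
! 0.0.0.0/0 entry as the gateway of last resort.
! show ip route static
```

Hosts on 10.1.1.x (the ftp server included) then point at 10.1.1.1 as their default gateway instead of choosing between 10.1.1.3 and 10.1.1.8.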