• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1964
  • Last Modified:

Asa 5505 ftp port forwarding

I have a Cisco asa 5505 that will be connected to a T1. Please advise how to port forward ftp. Also, not sure if I have to use our public ip for the outside interface or create a network between the asa and the T1 hand off. Help!
0
progonosko
Asked:
progonosko
  • 2
  • 2
1 Solution
 
naughtonCommented:
the T1 would most likely be the outside IP.  you would create a small subnet between the T1 Router and the ASA- i.e. a 10.10.10.0/30  
the t1 being 10.10.10.1 255.255.255.252
the outside ASA being 10.10.10.2 255.255.255.252
unless the T1 requires PPPOE authentication.

you would forward ftp traffic on ports 20 and 21 to 10.10.10.2 if using the 1st method.

if PPPOE or PPPOA then the port forward is not required, and the configuration is simpler.

on the ASA, you must permit the traffic from outside to inside using an access list, and then apply this to the outside interface.  you will also need a static nat statement for both port 20 and 21 as to the destination ip address on the inside network.

first - names:

name insideIP servername

then access list:
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp-data

the static NAT
static (inside,outside) outsideIP ServerName netmask 255.255.255.255

0
 
naughtonCommented:
apply the acl to the interface

access-group ACLIN in interface outside

ensure you have the route set

route outside 0.0.0.0 0.0.0.0 next_hop_router 1
0
 
harbor235Commented:


I would configure a public address for the ASA outside interface, otherwise you will need to do NAT on the device that terminates the T-1.
To port forward on the ASA do the following;

nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 <inside_network> 255.255.255.0   (/24 assumed)
access-list NONAT <add entries here to prevent NAT'ng, i.e VPN traffic>

static (inside,outside) tcp interface ftp <inside_IP> ftp netmask 255.255.255.255
access-list outside permit tcp <source_address_for FTP> <mask> host <outside_ip_of_ftp_server> eq ftp

harbor235 ;}
0
 
harbor235Commented:

Use passive FTP and you only need the one port opened

Add this to your config.

ftp mode passive

harbor235 ;}
0
 
progonoskoAuthor Commented:
Thanks!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now