Solved

Asa 5505 ftp port forwarding

Posted on 2008-10-05
5
1,940 Views
Last Modified: 2013-12-02
I have a Cisco asa 5505 that will be connected to a T1. Please advise how to port forward ftp. Also, not sure if I have to use our public ip for the outside interface or create a network between the asa and the T1 hand off. Help!
0
Comment
Question by:progonosko
  • 2
  • 2
5 Comments
 
LVL 7

Expert Comment

by:naughton
ID: 22648437
the T1 would most likely be the outside IP.  you would create a small subnet between the T1 Router and the ASA- i.e. a 10.10.10.0/30  
the t1 being 10.10.10.1 255.255.255.252
the outside ASA being 10.10.10.2 255.255.255.252
unless the T1 requires PPPOE authentication.

you would forward ftp traffic on ports 20 and 21 to 10.10.10.2 if using the 1st method.

if PPPOE or PPPOA then the port forward is not required, and the configuration is simpler.

on the ASA, you must permit the traffic from outside to inside using an access list, and then apply this to the outside interface.  you will also need a static nat statement for both port 20 and 21 as to the destination ip address on the inside network.

first - names:

name insideIP servername

then access list:
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp-data

the static NAT
static (inside,outside) outsideIP ServerName netmask 255.255.255.255

0
 
LVL 7

Expert Comment

by:naughton
ID: 22648442
apply the acl to the interface

access-group ACLIN in interface outside

ensure you have the route set

route outside 0.0.0.0 0.0.0.0 next_hop_router 1
0
 
LVL 32

Accepted Solution

by:
harbor235 earned 250 total points
ID: 22648465


I would configure a public address for the ASA outside interface, otherwise you will need to do NAT on the device that terminates the T-1.
To port forward on the ASA do the following;

nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 <inside_network> 255.255.255.0   (/24 assumed)
access-list NONAT <add entries here to prevent NAT'ng, i.e VPN traffic>

static (inside,outside) tcp interface ftp <inside_IP> ftp netmask 255.255.255.255
access-list outside permit tcp <source_address_for FTP> <mask> host <outside_ip_of_ftp_server> eq ftp

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22649405

Use passive FTP and you only need the one port opened

Add this to your config.

ftp mode passive

harbor235 ;}
0
 

Author Closing Comment

by:progonosko
ID: 31503253
Thanks!
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
cisco ubr7200 problem with  interface Wideband-Cable 1 36
Enabling vNIC failover on a live system 3 77
stacking Catalyst 3650 20 35
Cisco Prime and Maps 3 32
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.
Concerto provides fully managed cloud services and the expertise to provide an easy and reliable route to the cloud. Our best-in-class solutions help you address the toughest IT challenges, find new efficiencies and deliver the best application expe…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now