Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Asa 5505 ftp port forwarding

Posted on 2008-10-05
5
Medium Priority
?
1,956 Views
Last Modified: 2013-12-02
I have a Cisco asa 5505 that will be connected to a T1. Please advise how to port forward ftp. Also, not sure if I have to use our public ip for the outside interface or create a network between the asa and the T1 hand off. Help!
0
Comment
Question by:progonosko
  • 2
  • 2
5 Comments
 
LVL 7

Expert Comment

by:naughton
ID: 22648437
the T1 would most likely be the outside IP.  you would create a small subnet between the T1 Router and the ASA- i.e. a 10.10.10.0/30  
the t1 being 10.10.10.1 255.255.255.252
the outside ASA being 10.10.10.2 255.255.255.252
unless the T1 requires PPPOE authentication.

you would forward ftp traffic on ports 20 and 21 to 10.10.10.2 if using the 1st method.

if PPPOE or PPPOA then the port forward is not required, and the configuration is simpler.

on the ASA, you must permit the traffic from outside to inside using an access list, and then apply this to the outside interface.  you will also need a static nat statement for both port 20 and 21 as to the destination ip address on the inside network.

first - names:

name insideIP servername

then access list:
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp-data

the static NAT
static (inside,outside) outsideIP ServerName netmask 255.255.255.255

0
 
LVL 7

Expert Comment

by:naughton
ID: 22648442
apply the acl to the interface

access-group ACLIN in interface outside

ensure you have the route set

route outside 0.0.0.0 0.0.0.0 next_hop_router 1
0
 
LVL 32

Accepted Solution

by:
harbor235 earned 1000 total points
ID: 22648465


I would configure a public address for the ASA outside interface, otherwise you will need to do NAT on the device that terminates the T-1.
To port forward on the ASA do the following;

nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 <inside_network> 255.255.255.0   (/24 assumed)
access-list NONAT <add entries here to prevent NAT'ng, i.e VPN traffic>

static (inside,outside) tcp interface ftp <inside_IP> ftp netmask 255.255.255.255
access-list outside permit tcp <source_address_for FTP> <mask> host <outside_ip_of_ftp_server> eq ftp

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22649405

Use passive FTP and you only need the one port opened

Add this to your config.

ftp mode passive

harbor235 ;}
0
 

Author Closing Comment

by:progonosko
ID: 31503253
Thanks!
0

Featured Post

WatchGuard Case Study: NCR

With business operations for thousands of customers largely depending on the internal systems they support, NCR can’t afford to waste time or money on security products that are anything less than exceptional. That’s why they chose WatchGuard.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses
Course of the Month10 days, 16 hours left to enroll

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question