Solved

Asa 5505 ftp port forwarding

Posted on 2008-10-05
5
1,938 Views
Last Modified: 2013-12-02
I have a Cisco asa 5505 that will be connected to a T1. Please advise how to port forward ftp. Also, not sure if I have to use our public ip for the outside interface or create a network between the asa and the T1 hand off. Help!
0
Comment
Question by:progonosko
  • 2
  • 2
5 Comments
 
LVL 7

Expert Comment

by:naughton
Comment Utility
the T1 would most likely be the outside IP.  you would create a small subnet between the T1 Router and the ASA- i.e. a 10.10.10.0/30  
the t1 being 10.10.10.1 255.255.255.252
the outside ASA being 10.10.10.2 255.255.255.252
unless the T1 requires PPPOE authentication.

you would forward ftp traffic on ports 20 and 21 to 10.10.10.2 if using the 1st method.

if PPPOE or PPPOA then the port forward is not required, and the configuration is simpler.

on the ASA, you must permit the traffic from outside to inside using an access list, and then apply this to the outside interface.  you will also need a static nat statement for both port 20 and 21 as to the destination ip address on the inside network.

first - names:

name insideIP servername

then access list:
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp-data

the static NAT
static (inside,outside) outsideIP ServerName netmask 255.255.255.255

0
 
LVL 7

Expert Comment

by:naughton
Comment Utility
apply the acl to the interface

access-group ACLIN in interface outside

ensure you have the route set

route outside 0.0.0.0 0.0.0.0 next_hop_router 1
0
 
LVL 32

Accepted Solution

by:
harbor235 earned 250 total points
Comment Utility


I would configure a public address for the ASA outside interface, otherwise you will need to do NAT on the device that terminates the T-1.
To port forward on the ASA do the following;

nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 <inside_network> 255.255.255.0   (/24 assumed)
access-list NONAT <add entries here to prevent NAT'ng, i.e VPN traffic>

static (inside,outside) tcp interface ftp <inside_IP> ftp netmask 255.255.255.255
access-list outside permit tcp <source_address_for FTP> <mask> host <outside_ip_of_ftp_server> eq ftp

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
Comment Utility

Use passive FTP and you only need the one port opened

Add this to your config.

ftp mode passive

harbor235 ;}
0
 

Author Closing Comment

by:progonosko
Comment Utility
Thanks!
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now