Solved

Asa 5505 ftp port forwarding

Posted on 2008-10-05
5
1,948 Views
Last Modified: 2013-12-02
I have a Cisco asa 5505 that will be connected to a T1. Please advise how to port forward ftp. Also, not sure if I have to use our public ip for the outside interface or create a network between the asa and the T1 hand off. Help!
0
Comment
Question by:progonosko
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 7

Expert Comment

by:naughton
ID: 22648437
the T1 would most likely be the outside IP.  you would create a small subnet between the T1 Router and the ASA- i.e. a 10.10.10.0/30  
the t1 being 10.10.10.1 255.255.255.252
the outside ASA being 10.10.10.2 255.255.255.252
unless the T1 requires PPPOE authentication.

you would forward ftp traffic on ports 20 and 21 to 10.10.10.2 if using the 1st method.

if PPPOE or PPPOA then the port forward is not required, and the configuration is simpler.

on the ASA, you must permit the traffic from outside to inside using an access list, and then apply this to the outside interface.  you will also need a static nat statement for both port 20 and 21 as to the destination ip address on the inside network.

first - names:

name insideIP servername

then access list:
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp
access-list ACLIN extended permit tcp any host 10.10.10.10 eq ftp-data

the static NAT
static (inside,outside) outsideIP ServerName netmask 255.255.255.255

0
 
LVL 7

Expert Comment

by:naughton
ID: 22648442
apply the acl to the interface

access-group ACLIN in interface outside

ensure you have the route set

route outside 0.0.0.0 0.0.0.0 next_hop_router 1
0
 
LVL 32

Accepted Solution

by:
harbor235 earned 250 total points
ID: 22648465


I would configure a public address for the ASA outside interface, otherwise you will need to do NAT on the device that terminates the T-1.
To port forward on the ASA do the following;

nat-control
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 <inside_network> 255.255.255.0   (/24 assumed)
access-list NONAT <add entries here to prevent NAT'ng, i.e VPN traffic>

static (inside,outside) tcp interface ftp <inside_IP> ftp netmask 255.255.255.255
access-list outside permit tcp <source_address_for FTP> <mask> host <outside_ip_of_ftp_server> eq ftp

harbor235 ;}
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22649405

Use passive FTP and you only need the one port opened

Add this to your config.

ftp mode passive

harbor235 ;}
0
 

Author Closing Comment

by:progonosko
ID: 31503253
Thanks!
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question