ASA5510 - How to allow access to ftp site over internet from just one client

I have an FTP site that is only accessed via a large private WAN that interconnects most of the hospitals and clinics in our area.  We now have a client in Alaska (I'm in Washington) that is not on this private WAN, but I need to give them access to our FTP site without making it completely public.  Site to Site VPN is not an option, nor is a client based VPN unless there is a way to have it always on.

I have the outside ip address of their gateway, so I am wondering if I can assign my FTP site an outside ip address that can only be accessed by their gateway ip address, and maybe put it on some obscure port.  Is this possible?  Thanks!

Mark
Asked by cansib
Pete Long (Technical Consultant) commented:
You must have an IP address that they can see, be that either your public IP on the outside interface or a spare public IP address.

Option 1: use your existing outside IP and port forward FTP
name 192.168.1.10 myFTPsite
name 999.999.999.999 MY-Remote-FTP-person
access-list inbound extended permit tcp host MY-Remote-FTP-person interface outside eq ftp
access-group inbound in interface outside
static (inside,outside) tcp interface ftp myFTPsite ftp netmask 255.255.255.255

Option 2: use a spare public IP address (123.123.123.123)
name 192.168.1.10 myFTPsite-internal
name 123.123.123.123 myFTPsite-external
name 999.999.999.999 MY-Remote-FTP-person
access-list inbound extended permit tcp host MY-Remote-FTP-person host myFTPsite-external eq ftp
access-group inbound in interface outside
static (inside,outside) myFTPsite-external myFTPsite-internal netmask 255.255.255.255

After each, issue a clear xlate command, and save your hard work with a write mem command :)
 
rsivanandan commented:
>>I have the outside ip address of their gateway, so I am wondering if I can assign my FTP site an outside ip address that can only be accessed by their gateway ip address, and maybe put it on some obscure port.  Is this possible?  Thanks!

Yes, you can do this without issues (just make sure with the client that they NAT out using that IP when they get out to the internet). Then when you do the static NAT/port forwarding (some obscure port would be a good idea), have an access-list allow access to that port only from their gateway IP. Done.

Cheers,
rsivanandan

cansib (Author) commented:
Hi,

So does this look like it should work?

name <my-inside-ip> inside-ftp-site
name <client-outside-ip> Client-forFTP
name <outside-ip-for-my-ftp-site> FTP-External description FTP site external address
object-group service FTP2 tcp
 description FTP for outside access
 port-object eq <some-obscure-port>
access-list outside extended permit tcp host Client-forFTP host FTP-External object-group FTP2
access-group outside in interface outside
! static PAT takes a single mapped port, not an object-group
static (inside,outside) tcp FTP-External <some-obscure-port> inside-ftp-site ftp netmask 255.255.255.255
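Pulling the thread's pieces together as an added example (not Pete's or cansib's own config): the spare-public-IP variant with the obscure port in pre-8.3 ASA syntax, an explicit logged deny so anyone else probing the mapped address shows up in syslog, and packet-tracer checks for the permitted and a denied source. The addresses and port 2121 are constructed placeholders, and the FTP inspection class-map assumes the ASA's default inspection only watches port 21, so the non-standard port needs its own match for passive/active data connections to be fixed up.

```cisco
! Constructed sample values (RFC 5737 documentation ranges), not from the thread:
!   inside FTP server 192.168.1.10, spare public IP 198.51.100.21,
!   client's gateway 203.0.113.5, non-standard listening port 2121
name 192.168.1.10 inside-ftp-site
name 203.0.113.5 Client-forFTP
name 198.51.100.21 FTP-External description FTP site external address
!
! Only the client's gateway may reach the mapped address, and only on 2121.
! The explicit deny is redundant with the implicit one but gives a log line
! for every other source that tries the address.
access-list outside extended permit tcp host Client-forFTP host FTP-External eq 2121
access-list outside extended deny ip any host FTP-External log
access-group outside in interface outside
!
! Static PAT: outside port 2121 on the spare public IP maps to port 21 on the server.
static (inside,outside) tcp FTP-External 2121 inside-ftp-site ftp netmask 255.255.255.255
!
! Assumption: default FTP inspection only matches port 21, so the port the client
! actually connects to is added to the global policy.
class-map ftp-2121
 match port tcp eq 2121
policy-map global_policy
 class ftp-2121
  inspect ftp
!
clear xlate
write memory
!
! Verification from enable mode: the first trace should end in ALLOW and show the
! xlate to 192.168.1.10/21, the second (constructed unrelated source) in DROP on the ACL.
packet-tracer input outside tcp 203.0.113.5 40000 198.51.100.21 2121
packet-tracer input outside tcp 192.0.2.77 40000 198.51.100.21 2121
```

`show access-list outside` afterwards shows hit counts on both entries, which is the quickest way to confirm the client is matching the permit line rather than falling through to the deny.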
 
rsivanandan commented:
Yes.

Cheers,
rsivanandan

cansib (Author) commented:
Thanks!