Solved

DMZ setup on ASA 5505

Posted on 2011-09-15
2,116 Views
Last Modified: 2012-06-27
Hi everyone,

I have some problems setting up the DMZ on my Cisco ASA 5505.
I have had some Cisco CLI commands, but ACLs are too complicated for me at this point. I would like to administer the device through the GUI and then learn the CLI commands that are linked to them, or the other way around.

Currently all of my servers are in the LAN. I want to put the FTP-server in the DMZ for safety issues. I have already tried pinging the DMZ but I couldn't do this. Even after some testing with ACL and NAT.

I hope you can help me to get this DMZ-zone working.
I would like to do the following:
    * FTP-server in the DMZ so that port 21 can be accessed from the outside and inside.
    * FTP-server can be accessed through RDP in the DMZ, directly from the outside and inside.
    * The FTP-server also hosts some files which need to be accessed from the LAN. I think I need to open ports SMB 135-139 (TCP and UDP) and NetBIOS 445 (TCP and UDP) towards the DMZ from the LAN?

That is pretty much it. I have enclosed the config that I am running now.
I hope you can help me.

Thanks in advance!
config.txt
Question by:Silencer001
Expert Comment (LVL 35)
by:Ernie Beek
Quick question first: are you using the basic version of the OS?

Author Comment
by:Silencer001
What exactly do you mean? I am using Cisco ASDM 6.4 for ASA.
I have the SEC-BUN-K9 Firewall Edition Bundle..

I hope this answers your question. Sorry for the inconvenience.

Expert Comment (LVL 35)
by:Ernie Beek
First we'll need:
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 as discussed in your previous question so when hosts from the LAN access the DMZ their addresses will be translated back on to them selves.
After that you'll need to set up the access lists to allow traffic. I would get rid of: access-list inside_access_in extended permit icmp any any because now the only thing you can do from the LAN is ping (an access-list is always ended by an implicit 'deny all').

You'll have to change the static (inside,outside) tcp interface ftp FTP-server ftp netmask 255.255.255.255 when the server is moving to the DMZ: static (dmz,outside) tcp interface ftp FTP-server ftp netmask 255.255.255.255 and change the ip value of FTP-server accordingly.

Also some change to the dmz access list might be handy, depending on what you would like to allow through.


Expert Comment (LVL 5)
by:CWCertus1
Base License info:-

You will not be able to have more than 2 accessible physical interfaces on this as it only supports 2. You can have a third, but only 1 of the other interfaces can access it, i.e. the DMZ can have internet access or LAN access.

If you have the security plus license, you can have more.

If you would like more info please see:-

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/ifcs5505.pdf

Expert Comment (LVL 35)
by:Ernie Beek
Ah, that means security plus. No problems there :)

Expert Comment (LVL 17)
by:Garry-G
Setting the "Enable traffic through the firewall without address translation" option will allow un-NATed communication through the firewall, so you can remove the same-address translation you configured (which actually isn't doing what you want - it provides connectivity of your INTERNAL network to the systems in your DMZ).

Author Comment
by:Silencer001
@erniebeek: Thanks for your suggestions. I just changed this, but I am still not able to ping my DMZ from my LAN. Is there anything else I need to adjust?

@Garry-G: I actually don't understand what you mean.. You mean by unticking this box, there is no need for the NAT rules I have set up for this device?

Thanks for your replies!

Expert Comment (LVL 17)
by:Garry-G
If you set the checkmark, it makes the NAT rules unnecessary for un-NATed hosts ... all you then need is the access rules ... (mainly from DMZ to Inside, if you still have the default active)

Expert Comment (LVL 35)
by:Ernie Beek
Could you post a sanitized config so we can have a look (I'm just a CLI guy ;).

Author Comment
by:Silencer001
What is the difference between a sanitized config and the config I provided? At this moment I only know how to generate that config, I'm sorry.

Expert Comment (LVL 35)
by:Ernie Beek
Sanitized just means you leave out any security sensitive information like public ip's, usernames, etc. By the looks of it the previous was safe enough :)
I just would like to see what the config is now.

Author Comment
by:Silencer001
Ah ookkk. I copy-pasted it from the current config and I pasted the content that is important for this. I hope I didn't overlook some things.. Thanks again ;-)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.0.0.0 
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0 
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 18081
 port-object eq 3389
 port-object eq 4125
 port-object eq 987
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq pptp
 port-object eq smtp
 port-object eq ssh
 port-object eq 4210
 port-object eq 15000
 port-object eq 4203
 port-object eq 4205
object-group service Special
 description Zelf aangemaakte services
 service-object tcp eq 18081 
 service-object tcp eq 3389 
 service-object tcp eq 4125 
 service-object tcp eq 987 
 service-object tcp eq 4210 
 service-object tcp eq 4203 
 service-object tcp eq 4205 
 service-object tcp eq 15000 
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1 
access-list inside_access_in extended permit icmp any any

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp a2osbs smtp netmask 255.255.255.255 
static (inside,outside) tcp interface www a2osbs www netmask 255.255.255.255 
static (inside,outside) tcp interface ftp FTP-server ftp netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 a2osbs imap4 netmask 255.255.255.255 
static (inside,outside) tcp interface 987 a2osbs 987 netmask 255.255.255.255 
static (inside,outside) tcp interface https a2osbs https netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 a2osbs pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface 4205 server-archx 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4210 FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 18081 server-archx 18081 netmask 255.255.255.255 
static (inside,outside) tcp interface 4125 a2osbs 4125 netmask 255.255.255.255 
static (inside,outside) tcp interface 15000 a2osbs 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4203 Oude_Server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface pptp a2osbs pptp netmask 255.255.255.255 
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside


Expert Comment (LVL 35)
by:Ernie Beek
Ok, let's try:

no access-group inside_access_in in interface inside

And:

access-list dmz_access_in extended permit host 192.168.3.x any
access-group dmz_access_in in interface dmz

To see if we can get connectivity, 192.168.3.x is the address of the FTP server in the DMZ of course.

Oh, and:

no static (inside,outside) tcp interface ftp FTP-server ftp netmask 255.255.255.255
static (dmz,outside) tcp interface ftp 192.168.3.x ftp netmask 255.255.255.255

For the access from the outside.

Author Comment
by:Silencer001
Thanks for the commands, but I get an error message on these commands:
access-list dmz_access_in extended permit host 192.168.3.x any
access-group dmz_access_in in interface dmz

I have enclosed a screenshot of the error.
error-message

Expert Comment (LVL 35)
by:Ernie Beek
Aargh, my wrong. It should be:

access-list dmz_access_in extended permit ip host 192.168.3.x any
access-group dmz_access_in in interface dmz

Author Comment
by:Silencer001
Thanks for this erniebeek.

I tried to ping from LAN to DMZ and the other way around but I am not able to get a response. Firewalls on both devices are off and if they are both in the LAN then I get a response.

Thanks for your help, appreciate it! I hope we can get to a solution.
This is the new config:


interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.0.0.0 
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0 
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 18081
 port-object eq 3389
 port-object eq 4125
 port-object eq 987
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq pptp
 port-object eq smtp
 port-object eq ssh
 port-object eq 4210
 port-object eq 15000
 port-object eq 4203
 port-object eq 4205
object-group service Special
 description Zelf aangemaakte services
 service-object tcp eq 18081 
 service-object tcp eq 3389 
 service-object tcp eq 4125 
 service-object tcp eq 987 
 service-object tcp eq 4210 
 service-object tcp eq 4203 
 service-object tcp eq 4205 
 service-object tcp eq 15000 
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1 
access-list dmz_access_in extended permit ip host 192.168.3.210 any 
access-list inside_access_in extended permit icmp any any 

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp a2osbs smtp netmask 255.255.255.255 
static (inside,outside) tcp interface www a2osbs www netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 a2osbs imap4 netmask 255.255.255.255 
static (inside,outside) tcp interface 987 a2osbs 987 netmask 255.255.255.255 
static (inside,outside) tcp interface https a2osbs https netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 a2osbs pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface 4205 server-archx 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4210 FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 18081 server-archx 18081 netmask 255.255.255.255 
static (inside,outside) tcp interface 4125 a2osbs 4125 netmask 255.255.255.255 
static (inside,outside) tcp interface 15000 a2osbs 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4203 Oude_Server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface pptp a2osbs pptp netmask 255.255.255.255 
static (dmz,outside) tcp interface ftp 192.168.3.210 ftp netmask 255.255.255.255 
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz


Expert Comment (LVL 35)
by:Ernie Beek
I'm sure we'll get there :)

Let's see, do you have the inspect rules in place? Should be something like:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global


And, because you put the ftp server in the DMZ, are the ip settings on the server ok (right ip address, default gateway, etc)?

Otherwise we might want to have a look at the (asdm) logs.

Author Comment
by:Silencer001
No, none of these commands are active. I honestly have never even heard of them.
The IP-settings are also correct and connected to the right interface.

OKKKK, so now you made me feel stupid lol.. I didn't set the default gateway on my laptop. Forgot that it was needed to route between networks...

The FTP-server is also working and I can also access the shares on this computer, nice!

The strange thing is: when I try to access the FTP-server from the outside, the router is directly forwarding me to the 192.168.3.210 address. The NAT is still active for 192.168.2.210.. I also can't find a graphical representation for the CLI you gave me?

How do I forward passive ports 50000-50050 from my router to my FTP-server? Because at the moment the passive mode is not working for the FTP when I connect from the outside..

Do the previous commands mean that everything from LAN to DMZ should work normally?

Thanks again, I can feel we will get there today!! Thanks!!

Expert Comment (LVL 35)
by:Ernie Beek
The strange thing is: when I try to access the FTP-server from the outside, the router is directly forwarding me to the 192.168.3.210 address. The NAT is still active for 192.168.2.210.
Correct, we're doing PAT (Port Address Translation). So we only forward one port from the public IP to (in this case) the same port on an ip in the dmz/lan. Theoretically you could forward every port to another ip this way.

How do I forward passive ports 50000-50050 from my router to my FTP-server?
Hehe, with a lot of copy/paste. Because we're doing PAT, you'll need a static for every port:

From
static (dmz,outside) tcp interface 50000 192.168.3.x 50000 netmask 255.255.255.255
to
static (dmz,outside) tcp interface 50050 192.168.3.x 50050 netmask 255.255.255.255

Access list is simpler:
object-group service DM_INLINE_TCP_1 tcp
 port-object range 50000 50050


Of course if you use a separate ip on the outside to do a one to one nat, you wouldn't need the 50 statics, just one. For example:
static (dmz,outside) 10.10.10.2 192.168.3.210 netmask 255.255.255.255
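With interface PAT every forwarded port needs both an ACE on the outside interface and a matching static, and the two lists drift apart easily (the posted config permits 3389 and ssh on the outside with no static for them). The following audit script is an added example, not code from the thread or from Cisco: it parses the kinds of lines posted above and reports ports permitted but not translated, and statics the ACL never permits. NAMED_PORTS is an assumed subset of the ASA's port names, and SAMPLE_CONFIG is a constructed excerpt modelled on the configuration posted in this thread.

```python
"""Audit an ASA 8.2-style configuration for PAT/ACL consistency (added example)."""
import re

# Assumed subset of the port names the ASA prints in 'show run'.
NAMED_PORTS = {
    "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80,
    "pop3": 110, "imap4": 143, "https": 443, "pptp": 1723,
}

# static (real_if,outside) tcp interface OUT_PORT HOST REAL_PORT netmask ...
STATIC_RE = re.compile(
    r"static \((\w+),outside\) tcp interface (\S+) (\S+) (\S+) netmask"
)
# access-list NAME extended permit tcp any interface outside (object-group G | eq P)
ACE_RE = re.compile(
    r"access-list \S+ extended permit tcp any interface outside (.*)"
)


def port_number(token):
    """Resolve 'ftp' or '4230' to an integer port."""
    return NAMED_PORTS[token] if token in NAMED_PORTS else int(token)


def parse_object_groups(lines):
    """Map each 'object-group service NAME tcp' to the set of ports it holds."""
    groups, current = {}, None
    for line in lines:
        if line.startswith(" "):            # indented: body of the open block
            if current is None:
                continue
            m = re.match(r"\s+port-object eq (\S+)", line)
            if m:
                current.add(port_number(m.group(1)))
            m = re.match(r"\s+port-object range (\S+) (\S+)", line)
            if m:
                lo, hi = port_number(m.group(1)), port_number(m.group(2))
                current.update(range(lo, hi + 1))
            continue
        m = re.match(r"object-group service (\S+) tcp$", line.rstrip())
        current = groups.setdefault(m.group(1), set()) if m else None
    return groups


def parse_statics(lines):
    """Map outside port -> (real interface, real host, real port) for interface PAT."""
    statics = {}
    for line in lines:
        m = STATIC_RE.match(line.strip())
        if m:
            real_if, out_port, host, real_port = m.groups()
            statics[port_number(out_port)] = (real_if, host, port_number(real_port))
    return statics


def outside_permitted_ports(lines, groups):
    """Collect TCP ports permitted towards the outside interface address itself."""
    allowed = set()
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        parts = m.group(1).split()
        if len(parts) < 2:
            continue
        kind, value = parts[0], parts[1]
        if kind == "object-group":
            allowed |= groups.get(value, set())
        elif kind == "eq":
            allowed.add(port_number(value))
    return allowed


def audit(config_text):
    """Return the statics found plus the two mismatch lists a reviewer wants."""
    lines = config_text.splitlines()
    groups = parse_object_groups(lines)
    statics = parse_statics(lines)
    allowed = outside_permitted_ports(lines, groups)
    return {
        "statics": statics,
        "permitted_without_static": sorted(allowed - set(statics)),
        "static_without_permit": sorted(set(statics) - allowed),
    }


# Constructed excerpt modelled on the config posted in this thread.
SAMPLE_CONFIG = """\
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq ftp
 port-object eq www
 port-object eq ssh
 port-object eq 4230
 port-object range 50000 50050
object-group service Special
 description Zelf aangemaakte services
 service-object tcp eq 3389
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1
static (inside,outside) tcp interface www a2osbs www netmask 255.255.255.255
static (dmz,outside) tcp interface 4230 DMZ_FTP-server 3389 netmask 255.255.255.255
static (dmz,outside) tcp interface ftp DMZ_FTP-server ftp netmask 255.255.255.255
static (dmz,outside) tcp interface 50000 DMZ_FTP-server 50000 netmask 255.255.255.255
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("permitted on outside, no static:", report["permitted_without_static"])
    print("static present, never permitted:", report["static_without_permit"])
```

On the sample this flags 22, 3389 and 50001-50050 as permitted but untranslated, which is exactly the copy/paste gap Ernie describes for the passive range.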

Author Comment
by:Silencer001
Sorry I was looking in the wrong place for NAT and PAT thing. Port 21 is open on the outside interface and in the GUI I can now also see that port 21 is forwarded to the DMZ-address. I see this in the NAT-section and I was looking in the "Access Rules" section.

So I can choose between the copy/paste for PAT or the access list?
With what command is this access list linked to the outside interface?


What did these commands actually do:? Could you maybe explain this line by line?
no access-group inside_access_in in interface inside
access-list dmz_access_in extended permit host 192.168.3.x any
access-group dmz_access_in in interface dmz


Thanks again mate!

Expert Comment (LVL 35)
by:Ernie Beek
Ok, here we go:

So I can choose between the copy/paste for PAT or the access list
For the PAT: yes, just don't forget to change the port numbers. For the access list: you're using an object group there. With:
object-group service DM_INLINE_TCP_1 tcp
 port-object range 50000 50050

You added the ports to that object group.

no access-group inside_access_in in interface inside
Here we removed the access list from the inside interface (so the command with 'no' in front)

access-list dmz_access_in extended permit ip host 192.168.3.x any
This creates an entry in the access list (a so-called ACE) that permits all sorts of traffic (ip) from that machine (host 192.168.3.x) to all destinations (any). Of course that can be restricted (especially to the inside).

access-group dmz_access_in in interface dmz
This links the access list to the interface.

And again, you're welcome ;)

Author Comment
by:Silencer001
Ahh yeah I see.. The port range was added to this list. Thanks!!

So now everything from the DMZ is permitted to the LAN with this command "access-list dmz_access_in extended permit ip host 192.168.3.x any" ? So at this point, the DMZ isn't really a dmz?

The FTP from the outside is still not working. When connecting from the LAN to the DMZ, it works fine.. I get the following error-message:

You probably don't mind that it is in Dutch ;-)
error.bmp

Expert Comment (LVL 35)
by:Ernie Beek
So at this point, the DMZ isn't really a dmz?
No, not completely. That specific host is (at the moment) allowed to access anything on the LAN. So that needs to be locked down a bit more.

For the outside ftp (and no, I don't mind Dutch. Spoke it for the last 40 years ;), try to add:

policy-map global_policy
 class inspection_default
  inspect ftp

service-policy global_policy global


This way the ASA can do stateful inspection of the ftp traffic.

Author Comment
by:Silencer001
Thanks for the suggestion erniebeek, but the commands aren't working.
I have taken a screenshot.

Thanks again!

error.png

Expert Comment (LVL 35)
by:Ernie Beek
Forgot a part :-~ not enough coffee today.

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect ftp

service-policy global_policy global

Author Comment
by:Silencer001
Dear god, you're a god!! Wow thanks man!!

Does it have something to do with packet inspection and do you have an idea where I can find this in the GUI of the firewall? I would like to start using both, so the GUI is handy in the beginning. Is the port forwarding then still necessary?

Expert Comment (LVL 35)
by:Ernie Beek
Nah, I'm only a Genius ;)

But yeah, this way you enabled the stateful packet inspection for FTP so the ASA knows there can be traffic on other ports as well.

By default it should be:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global


The port forwarding I'm not sure of. Looking at the previous error it looks like it isn't using the 50000 range. so you can try to remove the port range from the object group:

object-group service DM_INLINE_TCP_1 tcp
no port-object range 50000 50050


And see if it still works. If it does, you can remove the statics as well.

Author Comment
by:Silencer001
Haha yeah a genius indeed! I just added the lines you just pasted here thanks.
I also removed the port-object range and the FTP is still working, hooray!!

Really thanks!!

Now for the real dmz configuration, what command can I use to only permit FTP-access and then also access to shares and rdp. This is actually the only thing that needs to be open I guess.


I have also found "class maps" and "inspect maps" in the GUI but I don't see an enable feature. The only way to do this is maybe by using the CLI?

I have increased the points to 450 because you are helping me a lot, thanks again!

Expert Comment (LVL 35)
by:Ernie Beek
You're welcome :)

Let's see, in the access-list dmz_access_in you only have to allow those ports for the connections that are set up from the FTP server. Connections from the inside LAN are allowed by default (because it's from a high security to a lower security interface).

So what would you like to do from the FTP server on the LAN? Then we have to figure out what ports are needed for that and to what hosts you need to connect.

I'll have a look at the gui for the class maps. Should be there somewhere.

Author Comment
by:Silencer001
Ah ok I didn't know that, thanks!

I only need FTP-traffic from the FTP-server to the lan and then also communication between the AVG-server and the clients in my LAN. The FTP-server also has the AVG administration console installed.

And then the previous command (port forwarding to the FTP-server (port 21)) and the commands for the stateful packet inspection make sure that the FTP-server is accessible from the outside?

What are your recommendations to open which ports in the DMZ?

Expert Comment (LVL 35)
by:Ernie Beek
Ok, personally I would move the AVG back to the LAN (if possible). You don't want to do management on your LAN from your DMZ. But that's my personal opinion.

To allow only ftp from the server to the lan enter:
access-list dmz_access_in extended permit tcp host 192.168.3.210 192.168.2.0 255.255.255.0 eq 21

You can add a similar line or lines for AVG (if you decide to keep it there). You only need to find out what ports AVG uses.

And yes, the previous commands (the static, access list and inspect) make the access from the outside possible.


Author Comment
by:Silencer001
Thanks for the feedback erniebeek and sorry I didn't get back to you sooner!
I will try this next week with the customer and then do my final testing!

I will leave this topic open until then. Thanks again!

Author Comment
by:Silencer001
Oh and I also moved the AVG Console to a server in the LAN. ;-)

Expert Comment (LVL 35)
by:Ernie Beek
Ok, no problem. I'll be here :)
And good, you moved the avg. I think that's for the best.

Author Comment
by:Silencer001
Hi erniebeek,

I am with the customer and everything works except for the FTP.
My FTP-server gives this as response:

29/09/2011 12:50:20 - [000009] a2otest 87.66.2.85 > 250 CWD command successful. "/" is current directory.
29/09/2011 12:50:20 - [000009] a2otest 87.66.2.85 > TYPE A
29/09/2011 12:50:20 - [000009] a2otest 87.66.2.85 > 200 Type set to A.
29/09/2011 12:50:20 - [000009] a2otest 87.66.2.85 > PASV
29/09/2011 12:50:20 - [000009] a2otest 87.66.2.85 > 227 Entering Passive Mode (81,82,216,11,195,117)
29/09/2011 12:50:20 - [000009] a2otest 87.66.2.85 > INFO: user disconnected gracefully. (00:00:00)


When I tested it, it worked perfectly, but now only outside access doesn't seem to be working..
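The 227 reply in that log is where passive FTP and NAT meet: the server announces the address and data port the client must connect to, and the firewall's FTP inspection (or a static for every port in the range) has to line up with it. The decoder below is an added example, not code from the thread or from the FTP server product: it turns the six numbers of a 227 reply into an address and port and checks whether the port falls inside the 50000-50050 range forwarded earlier in this thread and whether the advertised address is an RFC 1918 one. The sample lines are the server log lines the author posted in this thread.

```python
"""Decode FTP 227 (PASV) replies and check them against the NAT setup (added example)."""
import ipaddress
import re

PASV_RE = re.compile(
    r"227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)"
)


def decode_pasv(text):
    """Return (ip, port) advertised by a 227 reply, or None if text holds none."""
    m = PASV_RE.search(text)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    # The data port travels as two bytes: high * 256 + low.
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(text, passive_range=(50000, 50050)):
    """Classify one 227 reply: which address it advertises and whether the
    data port is inside the range the firewall forwards (assumed 50000-50050)."""
    decoded = decode_pasv(text)
    if decoded is None:
        return None
    ip, port = decoded
    lo, hi = passive_range
    return {
        "ip": ip,
        "port": port,
        "advertises_private_ip": ipaddress.ip_address(ip).is_private,
        "port_in_forwarded_range": lo <= port <= hi,
    }


def scan_log(lines, passive_range=(50000, 50050)):
    """Run check_pasv over server log lines, keeping only the 227 replies."""
    results = []
    for line in lines:
        result = check_pasv(line, passive_range)
        if result is not None:
            results.append(result)
    return results


# Server log lines as posted in this thread (the FTP server itself sits at 192.168.3.210).
SAMPLE_LOG = [
    "29/09/2011 12:50:20 - [000009] a2otest 87.66.2.85 > PASV",
    "29/09/2011 12:50:20 - [000009] a2otest 87.66.2.85 > 227 Entering Passive Mode (81,82,216,11,195,117)",
    "29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > 227 Entering Passive Mode (81,82,216,11,195,106)",
]

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(entry)
```

For the posted lines this yields 81.82.216.11 with data ports 50037 and 50026: a public address, both ports inside the forwarded range.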

Expert Comment (LVL 17)
by:Garry-G
Do you have FTP inspection turned on? For NAT, the firewall has to recognize FTP protocol and "correct" some of the data inside the control connection ...

Author Comment
by:Silencer001
I don't know if I have it on, how can you see it on a Cisco ASA? FTP passive mode is configured ;-)

Author Comment
by:Silencer001
Sorry FTP inspection is turned on. If I didn't use it, I couldn't get connection to my FTP server. Hence the commands:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Author Comment
by:Silencer001
I have turned FTP inspection off but when I want to connect from the outside, I get the error message enclosed in the screenshot.

The logs on the FTP-server are the following:
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > INFO: logged in.
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > 230 User a2otest logged in.
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > OPTS utf8 on
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > 500 Unknown command.
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > SYST 
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > 215 UNIX Type: L8
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > SITE help
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > 500 Unknown command.
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > PWD 
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > 257 "/" is current directory.
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > TYPE A
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > 200 Type set to A.
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > PASV 
29/09/2011 13:13:39 - [000042] a2otest 87.66.2.85 > 227 Entering Passive Mode (81,82,216,11,195,106)

error.png

Accepted Solution (LVL 35)
by:Ernie Beek earned 500 total points
Have no fear, Ernie is here :)

Could you show the ASA config as it is now? Let's see if we can figure this out.

Author Comment
by:Silencer001
Thank you so much mate!
: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa
enable password eBoSjUFSEiuUMM7B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.203 Oude_Server description Oude Server
name 192.168.2.205 server-archx
name 192.168.2.200 a2osbs description SBS2011
name 192.168.3.210 DMZ_FTP-server description FTP-server in DMZ
name 192.168.2.210 LAN_FTP-server description FTP-server in LAN
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0 
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 4125
 port-object eq 987
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq pptp
 port-object eq smtp
 port-object eq ssh
 port-object eq 4210
 port-object eq 15000
 port-object eq 4203
 port-object eq 4205
 port-object eq 4230
 port-object eq 28081
 port-object range 50000 50050
object-group service Special
 description Zelf aangemaakte services
 service-object tcp eq 3389 
 service-object tcp eq 4125 
 service-object tcp eq 987 
 service-object tcp eq 4210 
 service-object tcp eq 4203 
 service-object tcp eq 4205 
 service-object tcp eq 15000 
 service-object tcp eq 4230 
 service-object tcp eq 28081 
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1 
access-list dmz_access_in extended permit ip host DMZ_FTP-server any inactive 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq domain inactive 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq ftp inactive 
access-list inside_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp a2osbs smtp netmask 255.255.255.255 
static (inside,outside) tcp interface www a2osbs www netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 a2osbs imap4 netmask 255.255.255.255 
static (inside,outside) tcp interface 987 a2osbs 987 netmask 255.255.255.255 
static (dmz,outside) tcp interface 4230 DMZ_FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface https a2osbs https netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 a2osbs pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface 4205 server-archx 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4210 LAN_FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 28081 server-archx 28081 netmask 255.255.255.255 
static (inside,outside) tcp interface 4125 a2osbs 4125 netmask 255.255.255.255 
static (inside,outside) tcp interface 15000 a2osbs 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4203 Oude_Server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface pptp a2osbs pptp netmask 255.255.255.255 
static (dmz,outside) tcp interface ftp DMZ_FTP-server ftp netmask 255.255.255.255 
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.2.5-192.168.2.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr admin@a2o-architecten.be
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3e01e49c16ae9d7e754280bbd4b1b9a4
: end
asdm location Oude_Server 255.255.255.255 inside
asdm location server-archx 255.255.255.255 inside
asdm location a2osbs 255.255.255.255 inside
asdm location LAN_FTP-server 255.255.255.255 inside
asdm location DMZ_FTP-server 255.255.255.255 inside
no asdm history enable

LVL 35

Expert Comment

by:Ernie Beek
Let's try the following:

static (dmz,outside) tcp interface ftp-data DMZ_FTP-server ftp-data netmask 255.255.255.255

object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp-data


And see what happens.

Author Comment

by:Silencer001
Thanks for the suggestion, but it didn't work; still the same error message from my last post.

LAN to DMZ is working fine though.

This is my running config now:
: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa
enable password eBoSjUFSEiuUMM7B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.203 Oude_Server description Oude Server
name 192.168.2.205 server-archx
name 192.168.2.200 a2osbs description SBS2011
name 192.168.3.210 DMZ_FTP-server description FTP-server in DMZ
name 192.168.2.210 LAN_FTP-server description FTP-server in LAN
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0 
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 4125
 port-object eq 987
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq pptp
 port-object eq smtp
 port-object eq ssh
 port-object eq 4210
 port-object eq 15000
 port-object eq 4203
 port-object eq 4205
 port-object eq 4230
 port-object eq 28081
 port-object range 50000 50050
object-group service Special
 description Zelf aangemaakte services
 service-object tcp eq 3389 
 service-object tcp eq 4125 
 service-object tcp eq 987 
 service-object tcp eq 4210 
 service-object tcp eq 4203 
 service-object tcp eq 4205 
 service-object tcp eq 15000 
 service-object tcp eq 4230 
 service-object tcp eq 28081 
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1 
access-list dmz_access_in extended permit ip host DMZ_FTP-server any inactive 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq domain inactive 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq ftp inactive 
access-list inside_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp a2osbs smtp netmask 255.255.255.255 
static (inside,outside) tcp interface www a2osbs www netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 a2osbs imap4 netmask 255.255.255.255 
static (inside,outside) tcp interface 987 a2osbs 987 netmask 255.255.255.255 
static (dmz,outside) tcp interface 4230 DMZ_FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface https a2osbs https netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 a2osbs pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface 4205 server-archx 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4210 LAN_FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 28081 server-archx 28081 netmask 255.255.255.255 
static (inside,outside) tcp interface 4125 a2osbs 4125 netmask 255.255.255.255 
static (inside,outside) tcp interface 15000 a2osbs 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4203 Oude_Server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface pptp a2osbs pptp netmask 255.255.255.255 
static (dmz,outside) tcp interface ftp DMZ_FTP-server ftp netmask 255.255.255.255 
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130 
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117 
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b 
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504 
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72 
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56 
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043 
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31 
    30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b 
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20 
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65 
    74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420 
    68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329 
    3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365 
    63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7 
    0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597 
    a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10 
    9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc 
    7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b 
    15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845 
    63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 
    18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced 
    4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f 
    81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201 
    db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868 
    7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101 
    ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8 
    45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777 
    2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a 
    1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406 
    03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973 
    69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 
    02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969 
    6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b 
    c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973 
    69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30 
    1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603 
    551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 
    1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609 
    2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 
    4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e 
    b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a 
    6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc 
    481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16 
    b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0 
    5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8 
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28 
    6c2527b9 deb78458 c61f381e a4c4cb66
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.2.5-192.168.2.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr admin@a2o-architecten.be
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3e01e49c16ae9d7e754280bbd4b1b9a4
: end
asdm location Oude_Server 255.255.255.255 inside
asdm location server-archx 255.255.255.255 inside
asdm location a2osbs 255.255.255.255 inside
asdm location LAN_FTP-server 255.255.255.255 inside
asdm location DMZ_FTP-server 255.255.255.255 inside
no asdm history enable


Author Comment

by:Silencer001
This is the full log from the FTP-server:
29/09/2011 14:11:17 - [000053] (not logged in) 87.66.2.85 > INFO: ftp-client connection made from IP:192.168.3.210
29/09/2011 14:11:17 - [000053] (not logged in) 87.66.2.85 > INFO: sending welcome message to client (MOTD).
29/09/2011 14:11:17 - [000053] (not logged in) 87.66.2.85 > 220 BulletProof FTP Server 2011
29/09/2011 14:11:17 - [000053] (not logged in) 87.66.2.85 > USER a2otest
29/09/2011 14:11:17 - [000053] (not logged in) 87.66.2.85 > 331 Password required for a2otest.
29/09/2011 14:11:17 - [000053] (not logged in) 87.66.2.85 > PASS pass
29/09/2011 14:11:17 - [000053] a2otest 87.66.2.85 > INFO: logged in.
29/09/2011 14:11:17 - [000053] a2otest 87.66.2.85 > 230 User a2otest logged in.
29/09/2011 14:11:17 - [000053] a2otest 87.66.2.85 > OPTS utf8 on
29/09/2011 14:11:17 - [000053] a2otest 87.66.2.85 > 500 Unknown command.
29/09/2011 14:11:17 - [000053] a2otest 87.66.2.85 > PWD 
29/09/2011 14:11:17 - [000053] a2otest 87.66.2.85 > 257 "/" is current directory.
29/09/2011 14:11:18 - [000053] a2otest 87.66.2.85 > INFO: user disconnected gracefully. (00:00:00)
29/09/2011 14:11:18 - [000054] (not logged in) 87.66.2.85 > INFO: ftp-client connection made from IP:192.168.3.210
29/09/2011 14:11:18 - [000054] (not logged in) 87.66.2.85 > INFO: sending welcome message to client (MOTD).
29/09/2011 14:11:18 - [000054] (not logged in) 87.66.2.85 > 220 BulletProof FTP Server 2011
29/09/2011 14:11:18 - [000054] (not logged in) 87.66.2.85 > USER a2otest
29/09/2011 14:11:18 - [000054] (not logged in) 87.66.2.85 > 331 Password required for a2otest.
29/09/2011 14:11:18 - [000054] (not logged in) 87.66.2.85 > PASS pass
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > INFO: logged in.
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > 230 User a2otest logged in.
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > OPTS utf8 on
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > 500 Unknown command.
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > PWD 
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > 257 "/" is current directory.
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > TYPE A
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > 200 Type set to A.
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > PASV 
29/09/2011 14:11:18 - [000054] a2otest 87.66.2.85 > 227 Entering Passive Mode (81,82,216,11,195,89)

LVL 35

Expert Comment

by:Ernie Beek
Did you already remove the lines again? I don't see them.

Let's have a look at the ASA logs to see if any errors show when trying to connect.

Author Comment

by:Silencer001
Which lines are you referring to, Ernie? I copied your commands and executed them on the ASA.

Author Comment

by:Silencer001
I am checking the logs but only find this line referring to the FTP-server:

4      Sep 29 2011      05:10:13            DMZ_FTP-server      51408      a2osbs      53      Deny udp src dmz:DMZ_FTP-server/51408 dst inside:a2osbs/53 by access-group "dmz_access_in" [0x0, 0x0]
LVL 35

Expert Comment

by:Ernie Beek
That looks like DNS traffic so not really relevant here.

Those lines I sent (with the ftp-data stuff) I don't see in your most recent config (?)

Author Comment

by:Silencer001
Hmmm strange, this is the running config now:
: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa
enable password eBoSjUFSEiuUMM7B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.203 Oude_Server description Oude Server
name 192.168.2.205 server-archx
name 192.168.2.200 a2osbs description SBS2011
name 192.168.3.210 DMZ_FTP-server description FTP-server in DMZ
name 192.168.2.210 LAN_FTP-server description FTP-server in LAN
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 192.168.3.1 255.255.255.0 
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 4125
 port-object eq 987
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq pptp
 port-object eq smtp
 port-object eq ssh
 port-object eq 4210
 port-object eq 15000
 port-object eq 4203
 port-object eq 4205
 port-object eq 4230
 port-object eq 28081
 port-object range 50000 50050
 port-object eq ftp-data
object-group service Special
 description Zelf aangemaakte services
 service-object tcp eq 3389 
 service-object tcp eq 4125 
 service-object tcp eq 987 
 service-object tcp eq 4210 
 service-object tcp eq 4203 
 service-object tcp eq 4205 
 service-object tcp eq 15000 
 service-object tcp eq 4230 
 service-object tcp eq 28081 
access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1 
access-list dmz_access_in extended permit ip host DMZ_FTP-server any inactive 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq domain inactive 
access-list dmz_access_in extended permit tcp host DMZ_FTP-server 192.168.2.0 255.255.255.0 eq ftp inactive 
access-list inside_access_in extended permit icmp any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp a2osbs smtp netmask 255.255.255.255 
static (inside,outside) tcp interface www a2osbs www netmask 255.255.255.255 
static (inside,outside) tcp interface imap4 a2osbs imap4 netmask 255.255.255.255 
static (inside,outside) tcp interface 987 a2osbs 987 netmask 255.255.255.255 
static (dmz,outside) tcp interface 4230 DMZ_FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface https a2osbs https netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 a2osbs pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface 4205 server-archx 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4210 LAN_FTP-server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 28081 server-archx 28081 netmask 255.255.255.255 
static (inside,outside) tcp interface 4125 a2osbs 4125 netmask 255.255.255.255 
static (inside,outside) tcp interface 15000 a2osbs 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 4203 Oude_Server 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface pptp a2osbs pptp netmask 255.255.255.255 
static (dmz,outside) tcp interface ftp DMZ_FTP-server ftp netmask 255.255.255.255 
static (dmz,outside) tcp interface ftp-data DMZ_FTP-server ftp-data netmask 255.255.255.255 
static (inside,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
    308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130 
    0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117 
    30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b 
    13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504 
    0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72 
    20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56 
    65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043 
    65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31 
    30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b 
    30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20 
    496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65 
    74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420 
    68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329 
    3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365 
    63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7 
    0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597 
    a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10 
    9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc 
    7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b 
    15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845 
    63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8 
    18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced 
    4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f 
    81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201 
    db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868 
    7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101 
    ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8 
    45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777 
    2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a 
    1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406 
    03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973 
    69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 
    02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969 
    6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b 
    c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973 
    69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30 
    1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603 
    551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355 
    1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609 
    2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80 
    4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e 
    b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a 
    6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc 
    481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16 
    b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0 
    5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8 
    6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28 
    6c2527b9 deb78458 c61f381e a4c4cb66
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.2.5-192.168.2.254 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr admin@a2o-architecten.be
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a0f369f871664edd8c1302eb3c245062
: end
asdm location Oude_Server 255.255.255.255 inside
asdm location server-archx 255.255.255.255 inside
asdm location a2osbs 255.255.255.255 inside
asdm location LAN_FTP-server 255.255.255.255 inside
asdm location DMZ_FTP-server 255.255.255.255 inside
no asdm history enable


Author Comment

by:Silencer001
Successsss!!! :D I manually forwarded the ports on my firewall to the DMZ_FTP-server.

It now looks like this, so is there a way to just forward an entire range instead of each port separately?

Thanks!!
succes.png
LVL 35

Expert Comment

by:Ernie Beek
Yesssssssssssssssssssssssssssss! :)

You should be able to do that if you have an extra public ip.
Then you can create a one to one static: static (dmz,outside) outside_ip DMZ_FTP-server netmask 255.255.255.255
And use a range in the access list to open the ports.

Oh, which you already have: port-object range 50000 50050

The thing is that the server will need its 'own' public address for that.

Author Comment

by:Silencer001
Ah ok, so I could use port-object range 50000 50050 if my ftp-server had a public IP address?
Now the ports have to be forwarded separately?

I find it surprising that the ASA can't forward an entire range.. The previous Linksys could do this without any problems..
LVL 35

Expert Comment

by:Ernie Beek
Now the ports have to be forwarded separately?
Yes, because you are doing PAT on the ip address of the outside interface (I wouldn't do a 1 to 1 NAT with that ;)

Well, from version 8.3 and greater you should be able to do that:
https://supportforums.cisco.com/thread/2087881

Keep in mind though that things change from that version on, especially the NAT part:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
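The two posts above (the server log showing the 227 reply, and the explanation of why each data port needs its own static PAT entry on 8.2 when the outside interface address is shared) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it decodes the PASV reply from the posted log, expands the DM_INLINE_TCP_1 port-objects, and asks whether an outside client can reach the advertised data port. Because the posted global_policy carries no inspect ftp line, the ASA neither rewrites the address in the 227 reply nor opens the data port dynamically, so three conditions must all hold: the reply must advertise the public address, the outside ACL must permit the port, and a static must map that outside port to DMZ_FTP-server. The public address 81.82.216.11 is taken from the PASV reply in the log and is an assumption (the outside interface is on DHCP); the "after" static list models what "forwarding the ports manually" amounts to.

```python
import re
from dataclasses import dataclass

# Well-known service names exactly as they appear in the posted ASA config.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "https": 443, "smtp": 25,
              "pop3": 110, "imap4": 143, "ssh": 22, "pptp": 1723}

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a 227 reply into ('h1.h2.h3.h4', p1*256 + p2).
    Returns None for anything that is not a well-formed PASV reply."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def port_number(token):
    """Map a service name or numeric string to a port number."""
    return PORT_NAMES.get(token) or int(token)


def expand_port_objects(port_objects):
    """Expand 'eq N' / 'range A B' port-object lines into a set of ports."""
    ports = set()
    for line in port_objects:
        parts = line.split()
        if parts[0] == "eq":
            ports.add(port_number(parts[1]))
        elif parts[0] == "range":
            ports.update(range(port_number(parts[1]), port_number(parts[2]) + 1))
    return ports


@dataclass(frozen=True)
class StaticPat:
    """One 'static (dmz,outside) tcp interface <outside_port> <host> <real_port>'."""
    outside_port: int
    real_host: str
    real_port: int


def data_channel_check(pasv_reply, public_ip, server_name, statics, port_objects):
    """Can an outside client reach the passive data port the server advertised?
    With no FTP inspection, the firewall does nothing on its own: the reply must
    carry the public address, the outside ACL must permit the port, and a static
    PAT entry must translate that outside port to the DMZ server."""
    parsed = parse_pasv(pasv_reply)
    if parsed is None:
        return {"valid": False}
    ip, port = parsed
    acl_ok = port in expand_port_objects(port_objects)
    static_ok = any(s.outside_port == port and s.real_host == server_name
                    for s in statics)
    return {"valid": True, "ip": ip, "port": port,
            "address_is_public": ip == public_ip,
            "acl_permits": acl_ok, "static_present": static_ok,
            "reachable": ip == public_ip and acl_ok and static_ok}


# Inputs taken from the thread: the 227 reply from the posted server log and the
# relevant port-objects of DM_INLINE_TCP_1. PUBLIC_IP is an assumption read off
# that reply, since the outside interface address comes from DHCP.
PASV_REPLY = "227 Entering Passive Mode (81,82,216,11,195,89)"
PUBLIC_IP = "81.82.216.11"
DM_INLINE_TCP_1 = ["eq ftp", "eq ftp-data", "eq 4230", "range 50000 50050"]

# Statics as they stood when the log was taken: control channel and RDP only.
STATICS_BEFORE = [StaticPat(21, "DMZ_FTP-server", 21),
                  StaticPat(20, "DMZ_FTP-server", 20),
                  StaticPat(4230, "DMZ_FTP-server", 3389)]
# "Forwarding the ports manually" on 8.2 with interface PAT: one static per
# port of the server's passive range (constructed, not copied from the thread).
STATICS_AFTER = STATICS_BEFORE + [StaticPat(p, "DMZ_FTP-server", p)
                                  for p in range(50000, 50051)]


def before():
    return data_channel_check(PASV_REPLY, PUBLIC_IP, "DMZ_FTP-server",
                              STATICS_BEFORE, DM_INLINE_TCP_1)


def after():
    return data_channel_check(PASV_REPLY, PUBLIC_IP, "DMZ_FTP-server",
                              STATICS_AFTER, DM_INLINE_TCP_1)


if __name__ == "__main__":
    for label, result in (("before", before()), ("after", after())):
        print(label, result)
```

The advertised port in the log decodes to 195*256 + 89 = 50009, which the ACL already permitted through the 50000-50050 range; what was missing at that point was the static for that outside port, which is exactly what the per-port forwarding later supplied. Enabling FTP inspection would make the firewall open the data port itself for the duration of the session, which is the usual way to avoid leaving a whole port range statically exposed.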

Author Comment

by:Silencer001
Wow, thanks for the extended information about this and for your tremendous help!!! Really appreciate your help, and points more than earned!!
LVL 35

Expert Comment

by:Ernie Beek
The pleasure was entirely mine :)

Or, so everybody understands:

The pleasure was all mine and it was also a pleasure working with you.
Thx for the points and until we meet again ;)