Thursday, March 26, 2015

Cisco ASA: Configuring FTP Access To FTP Server

I was asked by one of my customers to configure the Cisco ASA firewall to allow FTP traffic to their FTP server internally.  Below is the topology and the config I put in.  This is for the 8.3 code and higher.  I think I had 9.1 on this one.  I highlighted the notes so that you might know the commands purpose.
Now, the config:
*** Create the service for reference ***
object service FTP
 service tcp destination eq ftp 

*** Create the internal IP for the client ***
object network FTP_Inside
 host 10.1.1.8

*** Create the external IP for the client ***
object network FTP_Outside
 host 22.19.7.22

*** Allow the external ACL to allow the traffic ***
access-list acl_inbound extended permit tcp any host 10.1.1.8 eq ftp 

*** Create the static NAT translation for that service only ***
nat (inside,outside) source static FTP_Outside FTP_Outside destination static FTP_Inside FTP_Inside service FTP FTP


Posted by

2 comments:

  1. Brad MooreMarch 26, 2015 at 12:54 AM

    Very nice. Will this config handle both active and passive modes, or does that require any kind of "fixup" to be applied?

    ReplyDelete
    Replies
    1. ShaneMarch 26, 2015 at 1:24 AM

      Good question. The customer had not said anything to me about it. But I'm thinking it's for active only. I think for passive to work, you would probably have to do a "inspect ftp" on the default policy, which I didn't do, I'm sure. But, I think it's on by default in the default policy.

      Delete

Your comment will be reviewed for approval. Thank you for submitting your comments.

Subscribe to: Post Comments (Atom)