Active FTP NAT source translation, ASA5520

[zeropoint46]

I'm having an issue where I have a linux server with 2 network cards. One on the "inside" and one in the "DMZ". The default gateway of this service resides in the inside subnet and is not on the ASA. I need to nat outbound traffic into the dmz interface for an FTP server. I have made the policy as follows:

nat (outside,dmz) source static any interface destination static external-ftp-test 172.16.200.21 no-proxy-arp

this makes it so the source address is translated to the dmz interface on the ASA so that the linux server does not try and route it to it's default route.

This actually works, and I can connect and do one dir listing which requires the data port. every subsequent data request fails. I have the inspect ftp option globally set and the ftp service is not encrypted. In the logs it looks like on subsequent requests the asa translates the outbound destination to 0.0.0.0 instead of the actual client IP address. Like it can't trace the session or something like that. any help with a solution would be greatly appreciated. the answer is not changing the default gateway on the server either. This method worked perfectly with an old juniper firewall as well. thanks.

 

[brianinms]

That is a very poor design and you are bridging your firewall and essential bypassing it from the dmz to the inside with that box. Get another box for ftp on the DMZ or merely nat from the outside to the inside.

 

[zeropoint46]

thanks for the input. Although this doesn't actually have a solution to the problem presented. Anybody have one? thanks.

 

[tpulley]

Your static is backwards>
nat (outside,dmz) source static any interface destination static external-ftp-test 172.16.200.21 no-proxy-arp

Should be

nat (dmz,outside) source static any interface destination static external-ftp-test 172.16.200.21 no-proxy-arp