
Inside host cannot FTP to outside FTP site

Status
Not open for further replies.

beckman68

Technical User
Jul 31, 2002
To start, I am new to the ASA world. There, that's done. Here is the scenario:
I have an ASA 5510 ver 8.4 in an offsite location. I am using the ASDM GUI (I am used to the CLI, so that's new for me). I have an outside interface to the I-net, a DMZ, an Inside interface, and a Main interface. The inside interface is the most secure: no internet access, just RDP through VPN access. I need to open the Inside interface for FTP to an outside FTP site, to their IP address only. From the other VLANs I can reach that FTP site fine. I know that the inside VLAN is the most protected, so how can I allow FTP for that server on the inside VLAN and not lose RDP through the VPN? I've tried setting up the Network Object and ACL for FTP, but that stops the RDP for the VPN users and it didn't work anyway. Any help would be greatly appreciated. Again, the ASA is new to me, so I am having to learn on the fly for now.

Thank you.
 
Can you post the scrubbed output from sh run so we can see where your configuration is at?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
OK, here is the slim version of the config. I don't have the FTP configs I tried in here, because when I did add what I thought was right, it locked out RDP sessions through the VPN.

Result of the command: "sho runn"

: Saved
:
ASA Version 8.4(1)
!
hostname abcd-efg-ASA
domain-name stratcolo.local
enable password wertyudsfghfgh encrypted
passwd kjhgf84eje4mnbvmnb encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address xyz.xyz.xyz.xyz 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.11.1 255.255.255.0
!
interface Ethernet0/3
description Main Internal Network
nameif Main
security-level 75
ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
banner exec "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
banner login "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
banner motd "UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have explicit permission to access or configure this device. All activities performed on this device may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement. There is no right to privacy on this device."
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup DMZ
dns domain-lookup Main
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.1.10
domain-name abcd.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network dmz-webserver
host 172.16.11.5
object network dmz-web
object network dmz-webserver2
host 172.16.11.5
description DMZ static to main
object network DMZ_WEBSERVER
object network DMZ_WEBSERVER_172.16.11.5
host 172.16.11.5
object network DC_MAIN_192.168.1.10
host 192.168.1.10
object network MAIN_HOSTS_192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network MAIN_192.168.1.0
subnet 192.168.1.0 255.255.255.0
description Internat PAT for MAIN network
object network DMZ_172.16.11.0
subnet 172.16.11.0 255.255.255.0
description PAT for DMZ
object network WAN2_zzz.zzz.zzz.zzz
host zzz.zzz.zzz.zzz
description wan_2
object service LDAP-GC
service tcp source range 49152 65535 destination eq 3268
description LDAP Global Catalog
object service LDAPGCSSL
service tcp source range 49152 65535 destination eq 3269
description LDAP GC over SSL
object service Netbios
service udp source range 49152 65535 destination eq netbios-dgm
description Windows Netbios Service
object service RPC
service tcp source range 49152 65535 destination range 49152 65535
description Windows RPC
object service RPC-EPMAP
service udp source range 49152 65535 destination eq 135
description RPC-EPMAP
object service RPC-EPMAP2
service tcp source range 49152 65535 destination eq 135
description Windows RPC-EPMAP service
object service W32Time
service udp source range 49152 65535 destination eq ntp
description Windows Time Service
object network NETWORK_OBJ_192.168.12.0_25
subnet 192.168.12.0 255.255.255.128
object network vpnpool
subnet 192.168.12.0 255.255.255.0
object network Management_192.168.200.0
subnet 192.168.2.0 255.255.255.0
description management network
object network DMZ_Internet_Access
subnet 172.16.11.0 255.255.255.0
description DMZ to Internet Translation
object network MAIN
subnet 192.168.1.0 255.255.255.0
object network SFTP_External_xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object network SFTP_Server
host 172.16.11.5
description SFTP Server
object network SFI_Internal
subnet 10.0.0.0 255.255.0.0
description SFI Internal Network
object network DMZ_172.16.11.x
subnet 172.16.11.0 255.255.255.0
object network SFI_internal_10.0.x.x
subnet 10.0.0.0 255.255.0.0
object service Tripwire_8080
service tcp source eq 8080 destination eq 8080
object service tripwire_9898
service tcp source eq 9898 destination eq 9898
object network Clients_Webserver
host 172.16.11.10
description Client Web Access
object network HTTPS_xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
object network WIKID_Access
host 172.16.11.7
description WIKID Strong Athenication Server
object service FTP
service tcp source range 1 65535 destination eq ftp
description FTP Protocol
object service FTP-Data
service tcp source range 1 65535 destination eq ftp-data
description FTP/Data
object network COLO_SQL
host 192.168.0.10
object-group service ActiveDirectory
description Ports required for DNS, LDAP, etc.
service-object tcp-udp destination eq 88
service-object tcp-udp destination eq cifs
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq www
service-object tcp destination eq https
service-object tcp destination eq kerberos
service-object tcp destination eq ldap
service-object tcp destination eq ldaps
service-object udp destination eq cifs
service-object udp destination eq www
service-object udp destination eq kerberos
service-object object LDAP-GC
service-object object LDAPGCSSL
service-object object Netbios
service-object object RPC
service-object object RPC-EPMAP2
service-object object W32Time
service-object tcp-udp source range 49152 65535 destination eq 445
service-object icmp
service-object tcp-udp destination eq 464
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object icmp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq tacacs
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object ip
protocol-object icmp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object tcp destination eq https
access-list DMZ_access_in extended permit object-group TCPUDP object DMZ_WEBSERVER_172.16.11.5 object DC_MAIN_192.168.1.10 eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object Clients_Webserver object DC_MAIN_192.168.101.10 eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object WIKID_Access object DC_MAIN_192.168.1.10 eq domain
access-list DMZ_access_in extended deny object-group DM_INLINE_PROTOCOL_4 172.16.11.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list Main_access_in extended permit object-group TCPUDP object DC_MAIN_192.168.1.10 object DMZ_WEBSERVER_172.16.11.5 eq domain
access-list Main_access_in extended permit tcp object DC_MAIN_192.168.1.10 object Clients_Webserver eq https
access-list Main_access_in extended permit tcp object DC_MAIN_192.168.1.10 192.168.1.0 255.255.255.0 eq domain
access-list Main_access_in remark Mail from MAIN
access-list Main_access_in extended permit tcp 192.168.1.0 255.255.255.0 object dmz-webserver eq smtp
access-list Main_access_in extended deny object-group DM_INLINE_PROTOCOL_2 192.168.1.0 255.255.255.0 172.16.11.0 255.255.255.0
access-list Main_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object NETWORK_OBJ_192.168.2.0_25 any
access-list outside_access_in extended permit tcp any object SFTP_Server eq ssh
access-list outside_access_in extended permit tcp any object Clients_Webserver eq https
access-list outside_access_in extended permit tcp any object WIKID_Access object-group DM_INLINE_TCP_1
access-list split-tunnel standard permit 172.16.15.0 255.255.255.0
access-list split-tunnel standard permit 192.168.0.0 255.255.255.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object DMZ_172.16.11.x object SFI_internal_10.0.x.x
pager lines 24
logging enable
logging trap notifications
logging asdm informational
logging host Main 192.168.1.13
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu Main 1500
mtu management 1500
ip local pool VPN-Pool 192.168.12.2-192.168.12.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (Main,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_25 NETWORK_OBJ_192.168.12.0_25
nat (DMZ,Main) source static dmz-webserver dmz-webserver service tripwire_9898 tripwire_9898
nat (DMZ,outside) source static DMZ_WEBSERVER_172.16.11.5 DMZ_WEBSERVER_172.16.11.5 destination static vpnpool vpnpool
nat (outside,DMZ) source static vpnpool vpnpool destination static DMZ_WEBSERVER_172.16.11.5 DMZ_WEBSERVER_172.16.11.5
nat (Main,inside) source static MAIN MAIN
nat (DMZ,outside) source static dmz-webserver dmz-webserver destination static SFI_Internal SFI_Internal
nat (DMZ,outside) source static DMZ_172.16.11.x DMZ_172.16.11.x destination static SFI_internal_10.0.x.x SFI_internal_10.0.x.x
!
object network MAIN_192.168.101.0
nat (Main,outside) dynamic interface
object network DMZ_Internet_Access
nat (any,outside) dynamic interface
object network SFTP_Server
nat (DMZ,outside) static xxx.xxx.xxx.xxx service tcp ssh ssh
object network Clients_Webserver
nat (DMZ,outside) static xxx.xxx.xxx.xxx service tcp https https
object network WIKID_Access
nat (DMZ,outside) static xxx.xxx.xxx.xxx
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group Main_access_in in interface Main
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
telnet timeout 5
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 Main
ssh 192.168.2.0 255.255.255.0 management
ssh timeout 30
ssh version 2
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point abcd-efg-VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 1
anyconnect profiles abcd_client_profile disk0:/abcd_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 192.168.1.10
dns-server value 192.168.1.10
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
split-dns value abcd.local
group-policy GroupPolicy_abcd internal
group-policy GroupPolicy_abcd attributes
wins-server value 192.168.1.10
dns-server value 192.168.1.10
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value abcd.local
webvpn
anyconnect profiles value abcd_client_profile type user
group-policy abcd internal
group-policy abcd attributes
vpn-tunnel-protocol ssl-client ssl-clientless
webvpn

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c4edb06bee6421017dfdc424faa2973c
: end
 
I added the ACL for interface "inside" to interface "outside" for FTP on outbound. Do I need to set up the same for inbound for this to work? I only want the server to access the outside FTP site as far as the internet is concerned. I used ASDM Packet Tracer and it shows it passes the traffic fine from the server to the IP address of the FTP server. Any suggestions?
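A worked ASA 8.4 configuration for what the thread asks for, added here as an example; it is not part of the original posts or the poster's config. It assumes the inside server is 192.168.0.50 and the external FTP host is 203.0.113.25 (both placeholders), reuses the vpnpool object and the interface names from the posted config, and assumes inside hosts still need to reach the domain controller in Main (the posted config has an identity NAT between Main and inside).

```text
! --- Added example, not from the thread. 192.168.0.50 and 203.0.113.25 are placeholders. ---
! The inside server that needs FTP out, and the single external FTP host it may reach.
object network INSIDE_FTP_CLIENT
 host 192.168.0.50
object network FTP_External_203.0.113.25
 host 203.0.113.25
!
! Dynamic PAT so 192.168.0.0/24 can leave through the outside interface.
! The posted config has PAT for Main and DMZ but none for inside, so an
! inside-initiated session to the Internet has no translation at all.
object network INSIDE_192.168.0.0
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Identity (no-NAT) rule so inside <-> AnyConnect pool traffic is never PATed;
! this mirrors the rule the posted config already has for Main. Manual NAT
! rules are evaluated before the object NAT above.
nat (inside,outside) source static INSIDE_192.168.0.0 INSIDE_192.168.0.0 destination static vpnpool vpnpool
!
! Inside ACL. An interface with no access-group permits everything from a
! higher to a lower security level; applying any ACL replaces that with an
! implicit deny-all, so every other inside-initiated flow that must keep
! working (assumed here: inside hosts talking to the DC/DNS in Main) has to
! be permitted explicitly. RDP sessions started by VPN clients are matched
! by connection state on the return path, so this ACL does not touch them.
! "inspect ftp" in global_policy opens the data channel (active or passive),
! so no separate ftp-data rule is needed; "ftp mode passive" only affects
! the ASA's own FTP client, not transit traffic.
access-list inside_access_in remark FTP control channel to the one external FTP host only
access-list inside_access_in extended permit tcp object INSIDE_FTP_CLIENT object FTP_External_203.0.113.25 eq ftp
access-list inside_access_in remark assumed: keep inside <-> Main working (AD, DNS, logging)
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in remark everything else initiated from inside is dropped and logged
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
```

After applying this, "packet-tracer input inside tcp 192.168.0.50 1025 203.0.113.25 21" should show the NAT phase hitting INSIDE_192.168.0.0 and the ACL phase hitting the FTP line; a trace from inside to any other Internet address should stop at the deny line.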
 