Tek-Tips Forums

Publish FTP in DMZ - ISA 2004

Status
Not open for further replies.

cygnetrower1

IS-IT--Management
Feb 14, 2002
37
GB
Hi

I am having real trouble publishing an FTP server in a DMZ on ISA 2004. I am trying to use a server publishing rule on port 21 using all defaults.

I have other servers published via web publishing rules which work ok. I have also tried using a http redirect to ftp, which also works ok but as I want users to use an FTP client this is no good.

Logging shows the Enterprise Default Rule is denying access, so it looks like it does not even read the FTP.

Can anyone help?
 
I figured it out

I needed to create a network rule to allow traffic out from the DMZ interface. So I created a NAT rule (DMZ to External).

I would have thought ISA could handle this dynamically for FTP, i.e. port 21 in from the client and the port 20 response from the server! But it doesn't seem to work without it.
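
The active-mode behaviour described in the post above (client connects in to port 21, server connects back out from port 20) is exactly why an inbound publishing rule on its own is not enough when the outbound relationship from the DMZ is not in place. The script below is an added example, not code from the thread or from ISA 2004: it parses a constructed FTP control-channel transcript (PORT and PASV only, not EPRT/EPSV), works out which side opens the data connection and to which port, and lists the flows a rule set has to allow for that transfer. The addresses, transcripts and the `DataConnection` / `required_flows` names are all assumptions made for the example.

```python
"""Added example (not from the original thread): parse an FTP control-channel
exchange and derive which side opens the data connection, so the flows a
server-publishing rule must permit are made explicit.
Transcripts and addresses below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DataConnection:
    mode: str        # "active" (PORT) or "passive" (PASV)
    initiator: str   # which side opens the TCP data connection
    dst_host: str    # address the initiator connects to
    dst_port: int    # port the initiator connects to


# FTP encodes "h1,h2,h3,h4,p1,p2": four address octets, then port = p1*256 + p2 (RFC 959).
_PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_endpoint(groups):
    """Turn the six comma-separated numbers into (dotted_host, port), rejecting out-of-range bytes."""
    octets = [int(g) for g in groups[:4]]
    p1, p2 = int(groups[4]), int(groups[5])
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        raise ValueError("octet or port byte out of range: %r" % (groups,))
    return ".".join(map(str, octets)), p1 * 256 + p2


def plan_data_connection(transcript):
    """Walk 'C: ...' / 'S: ...' lines; the last PORT command or 227 reply
    decides how the next data transfer will be set up."""
    conn = None
    for raw in transcript.strip().splitlines():
        who, _, line = raw.strip().partition(": ")
        if who == "C":
            m = _PORT_CMD.match(line)
            if m:  # client told the server where to connect back to
                host, port = _decode_endpoint(m.groups())
                conn = DataConnection("active", "server", host, port)
        elif who == "S":
            m = _PASV_REPLY.match(line)
            if m:  # server told the client which port it is listening on
                host, port = _decode_endpoint(m.groups())
                conn = DataConnection("passive", "client", host, port)
    if conn is None:
        raise ValueError("no PORT command or 227 reply seen in transcript")
    return conn


def required_flows(conn, client_ip, server_ip, control_port=21, server_data_port=20):
    """Return (src, dst, dst_port, note) tuples the firewall must allow for this transfer.
    The control channel is always client->server; the data channel depends on the mode."""
    flows = [(client_ip, server_ip, control_port, "control channel, inbound to server")]
    if conn.mode == "active":
        # This is the outbound DMZ->External flow the thread's publishing rule was missing.
        flows.append((server_ip, conn.dst_host, conn.dst_port,
                      "data channel, server-initiated from source port %d (default)" % server_data_port))
    else:
        flows.append((client_ip, conn.dst_host, conn.dst_port,
                      "data channel, client-initiated to the PASV port"))
    return flows


# Constructed transcripts using documentation address ranges.
ACTIVE_SESSION = """
C: USER anonymous
S: 331 Password required
C: PASS guest
S: 230 Logged in
C: PORT 203,0,113,10,4,1
S: 200 PORT command successful
C: LIST
"""

PASSIVE_SESSION = """
C: USER anonymous
S: 331 Password required
C: PASS guest
S: 230 Logged in
C: PASV
S: 227 Entering Passive Mode (198,51,100,5,195,80)
C: LIST
"""

if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        conn = plan_data_connection(session)
        print(name, conn)
        for flow in required_flows(conn, "203.0.113.10", "198.51.100.5"):
            print("  allow %s -> %s:%d  (%s)" % flow)
```

Running it shows the asymmetry behind the thread: the active session needs a flow from the server (198.51.100.5, in the DMZ) out to the client's ephemeral port 1025, while the passive session only needs flows from the client into the server. A firewall that tracks the control channel can open that outbound flow on its own; one that does not needs an explicit rule from the DMZ outwards, which is what the NAT rule in the post provided.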
 
Hi,

I'm testing an ISA server setup at the moment, and I ran into the same problem. Would you mind posting a more detailed description of your solution?
What I thought you meant was creating an extra rule to allow traffic over port 20 from the DMZ to the External network, but that doesn't seem to work so I must've misunderstood :)

Thanks in advance!

Venefyxatu
 
Hi,

I was lazy and created an "all traffic" rule from the DMZ to external. Once I did this the FTP started to work.

My second comment was really about other firewalls I have worked with where, once an access rule is allowed inbound, it's not necessary to create another outbound rule as the firewall takes care of this for you. Cisco PIX does this for instance with the fixup command.
 
Hi again,

First of all, thanks for the answer. I already had an "all traffic" rule, so unfortunately that didn't work for me.

I did, however, find the problem. I'd used the standard 3-leg perimeter template to configure my networks, but apparently that's broken.
It uses the NAT relation for Perimeter Configuration (i.e. for traffic going from the internal network to the perimeter network), and the Route relation for Perimeter Access (i.e. traffic going from the perimeter network to the internet is routed by the ISA server).
Switching these two seems to fix everything ... FTP publishing works like a charm now, even without the allow-all rule :)
 