Reach an ftp server through an asa5510

Status
Not open for further replies.

patrickdegast

Technical User
Nov 11, 2009
3
NL


I can reach an ftp-server (with ftp) outside my network through the ASA5510 firewall.
The ftp server's address is 217.xxx.xxx.1; it should be changed to 213.xxx.xxx.121

I can't seem to get it to work, I just changed the ip address in the config but that is not sufficient.

The present config rules. (visible)
access-list zone60_access_in_1 extended permit tcp 10.226.60.3 213.xxx.xxx.121
access-list zone60_nat_static extended permit 10.226.60.3 213.xxx.xxx.121
static (zone60,outside) 82.xxx.xxxx.90(fw outside ip address) access-list zone60_nat_static

I am missing one thing but do not know what.

So now it works for the 217.xxx.xxx.1 but it should work to the 213.xxx.xxx.121
 
Are you doing a one-to-one NAT? The new ftp server, can it take connections from any IP?
 
Yes, the ftp server can accept connections from any host; I checked from outside my network.

It is a static policy nat rule for just one inside host.
 
Your ACLs appear to be off. If you use the TCP keyword, you should end the ACL with a port.

Can you post a scrubbed config?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
When I remove the access-list
access-list zone60_access_in_1 in the present config (where I can reach the 217.xxx.xxx.1) I get a block and a log entry telling the access-list block is working and not permitting the action, so the access-list is working.

It is just that changing the ip of the "to reach ftp server" does not work. After trying changing back to the old situation ftp works again.
 