  • ASA config problem

    I had a PIX 501 configured to allow FTP access to one of our servers on the internal network using the following configuration:

    access-list outside_access_in permit tcp any host 71.xx.yyy.251 eq ftp
    static (inside,outside) 71.xx.yyy.251 172.26.5.9 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside

    Everything worked fine.
    I recently got a new ASA 5505 to replace the PIX 501. I tried to configure it to allow the same FTP access as the PIX 501, with the exact same configuration, but it's not working. In addition, the internal server (172.26.5.9) using the ASA as its gateway cannot access the internet, and I cannot ping its outside address (71.xx.yyy.251) from the outside. All the other computers and servers on the network using the ASA as their gateway can access the internet without any issues. I even went so far as to set up another FTP server on the ASA, and that works fine. The only difference between the new, working FTP server I set up and the non-working one that existed before is that the one that existed before is registered on our domain (pubftp.mycompany.com with IP 71.xx.yyy.251).

    Below is the configuration I had on the PIX 501, which allowed FTP access to the server (71.xx.yyy.251 -> 172.26.5.9). Following that is the config on the ASA:

    Building configuration...
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password tdkuTUSh53d2MT6B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname attdslpix2
    domain-name mycompany.com
    clock timezone EST -5
    clock summer-time EDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list inside_outbound_nat0_acl permit ip any 172.26.5.192 255.255.255.240
    access-list outside_access_in permit udp any any eq 4500
    access-list outside_access_in permit udp any any eq isakmp
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit tcp any host 71.xx.yyy.251 eq ftp
    access-list splittunnel permit ip 172.26.0.0 255.255.0.0 172.26.0.0 255.255.0.0
    access-list TLC_splitTunnelAcl permit ip 172.26.0.0 255.255.0.0 any
    pager lines 24
    logging on
    logging standby
    mtu outside 1500
    mtu inside 1500
    ip address outside 71.xx.yyy.253 255.255.255.240
    ip address inside 172.26.0.252 255.255.0.0
    ip verify reverse-path interface outside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool pptp-client-ip 172.26.5.195-172.26.5.199
    pdm location 71.xx.yyy.251 255.255.255.255 outside
    pdm location 172.26.5.9 255.255.255.255 inside
    pdm location 172.26.5.192 255.255.255.240 outside
    pdm location 172.26.0.136 255.255.255.255 inside
    pdm logging alerts 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) 71.xx.yyy.251 172.26.5.9 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 71.xx.yyy.241 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 172.26.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable

    [OK]
    ----------------------------
    Below is the configuration I have on the ASA 5505, which is not working for FTP to the server 71.xx.yyy.251 -> 172.26.5.9 but is working for 71.xx.yyy.244 -> 172.26.0.136:

    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa
    domain-name mycompany.com
    enable password tdkuTUSh53d2MT6B encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.26.0.252 255.255.0.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 71.xx.yyy.253 255.255.255.240
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name mycompany.com
    access-list LIMU_Split_Tunnel_List remark The corporate network behind the ASA
    access-list LIMU_Split_Tunnel_List standard permit 172.26.0.0 255.255.0.0
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit udp any any eq 4500
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list outside_access_in extended permit tcp any host 71.xx.yyy.251 eq ftp
    access-list outside_access_in extended permit tcp any host 71.xx.yyy.244 eq ftp
    access-list inside_outbound_nat0_acl extended permit ip any 172.26.5.192 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool VPN_POOL 172.26.6.1-172.26.6.100 mask 255.255.0.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 71.xx.yyy.251 172.26.5.9 netmask 255.255.255.255
    static (inside,outside) 71.xx.yyy.244 172.26.0.136 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 71.xx.yyy.241 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 172.26.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:6854e698af80305413f87918e8897874
    : end

    ---------------------
    Any help with this is greatly appreciated.
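The static NAT plus inbound ACL pairing in the post, as an added example that is not part of the original thread: a small Python checker that parses the relevant ASA 8.2 lines (a constructed excerpt of the posted config is embedded; the masked 71.xx.yyy.* addresses are kept as opaque strings) and reports which inbound permits reach each published host. The `static` / `access-list` / `access-group` line formats are ASA's own; the function names and the "broad inbound permit" finding are this example's.

```python
"""Consistency check for a PIX/ASA 8.2-style static NAT plus inbound ACL setup.

Pairs every `static (inside,outside)` with the ACL bound `in` on the outside
interface and reports which inbound permits reach each published address.
Addresses are kept as opaque strings, so the masked 71.xx.yyy.* values from the
post work unchanged. Permits are listed in ACL order; shadowing by an earlier
deny is not modelled (the posted ACLs contain no deny entries).
"""
from collections import defaultdict

# Constructed excerpt of the ASA config from the post: only the NAT/ACL lines,
# with a remark and a standard ACL kept to exercise the parser's skip paths.
ASA_CONFIG = """\
access-list LIMU_Split_Tunnel_List remark The corporate network behind the ASA
access-list LIMU_Split_Tunnel_List standard permit 172.26.0.0 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any host 71.xx.yyy.251 eq ftp
access-list outside_access_in extended permit tcp any host 71.xx.yyy.244 eq ftp
access-list inside_outbound_nat0_acl extended permit ip any 172.26.5.192 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 71.xx.yyy.251 172.26.5.9 netmask 255.255.255.255
static (inside,outside) 71.xx.yyy.244 172.26.0.136 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""


def _take_endpoint(tokens):
    """Consume one ACL endpoint: `any`, `host A.B.C.D` or `network mask`."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    if len(tokens) < 2:
        return tokens[0], []
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_config(text):
    """Return (statics, acls, bindings) parsed from the config text."""
    statics, acls, bindings = [], defaultdict(list), {}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "static" and len(tok) >= 6 and tok[4] == "netmask":
            # static (real_if,mapped_if) mapped_ip real_ip netmask mask [...]
            real_if, mapped_if = tok[1].strip("()").split(",")
            statics.append({"real_if": real_if, "mapped_if": mapped_if,
                            "mapped": tok[2], "real": tok[3], "mask": tok[5]})
        elif tok[0] == "access-list" and len(tok) >= 4:
            name, rest = tok[1], tok[2:]
            if rest[0] in ("extended", "standard"):
                kind, rest = rest[0], rest[1:]
            else:
                kind = "extended"          # PIX 6.x syntax carries no keyword
            if kind == "standard" or len(rest) < 4 or rest[0] not in ("permit", "deny"):
                continue                   # remarks and standard ACLs filter nothing here
            action, proto, rest = rest[0], rest[1], rest[2:]
            src, rest = _take_endpoint(rest)
            dst, rest = _take_endpoint(rest)
            port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
            acls[name].append({"action": action, "proto": proto,
                               "src": src, "dst": dst, "port": port})
        elif tok[0] == "access-group" and len(tok) >= 5 and tok[2] == "in":
            bindings[tok[4]] = tok[1]      # interface -> ACL applied inbound
    return statics, dict(acls), bindings


def inbound_exposure(text, outside="outside"):
    """Map each address published on `outside` to the inbound permits reaching it."""
    statics, acls, bindings = parse_config(text)
    acl = acls.get(bindings.get(outside, ""), [])
    report = {}
    for s in statics:
        if s["mapped_if"] != outside:
            continue
        # A `host` entry for the mapped address and an `any` destination both
        # reach the real host: a one-to-one static translates every port.
        allowed = [(e["proto"], e["port"]) for e in acl
                   if e["action"] == "permit" and e["dst"] in ("any", s["mapped"])]
        report[s["mapped"]] = {"real": s["real"], "allowed": allowed}
    return report


def findings(text, outside="outside"):
    """Plain-text findings a reviewer would raise against the NAT/ACL pairing."""
    out = []
    statics, acls, bindings = parse_config(text)
    if outside not in bindings:
        out.append(f"no access-group bound inbound on {outside}; implicit deny drops everything")
    for mapped, info in inbound_exposure(text, outside).items():
        if not info["allowed"]:
            out.append(f"{mapped} -> {info['real']}: static exists but no inbound permit reaches it")
    for e in acls.get(bindings.get(outside, ""), []):
        if e["action"] == "permit" and e["src"] == "any" and e["dst"] == "any":
            out.append(f"broad inbound permit {e['proto']} any any port {e['port']} "
                       f"also reaches every static-NAT host")
    return out


if __name__ == "__main__":
    for mapped, info in inbound_exposure(ASA_CONFIG).items():
        print(mapped, "->", info["real"], info["allowed"])
    for line in findings(ASA_CONFIG):
        print("finding:", line)
```

Run against the posted config, it shows that the `icmp any any` and `udp any any eq 4500` / `eq isakmp` entries, not only the `tcp ... eq ftp` lines, reach both static-NAT hosts, because a one-to-one static translates every port; the FTP rule itself is identical for the working .244 host and the failing .251 host, so the ACL and NAT lines alone do not explain the difference. What a config parser cannot see is the live state on the box and its neighbour: while the failure is occurring, `show xlate`, `show conn`, `show arp` and `packet-tracer input outside tcp <src-ip> 1025 71.xx.yyy.251 21` on the ASA tell you whether the inbound packet is being translated and permitted, and since the ASA answers ARP for its static addresses itself, the upstream router's ARP entry for 71.xx.yyy.251 is worth comparing with the new unit's outside MAC after a hardware swap.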

  • #2
    Re: ASA config problem

    Weird... after 2 hours of this not working, it just started working. I am assuming it has something to do with propagation of the routing-table changes on the internet.
