ASA5510 configuration
14 years 11 months ago #32816
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: ASA5510 configuration
Had a look at it. First I would consider fixing the following IPs (I will rely on the diagram for the correct IPs):
[code:1]static (dmz,outside) 39.0.2.13 10.10.20.13 netmask 255.255.255.255[/code:1]
Change it to:
[code:1]static (dmz,outside) 39.0.2.13 10.10.20.11 netmask 255.255.255.255[/code:1]
And
[code:1]static (dmz,outside) 39.0.2.14 10.10.20.14 netmask 255.255.255.255[/code:1]
Change it to:
[code:1]static (dmz,outside) 39.0.2.14 10.10.20.12 netmask 255.255.255.255[/code:1]
By now, with your config, outside hosts should be able to access the FTP server. So requirement 1 should be complete; tell us if not.
For requirement 2, you need NAT between the inside and dmz. Remember that any packet passing from any interface to any other interface always needs a translation (EVEN if that translation does nothing). I'll use your existing nat statement and simply add a new global for dmz:
[code:1]global (dmz) 1 interface [/code:1]
Now we need to exclude the wireless clients from the FTP server:
[code:1]access-list inside_access_dmz extended deny tcp 10.10.10.128 255.255.255.128 host 10.10.20.11 eq ftp
access-list inside_access_dmz extended permit ip any any
access-group inside_access_dmz in interface inside[/code:1]
There can be other ways to do this; this is just what I know. Tell us if this works or not so we can proceed to the next steps.
14 years 11 months ago #32818
by r0nni3
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
Replied by r0nni3 on topic Re: ASA5510 configuration
First thing I noticed.
On your outside interface you have an IP address of 192.168.168.2, but you want to NAT traffic from your inside/dmz to your outside. So the IP address you want to translate to should be in the same subnet as your outside interface (yes, I know there are exceptions). So you would want to change either your outside interface IP address or the address you will translate to.
I'm not really a fan of using NAT between your inside and DMZ, but that's a personal preference.
But to make things a little easier I would make a NAT 0 rule that permits traffic from your inside to your DMZ. (NAT 0 means that you don't use NAT but instead just route the traffic.)
[code:1]access-list no_nat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.240
nat (inside) 0 access-list no_nat
[/code:1]
For your DMZ to be able to go to the outside you need to make another NAT rule but then for your DMZ.
First, remove one of the globals you have on the outside and change it to a different sequence number.
[code:1]no global (outside) 1 39.0.2.3-39.0.2.12
global (outside) 10 39.0.2.3-39.0.2.12
[/code:1]
Now make the NAT for your DMZ interface. (I suggest using access-lists to define the networks that are allowed to use NAT. But again, this is a personal preference.)
[code:1]access-list DMZ_NAT permit ip 10.10.20.0 255.255.255.240 any
nat (dmz) 10 access-list DMZ_NAT
[/code:1]
See the sequence number I used here? This way this NAT rule only matches the global with sequence number 10.
And as far as I can tell, your static NAT translations from outside to your DMZ are configured correctly, aside from using different IP addresses than in the network drawing. So they should work if you change your outside IP address to a 39.0.2.X address and configure the correct addresses for the servers.
*edit* Failed to see the gateway router in the drawing >.>
Is that router using NAT as well? If so, things become entirely different.
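Added example, not code from this thread and not Cisco's: a small Python model of the pre-8.3 ASA behaviour that both posts above rely on. It traces S0lo's point that every inter-interface flow needs some translation (even a do-nothing one), r0nni3's point that a nat statement only pairs with a global carrying the same sequence number on the egress interface, the nat 0 exemption, the two statics for the FTP and web servers, and the inside ACL that keeps the wireless subnet off the FTP server. The addresses come from the posts; the security levels (100/50/0), the OP's existing `nat (inside) 1 0.0.0.0 0.0.0.0`, the `global (outside) 1 interface` left in place after renumbering, and an outside ACL permitting FTP to 39.0.2.13 are assumptions.

```python
# Toy model of pre-8.3 ASA NAT control and interface ACLs for the rules discussed in
# this thread (constructed illustration, not ASA code; xlate timeouts, PAT ports etc. ignored).
import copy
from ipaddress import ip_address, ip_network

# Constructed topology; security levels are assumed (100 / 50 / 0 is the usual layout).
INTERFACES = {
    "inside":  {"net": ip_network("10.10.10.0/24"), "level": 100},
    "dmz":     {"net": ip_network("10.10.20.0/28"), "level": 50},
    "outside": {"net": None, "level": 0},   # everything else leaves here (default route)
}

# ACL entries: (action, protocol, source, destination, destination port or None)
ACL_INSIDE = [                                   # S0lo's inside_access_dmz
    ("deny",   "tcp", "10.10.10.128/25", "10.10.20.11/32", 21),
    ("permit", "ip",  "0.0.0.0/0",       "0.0.0.0/0",      None),
]
ACL_OUTSIDE = [("permit", "tcp", "0.0.0.0/0", "39.0.2.13/32", 21)]        # assumed inbound FTP rule
ACL_NO_NAT  = [("permit", "ip", "10.10.10.0/24", "10.10.20.0/28", None)]  # r0nni3's no_nat
ACL_DMZ_NAT = [("permit", "ip", "10.10.20.0/28", "0.0.0.0/0",     None)]  # r0nni3's DMZ_NAT

CONFIG = {
    "access_group": {"inside": ACL_INSIDE, "outside": ACL_OUTSIDE},
    "nat0":   {"inside": ACL_NO_NAT},                    # nat (inside) 0 access-list no_nat
    "nat":    [("inside", 1, None),                      # nat (inside) 1 0.0.0.0 0.0.0.0 (assumed existing)
               ("dmz", 10, ACL_DMZ_NAT)],                # nat (dmz) 10 access-list DMZ_NAT
    "global": {("outside", 1): "interface PAT",          # assumed: the global (outside) 1 left in place
               ("outside", 10): "39.0.2.3-39.0.2.12"},   # global (outside) 10 39.0.2.3-39.0.2.12
    "static": [("dmz", "outside", "39.0.2.13", "10.10.20.11"),   # (real_if, mapped_if, mapped, real)
               ("dmz", "outside", "39.0.2.14", "10.10.20.12")],
}

def acl_permits(acl, proto, src, dst, dport=None):
    """First-match evaluation, ending in the ASA's implicit deny."""
    for action, p, s, d, port in acl:
        if p not in ("ip", proto):
            continue
        if ip_address(src) not in ip_network(s) or ip_address(dst) not in ip_network(d):
            continue
        if port is not None and port != dport:
            continue
        return action == "permit"
    return False

def egress_interface(dst):
    """Stand-in for the routing table: connected networks first, else the default route."""
    for name, info in INTERFACES.items():
        if info["net"] is not None and ip_address(dst) in info["net"]:
            return name
    return "outside"

def process(cfg, ingress, proto, src, dst, dport=None):
    """Decide one new connection; returns (verdict, egress, src after NAT, dst after NAT)."""
    # 1. Ingress ACL on the packet as it arrived (pre-8.3 ACLs see the mapped addresses).
    acl = cfg["access_group"].get(ingress)
    if acl is not None and not acl_permits(acl, proto, src, dst, dport):
        return ("denied-acl", None, src, dst)
    # 2. A destination that is a static's mapped address is un-NATed before routing.
    unnat = False
    for real_if, mapped_if, mapped, real in cfg["static"]:
        if ingress == mapped_if and dst == mapped:
            dst, unnat = real, True
    egress = egress_interface(dst)
    # 3. With no ACL bound, only higher- to lower-security traffic passes.
    if acl is None and INTERFACES[ingress]["level"] <= INTERFACES[egress]["level"]:
        return ("denied-implicit", egress, src, dst)
    # 4. NAT control, in ASA precedence: nat 0 exemption, static, then dynamic nat/global.
    nat0 = cfg["nat0"].get(ingress)
    if nat0 is not None and acl_permits(nat0, proto, src, dst, dport):
        return ("nat0", egress, src, dst)          # routed, source untouched
    if unnat:
        return ("static-unnat", egress, src, dst)  # the static covers the inbound connection
    for real_if, mapped_if, mapped, real in cfg["static"]:
        if ingress == real_if and egress == mapped_if and src == real:
            return ("static", egress, mapped, dst)
    for nat_if, nat_id, nat_acl in cfg["nat"]:
        if nat_if != ingress:
            continue
        if nat_acl is not None and not acl_permits(nat_acl, proto, src, dst, dport):
            continue
        pool = cfg["global"].get((egress, nat_id))  # only a global with the SAME id on the egress side
        if pool is not None:
            return ("dynamic", egress, pool, dst)
    return ("no-translation", egress, src, dst)     # nat-control drop: no xlate could be built

def solo_variant(cfg, with_dmz_global):
    """S0lo's layout: no nat 0; inside->dmz relies on nat 1 pairing with global (dmz) 1 interface."""
    v = copy.deepcopy(cfg)
    v["nat0"] = {}
    if with_dmz_global:
        v["global"][("dmz", 1)] = "interface PAT"
    return v

if __name__ == "__main__":
    for flow in [("inside", "tcp", "10.10.10.200", "10.10.20.11", 21),   # wireless -> FTP: denied by ACL
                 ("inside", "tcp", "10.10.10.200", "10.10.20.12", 80),   # wireless -> web: nat 0, routed
                 ("dmz", "tcp", "10.10.20.5", "8.8.8.8", 443),           # dmz -> internet: pool with id 10
                 ("outside", "tcp", "203.0.113.9", "39.0.2.13", 21)]:    # internet -> FTP via the static
        print(flow, "->", process(CONFIG, *flow))
    print("S0lo layout, no global (dmz) 1 ->",
          process(solo_variant(CONFIG, False), "inside", "tcp", "10.10.10.5", "10.10.20.12", 80))
```

The last line shows the failure S0lo's `global (dmz) 1 interface` fixes: with `nat (inside) 1` but no id-1 global on the dmz side, the inside-to-dmz flow ends as `no-translation`, while r0nni3's `nat (inside) 0` variant routes it untouched. Either way the inside ACL is what actually blocks the wireless subnet from port 21 on 10.10.20.11 while still letting it reach 10.10.20.12.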
14 years 11 months ago #32822
by S0lo
Replied by S0lo on topic Re: ASA5510 configuration
I'm not really a fan of using NAT between your inside and DMZ, but that's a personal preference.
But to make things a little easier I would make a NAT 0 rule that permits traffic from your inside to your DMZ. (NAT 0 means that you don't use NAT but instead just route the traffic.)
[code:1]access-list no_nat permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.240
nat (inside) 0 access-list no_nat
[/code:1]
I agree, I'm not a fan of NATing to the DMZ either. Thanks for mentioning it, r0nni3; I was digging through my dusty memory but couldn't recall how to use NAT 0.
However alf6901, whichever way you do it you still need an ACL to prevent the wireless clients from accessing the FTP server. (You can try to exempt them with NAT 0's access list, but this will fail in allowing them to access the web server (requirement 3).)
One note here: I assumed that the gateway router is not doing NAT. If I'm right, then you would (at least) need a static route on the gateway router to route 39.0.2.x traffic back to the network. (Sure, you need a default route too, to route to the internet/ISP.)
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx