https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4094627#M1070587 Hello, <BR /><BR />It would be probable due to the type of service you are using to identify the port object. When you define the service object for port 21, is that using source? or Dest? <BR /><BR />Mike. Fri, 29 May 2020 19:55:59 GMT Maykol Rojas 2020-05-29T19:55:59Z https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4094607#M1070585 <P>I have a dmz server, listening on port 21, I want this server to be accessible from internet.&nbsp;</P><P>&nbsp;</P><P>Here are my options:</P><P>1)</P><P>&nbsp;</P><P>nat (dmz,outside) source static ftp_10.20.30.40 x.x.x.x(publicIP) service FTP_21 FTP_21</P><P>&nbsp;</P><P>^^ Does NOT work.</P><P>&nbsp;</P><P>=============================================================</P><P>2)</P><P>object network ftp_10.20.30.40<BR />host 10.20.30.40<BR />nat (dmz,outside) static x.x.x.x(PublicIP) service tcp ftp ftp</P><P>&nbsp;</P><P>^^^ Works.</P><P>&nbsp;</P><P>What is wrong with 1??? I am clueless. I have exact same NAT statement for another server (option 3) listening on a different port and it works.</P><P>&nbsp;</P><P>3)&nbsp;nat (dmz,outside) source static 10.20.30.41 y.y.y.y(PublicIP) service 2222 2222</P><P>&nbsp;</P> Fri, 29 May 2020 19:14:03 GMT https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4094607#M1070585 Brad_Shawh 2020-05-29T19:14:03Z https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4094627#M1070587 Hello, <BR /><BR />It would be probable due to the type of service you are using to identify the port object. When you define the service object for port 21, is that using source? or Dest? <BR /><BR />Mike. Fri, 29 May 2020 19:55:59 GMT https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4094627#M1070587 Maykol Rojas 2020-05-29T19:55:59Z https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4094841#M1070595 <P class="lia-align-justify">Thank you.</P><P class="lia-align-justify">&nbsp;</P><P class="lia-align-justify">I was using destination ports, but should it not be destination port 21 and not source? How does this work?</P> Sat, 30 May 2020 10:48:01 GMT https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4094841#M1070595 Brad_Shawh 2020-05-30T10:48:01Z https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4094946#M1070605 Hello; <BR /><BR />It can be confusing because your clients are actually using port 21 as destination, but if you see it closely, the Server will be always using port 21 as source for the replies. <BR /><BR />From a client initiating the conn (Initiating SYN): <BR />Client--RandomSourcePort--Firewall--Server---Port 21. <BR /><BR />When the server replies, it would look like this (Reply SYN-ACK): <BR />Port21--Server ---Firewall---RandomSourcePort--Client . <BR /><BR />For the firewall logic, it would statically map whatever that comes source on port 21 to the NAT address. That would allow anyone to send packets to that global IP and the firewall knows that if the source port is 21 (it will always be when the server replies) it will NAT it. <BR /><BR />Hope it helps. Sat, 30 May 2020 20:32:00 GMT https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4094946#M1070605 Maykol Rojas 2020-05-30T20:32:00Z https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4099266#M1070857 <P>Thank you for the explanation <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 08 Jun 2020 10:34:11 GMT https://community.cisco.com/t5/network-security/confusing-nat-statements/m-p/4099266#M1070857 Brad_Shawh 2020-06-08T10:34:11Z