topic Re: Cant get NAT Loopback working (access FTP on outside IP from inside) in Network Security

Cant get NAT Loopback working (access FTP on outside IP from inside)

Kortermann-IT ApS — Thu, 26 Nov 2020 12:31:07 GMT

Hello

I have some issues to make nat loopback. How do i do that?

Lets say i have local FTP server: 192.168.2.200

I can access that local, and through my NAT from outside: 92.55.67.12.

But if im on my local network 192.168.2.x/24, i cant access FTP on 92.55.67.12, because i need nat loopback.

Running ASA software on firepower 1010.

How to solve?

Re: Cant get NAT Loopback working (access FTP on outside IP from inside)

Kortermann-IT ApS — Thu, 26 Nov 2020 12:31:17 GMT

NAT, cisco, firewall, firepower, Cisco Adaptive Security Appliance (ASA)

Re: Cant get NAT Loopback working (access FTP on outside IP from inside)

Marius Gunnerud — Thu, 26 Nov 2020 13:25:13 GMT

You can add the dns keyword to the end of the NAT statement. When DNS replies enter the ASA for lookups to the FTP server the ASA checks the NAT table to see if there are any entries that match the public IP. If it finds a NAT statement and the DNS keyword is added, the public IP will be re-written to the private IP and then the client can access the server using the private IP. Remember that this will require an access list entry allowing access to the private IP if the client and the FTP server are located off of separate interfaces on the ASA.

Re: Cant get NAT Loopback working (access FTP on outside IP from inside)

Kortermann-IT ApS — Thu, 26 Nov 2020 13:58:06 GMT

Thanks.

Can you maybe help with a command?

Re: Cant get NAT Loopback working (access FTP on outside IP from inside)

Marius Gunnerud — Thu, 26 Nov 2020 15:36:22 GMT

object network FTP_SERVER

host 192.168.2.200

nat (inside,outside) static 92.55.67.12 dns

Re: Cant get NAT Loopback working (access FTP on outside IP from inside)

Kortermann-IT ApS — Fri, 27 Nov 2020 07:58:10 GMT

Thanks.

I got this error:

Result of the command: "object network FTP_SERVER"

The command has been sent to the device

Result of the command: "host 192.168.11.219"

The command has been sent to the device

Result of the command: "nat (inside,outside) static 212.98.71.90 dns"

ERROR: Address 212.98.71.90 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Re: Cant get NAT Loopback working (access FTP on outside IP from inside)

Marius Gunnerud — Fri, 27 Nov 2020 08:36:55 GMT

If you are using the outside interface IP then you need to use the interface keyword instead of the IP address. Be careful when doing this though as you will break all other internet traffic other than the FTP server if using the same IP for internet traffic. If you do not have a spare IP and you have other devices that need access to the internet your best bet would be to use twice nat.

for example (I would recommend replace the any any with object groups for your local lan or host that is to access the FTP server)

object network FTP_SERVER

host 192.168.2.200

nat (inside,inside) source static any any destination static interface FTP_SERVER

Re: Cant get NAT Loopback working (access FTP on outside IP from inside)

Kortermann-IT ApS — Fri, 27 Nov 2020 09:28:01 GMT

How should the any any be?

I have all my clients on 192.168.11.0/24.

FTP server: 192.168.11.219

Public IP: 212.98.71.90

Re: Cant get NAT Loopback working (access FTP on outside IP from inside)

Kortermann-IT ApS — Fri, 27 Nov 2020 09:57:15 GMT

Im using this rule today:

object network VM-RDS-01
nat (inside,outside) static interface service tcp 3389 3389

Which is working from outside, but not from inside..

Re: Cant get NAT Loopback working (access FTP on outside IP from inside)

Marius Gunnerud — Fri, 27 Nov 2020 10:13:17 GMT

You could try the following:

object network FTP_SERVER

host 192.168.11.219

object network LAN

subnet 192.168.11.0 255.255.255.0

object network LAN-NAT

host 1.2.3.4

nat (inside,inside) source static LAN LAN-NAT destination static interface FTP_SERVER

The LAN-NAT object is required since your FTP and hosts are on the same network and you will end up with asynchronous routing if you have LAN LAN (traffic flow would be host --> ASA --> FTP -->host) and since the ASA does not see the return traffic from the FTP all other traffic in that flow will be dropped. You could define a completely different subnet for the source also for example:

object network LAN-NAT

subnet 192.168.12.0 255.255.255.0

and as long as that subnet is routed towards the ASA NAT will take care of the rest.