topic Hi Gelo, in Network Security

Can't Access Translated Public FTP server via Internal Network

geloangelo00 — Tue, 12 Mar 2019 07:06:20 GMT

Hi Cisco Support,

Greetings and Happy New year!

Is it possible from internal users can access the translated public ftp server? The ASA itself translate the internal FTP to public. The client wants to access the FTP server using Public IP even they're on the internal network. Hope your prompt response as soonest.

Thank you and Have a great day!

Regards,

Gelo

Hi Gelo,

Shivapramod M — Tue, 05 Jan 2016 06:54:38 GMT

Hi Gelo,

As per my understanding inside users would like to access the server from the public IP. If your server and users who want to connect are in the same interface then you can configure a hair-pin NAT for this.

Below is the configuration template for OS version 8.3 and above.

nat (inside,inside) source dynamic <Private-Addresses object> interface destination static [PUBLIC-ADDRESS-OBJECT][[PRIVATE-ADDRESS-OBJECT]

Also you need to enable traffic between the same security level.
same-security-traffic permit intra-interface

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hello,

bhavsha2 — Tue, 05 Jan 2016 07:11:30 GMT

Hello,

yes it is possible. It is similar to Users accessing Internet. Make sure you are translating the Client ip address so that they could reach Internet.

Are the users able to access Internet?

Run packet tracer and check where the connection is failing.

Regards,

Bhavik Shah

Hi Shivap,

geloangelo00 — Tue, 05 Jan 2016 07:21:42 GMT

Hi Shivap,

What do you mean by "<Private-Addresses object>" is this the whole subnet (192.168.1.0/24 for example)? and the "[PUBLIC-ADDRESS-OBJECT]" is this the translated public address of the ftp server(1.1.1.50 for example)? Sorry if i misunderstood something about the natting thing.

Thank you

Hi,

Shivapramod M — Tue, 05 Jan 2016 07:29:00 GMT

Hi,

Yes, here is a sample configuration. change your IP address accordingly.

int Eth0/0
nameif outside
ip address 1.2.3.1 255.255.255.0
security-level 0

int Eth0/1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 90

obj net obj-host-192.168.1.250
host 192.168.1.250

obj net obj-host-1.2.3.250
host 1.2.3.250
nat (inside,outside) static obj-host-192.168.1.250

nat (inside,inside) source dynamic any interface destination static obj-host-1.2.3.250 obj-host-192.168.1.250

here 192.168.1.250 is the server real IP and 1.2.3.250 is the public IP of the server

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Hi again,

geloangelo00 — Tue, 05 Jan 2016 08:54:37 GMT

Hi again,

Is it ok for this configuration? I think you gave me is the reverse public to internal translation of the server. To make us understand is from internal to public translation.

obj net obj-host-192.168.1.250
host 192.168.1.250

nat (inside,outside) obj-host-1.2.3.250

obj net obj-host-1.2.3.250
host 1.2.3.250

nat (inside,inside) source dynamic any interface destination static obj-host-192.168.1.250 obj-host-1.2.3.250

Thank you.