topic Hi,>> create a service object in Network Security

PAT configuration issue

emmaknight — Tue, 12 Mar 2019 06:10:29 GMT

Hi all,

First a little background on what I'm trying to do. I have a webserver in my DMZ running two FTP sites, one on port 21 and one on port 24. The ftp server running on port 21 is working fine, however I am having issues configuring my ASA5505 for PAT on port 24. Basically I want end users to access both sites on port 21, and the firewall to translate based on the incoming IP address.

I have multiple public IP addresses on my external interface, and I have configured my web server to have multiple IP addresses as well.

Static NAT rules are below:

static (dmz,Internet) tcp interface ftp 172.16.1.6 ftp netmask 255.255.255.255
static (dmz,Internet) tcp TPG_IP_4 24 172.16.1.7 ftp netmask 255.255.255.255

However when I attempt to access the ftp server running on port 24 it doesn't connect, with the following error logged (masked IP address with x):

Jun 24 2015

12:45:02

124.168.x.x

51903

TPG_IP_4

Duplicate TCP SYN from Internet:124.168.x.x/51903 to Internet:TPG_IP_4/21 with different initial sequence number

Can anyone tell me what I'm missing? Or is this configuration not possible? I have many other NAT translations working with different public IP addresses on the external interface, however this is the first one I have tried to configure PAT for. This is my first post so please let me know if I need to provide more information.

Thanks.

Hi,>> create a service object

Rishabh Seth — Wed, 24 Jun 2015 07:22:39 GMT

Hi,

>> create a service object for ftp on port 24 (eg service name: ftp-24)

>> edit nat to map real service on port 24 to mapped port 21.

static (dmz,Internet) tcp TPG_IP_4 24 ftp-24 172.16.1.7 ftp netmask 255.255.255.255

>> As ftp is working on a different port, so we need to make ASA perform ftp inspection for traffic on port 24 as well.

++ create a class map to match traffic on port 24.

ciscoasa(config)# class-map ftp-24-class

ciscoasa(config-cmap)# match port tcp eq 24

++ Use this new class map in policy map and apply inpection for ftp.

          ciscoasa(config)# policy-map global_policy
          ciscoasa(config-pmap)# class ftp-24-class
          ciscoasa(config-pmap-c)# inspect ftp

Hope it helps!!!

Thanks for the quick reply. I

emmaknight — Wed, 24 Jun 2015 11:01:09 GMT

Thanks for the quick reply. I'm running ASA 8.2 which doesn't seem to have the option to add a service object, only a service object group which I then can't add to my NAT rule. Is there another way to do this?

I've setup the ftp inspection as described but still experiencing the same issue.

Try it without the service

Rishabh Seth — Wed, 24 Jun 2015 18:56:48 GMT

Try it without the service object. I think it is just the missing inspection which is breaking FTP access.

-------------------------------------------------------------------------------------------------------------------