topic NAT --Help in Network Security

NAT --Help

Anukalp S — Tue, 12 Mar 2019 03:24:34 GMT

Hello..

I am stuck in configuring NAT and dont know whether i am doing it right. I have two ftp servers (10.120.11.10 & 10.120.11.11) and want to nat these two servers with single public ip(X.X.111.157) and want to access ftp from intenet through this public ip. I have below config on ASA verr 8.2(5)

access-list ftp_servr extended permit tcp host 10.120.11.10 any eq ftp

access-list ftp_servr extended permit tcp host 10.120.11.10 any eq ftp-data

access-list ftp_servr extended permit tcp host 10.120.11.11 any eq ftp

access-list ftp_servr extended permit tcp host 10.120.11.11 any eq ftp-data

access-list out extended permit tcp any host X.X.111.157 eq ftp

access-list out extended permit tcp any host X.X.111.157 eq ftp-data

nat (dmz) 2 access-list ftp_servr

global (outside) 2 X.X.111.157

Every thing is working fine internally but when i try to oprn ftp port from intenet to public ip(X.X.111.157) then it doesnt work even i cant ping this public ip even after allowing ports from outside.

Pls hep me here.

NAT --Help

Marius Gunnerud — Fri, 03 Jan 2014 13:13:37 GMT

You can not use a single external IP and then use PAT to send port 21 to two different internal servers. You will need to have a second public address for the second FTP server.

--
Please remember to rate and select a correct answer

NAT --Help

Anukalp S — Fri, 03 Jan 2014 13:48:22 GMT

Thanks.. for helping me out on this.

NAT --Help

Julio Carvajal — Fri, 03 Jan 2014 20:23:15 GMT

Hello,

Also the NAT you are doing is call Policy-Based NAT which is used for connections in this case from DMZ to outside not from Outside to DMZ.

You have to use a Static NAT rule for this.

If you only have one IP address then your option is:

Nat one of the internal servers port 21 to the public IP address of the firewall on port 21

The other server port 21 nat it to the same public IP address port 2121 for example AND enable FTP inspection over that non-standar port (2121). Then you could innitiate a FTP connection to 2121 and it will work as well with just 21.

Traffic will reach both servers.

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

NAT --Help

Anukalp S — Sun, 05 Jan 2014 19:36:27 GMT

Hi Julio..

Could you share config example for which you stated above.I will look for this.

Actually this ftp server will be access by our clients and they will access over internet. Problem is that we can not ask them to connect on port 2121(or any other port except 21), so is there any other way we could find solution of this situation.

NAT --Help

Marius Gunnerud — Sun, 05 Jan 2014 19:56:40 GMT

If you can not connect to a different port externally then you must use a second public IP to connect to the second FTP server. You have no other choice in this case.

The following configuration is what you would need. The first line will use the outside interface IP and the second will use a different public IP.

static (inside,outside) tcp interface 21 10.120.11.10 21 netmask 255.255.255.255

static (inside,outside) tcp 173.17.3.20 21 10.120.11.11 21 netmask 255.255.255.255

--
Please remember to rate and select a correct answer

NAT --Help

Julio Carvajal — Sun, 05 Jan 2014 19:58:29 GMT

Hello Anukalp,

If there is no way for them to connect to other port the answer is no.

Another IP will be needed

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

NAT --Help

Anukalp S — Sun, 05 Jan 2014 20:07:41 GMT

HI Julio..

Still i will try to ask clients to make connections on other port since we dont have another ip but before this i need to have this config setup to work properly. So could you pls help in sharing config example.

NAT --Help

Marius Gunnerud — Sun, 05 Jan 2014 20:24:31 GMT

I have already provided the configurations you need in my previous post with regards to NAT.

You also need to configure an ACL rule that permits the traffic

access-list out-to-in extended permit tcp any eq 21

access-group out-to-in in interface outside

--
Please remember to rate and select a correct answer

NAT --Help

Anukalp S — Sun, 05 Jan 2014 20:36:10 GMT

Hi Marius..

In you config example, you are using two public ip(interface IP & a another ip) but i need config example of natting two servers with single public ip but on different port as Julio mentioned above.

NAT --Help

Julio Carvajal — Sun, 05 Jan 2014 20:40:23 GMT

Hello Marius,Aanukalp

The configuration required when running 8.2 or lower would be

static (inside,outside) tcp outside_ip 2121 private_ip 21

access-list outside_inside permit tcp any host outside_interface_ip eq 2121

access-list MPF_FTP permit tcp any host outside_interface_ip eq 2121

class-map FTP

match access-list MPF_FTP

policy-map global_policy

class FTP

inspect FTP

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

NAT --Help

Marius Gunnerud — Sun, 05 Jan 2014 20:43:00 GMT

Hi Julio, he mentioned that connecting to a port other than 21 is not an option. Or did I missunderstand?

--
Please remember to rate and select a correct answer

Re: NAT --Help

Marius Gunnerud — Sun, 05 Jan 2014 20:46:08 GMT

Yes I used two seperate IPs because you said it was not an option to connect to a different port externally. If you are not able to use an external port other than 21 when connecting to the second FTP server then you MUST have a second IP.

--
Please remember to rate and select a correct answer

NAT --Help

Anukalp S — Sun, 05 Jan 2014 22:00:46 GMT

Thanks Julio..for sharing config.