topic Re: Access FTP Sever in inside interface with Public IP in Network Security

Access FTP Sever in inside interface with Public IP

manuadoor — Mon, 11 Mar 2019 17:40:46 GMT

Hi,

I have a ftp server in my inside zone of ASA, One of my application team needed to access that ftp server in the inside interface with the Public IP. If they were using a url for that I could have used "dns doctoring". I tried with the following NAT

static (inside, inside) <localip> <publicip>

but ASA thinking that it is an attack

Note: Both Client and FTP server are in the same network hence the zone which is inside.

Re: Access FTP Sever in inside interface with Public IP

Jennifer Halim — Tue, 04 May 2010 10:05:29 GMT

It should be as follows:

static (inside, inside) netmask 255.255.255.255

global (inside) 1 interface

same-security-traffic permit intra-interface

Re: Access FTP Sever in inside interface with Public IP

manuadoor — Tue, 04 May 2010 10:14:08 GMT

halijenn,

Nat syntax is ilike

nat (real int, mapped int) mapped ip real ip netmask ??/

in my case I want to replace my public ip with my local ip, what is the logic behind static (inside, inside) netmask 255.255.255.255

Also pls let me know why we require the following??

global (inside) 1 interface

This is just to clear my understanding!!!

Re: Access FTP Sever in inside interface with Public IP

Jennifer Halim — Tue, 04 May 2010 10:21:24 GMT

For normal static (inside,outside) statement, you would configure the following: static (inside,outside) , so the concept is the same for static (inside,inside).

You are trying to reach the public ip, so the first ip address in the static statement should be the public-ip, and the second ip is the local-ip.

The reason why you need "global (inside) 1 interface" is you still need translation for the source address which is your internal host. The static statement above is for destination translation.

Re: Access FTP Sever in inside interface with Public IP

manuadoor — Tue, 04 May 2010 10:28:14 GMT

The first part is clear now ,,

Since the host and the server is in the same zone (inside), why we need source translaion??? You meant for nat-control??

Re: Access FTP Sever in inside interface with Public IP

Jennifer Halim — Tue, 04 May 2010 10:32:02 GMT

Correct, if you already have NAT statement on that interface, then you would need the global (inside) command. Otherwise, if there is no NAT statement at all on that interface, you can disable nat-control, and the connection would work.

Also, if you have ACL assigned to the inside interface, you would need to allow the traffic:

access-list permit tcp host eq 21

Re: Access FTP Sever in inside interface with Public IP

manuadoor — Tue, 04 May 2010 10:33:15 GMT

Thanks a lot.. Let me try now!!!