https://community.cisco.com/t5/network-security/static-nat-to-ftp-server-asa5505/m-p/1376382#M784601 <P>Hi All,</P><P></P><P>Have an ASA 5505 with 2 public IP's, multiple site to site VPNs. </P><P></P><P>First issue: Trying to set up a static nat from public to private for an FTP server. I thought i had the statements correct, but attemting to connect via ftp to the internal ftp server just times out.&nbsp; A Packet trace shows it fails on the global NAT statement for the outside_in ACL I think, but am unsure how to fix that and do not want to mess up the Nat for the tunnels.</P><P></P><P>Second issue: Will setting up the Cisco clientless SSL vpn on the box interfere with any of the site to site tunnels? I dont think it would but want to make sure.</P><P></P><P>Config attached, all replies appreciated.</P> Mon, 11 Mar 2019 16:47:55 GMT jamesbruce 2019-03-11T16:47:55Z https://community.cisco.com/t5/network-security/static-nat-to-ftp-server-asa5505/m-p/1376382#M784601 <P>Hi All,</P><P></P><P>Have an ASA 5505 with 2 public IP's, multiple site to site VPNs. </P><P></P><P>First issue: Trying to set up a static nat from public to private for an FTP server. I thought i had the statements correct, but attemting to connect via ftp to the internal ftp server just times out.&nbsp; A Packet trace shows it fails on the global NAT statement for the outside_in ACL I think, but am unsure how to fix that and do not want to mess up the Nat for the tunnels.</P><P></P><P>Second issue: Will setting up the Cisco clientless SSL vpn on the box interfere with any of the site to site tunnels? I dont think it would but want to make sure.</P><P></P><P>Config attached, all replies appreciated.</P> Mon, 11 Mar 2019 16:47:55 GMT https://community.cisco.com/t5/network-security/static-nat-to-ftp-server-asa5505/m-p/1376382#M784601 jamesbruce 2019-03-11T16:47:55Z https://community.cisco.com/t5/network-security/static-nat-to-ftp-server-asa5505/m-p/1376383#M784602 <HTML><HEAD></HEAD><BODY><P>You need...</P><P></P><P>access-list outside_access_in extended permit tcp any host 69.28.112.254 eq ftp</P></BODY></HTML> Fri, 11 Dec 2009 15:24:06 GMT https://community.cisco.com/t5/network-security/static-nat-to-ftp-server-asa5505/m-p/1376383#M784602 acomiskey 2009-12-11T15:24:06Z https://community.cisco.com/t5/network-security/static-nat-to-ftp-server-asa5505/m-p/1376384#M784603 <HTML><HEAD></HEAD><BODY><P><SPAN style="background-color: #f8fafd;">Thanks, I tried that command and it still does't work.</SPAN></P><P><SPAN style="background-color: #f8fafd;">I can ping the internal host from the ASA CLI, so the internal host is live.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Even tried adding a static net command after the comand you suggested with no results.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Removed both commands for now.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">I still think the gloabl NAT statements are interfering with this , just not sure how.&nbsp; </SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">I turned on logging after the command you suggested and do not even see in the log my external ip even trying to connect via ftp, no errors, nothing.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Strange...</SPAN></P></BODY></HTML> Sat, 12 Dec 2009 15:08:27 GMT https://community.cisco.com/t5/network-security/static-nat-to-ftp-server-asa5505/m-p/1376384#M784603 jamesbruce 2009-12-12T15:08:27Z https://community.cisco.com/t5/network-security/static-nat-to-ftp-server-asa5505/m-p/1376385#M784604 <HTML><HEAD></HEAD><BODY><P></P><DIV><P>I my experience, using the same IP (ie. interface ip) for Static NAT and NAT overload or PAT causes xlate issues like you're seeing. If you have another public IP for use with the static NAT trying using that and see if the issue is resolved. </P><P></P><P>Hopefully this line is just for debug purposes and not a permanent ACL:</P><P></P><P></P><P>access-list outside_access_in extended permit ip any any log debugging</P><DIV> </DIV><DIV> </DIV><DIV>All incoming traffic to the outside interface will be subject to the outside_access_in ACL, including VPN traffic. With VPN traffic though you can enable 'sysopt connection permit-vpn' to ignore all ACLs. Your packet-tracer results sound normal.</DIV><DIV> </DIV><DIV>Configuring SSL VPN shouldn't affect your site-to-site tunnels at all. You can implement SSL VPN on an existing group-policy and tunnel-group used for IPSec Client VPN if you wish.</DIV><DIV> </DIV><DIV>Hope that helps.</DIV><DIV> </DIV><DIV>James</DIV><DIV> </DIV><DIV> </DIV><P></P></DIV><P></P></BODY></HTML> Sun, 13 Dec 2009 00:39:27 GMT https://community.cisco.com/t5/network-security/static-nat-to-ftp-server-asa5505/m-p/1376385#M784604 busterswt 2009-12-13T00:39:27Z