https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013700#M937320 <HTML><HEAD></HEAD><BODY><P>Also I think you have the static rule the wrong way round:</P><P></P><P>static (inside,outside) 194.250.0.50 190.100.100.102 netmask 255.255.255.255 </P><P></P><P>At least that is how we do it here.</P></BODY></HTML> Fri, 23 May 2008 11:11:12 GMT jigsaw2026 2008-05-23T11:11:12Z https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013696#M937302 <P>Hi all,</P><P>I am a newbie for cisco pics and I wanted to add abasic NAT rule to my firewall to allow and redirect FTP requests from internet to one of my public adresses</P><P>194.250.0.50 to an internal computer 190.100.100.102.</P><P>using the web interface I added one nat rule: </P><P>static (outside,inside) 190.100.100.102 194.250.0.50 netmask 255.255.255.255 0 0 </P><P>and allow incoming ftp requests:</P><P>access-list outside_access_in permit tcp host 190.100.100.102 eq ftp host 194.50.0.0 eq ftp </P><P></P><P>proxy arp is enabled</P><P>but when trying to connect from outside to 194.250.0.50 is denied</P><P>here is what I got in the log:</P><P>106023:Deny tcp src 195.115.153.23x/xxxx dst inside:ftpexternal/21 by access-group "outside_access_in"</P><P></P><P>ftpexternal stands for 194.250.0.50</P><P>Look's like my rule is not correct .</P><P>Can any one help me on the matter ?</P> Mon, 11 Mar 2019 12:48:45 GMT https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013696#M937302 paul.lahitte 2019-03-11T12:48:45Z https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013697#M937306 <HTML><HEAD></HEAD><BODY><P>Looks to me like your ACL is wrong - is should be:</P><P></P><P>access-list outside_access_in permit tcp host 195.115.153.23x host 194.250.0.50 eq ftp</P><P></P><P>That's assuming that you only want access from that one external host - you can have any host or network in there.</P><P></P><P>You don't need an ACL from 190.100.100.102 to 194.250 (in any case your ACL was referencing 194.50.0.0).</P><P></P></BODY></HTML> Fri, 23 May 2008 09:59:23 GMT https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013697#M937306 jigsaw2026 2008-05-23T09:59:23Z https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013698#M937311 <HTML><HEAD></HEAD><BODY><P></P><P>Thank's</P><P>I just want any network being able to connect to 194.250.0.50 using ftp .</P></BODY></HTML> Fri, 23 May 2008 10:53:07 GMT https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013698#M937311 paul.lahitte 2008-05-23T10:53:07Z https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013699#M937315 <HTML><HEAD></HEAD><BODY><P>So then:</P><P></P><P>access-list outside_access_in permit tcp any host 194.250.0.50 eq ftp </P></BODY></HTML> Fri, 23 May 2008 11:08:34 GMT https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013699#M937315 jigsaw2026 2008-05-23T11:08:34Z https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013700#M937320 <HTML><HEAD></HEAD><BODY><P>Also I think you have the static rule the wrong way round:</P><P></P><P>static (inside,outside) 194.250.0.50 190.100.100.102 netmask 255.255.255.255 </P><P></P><P>At least that is how we do it here.</P></BODY></HTML> Fri, 23 May 2008 11:11:12 GMT https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013700#M937320 jigsaw2026 2008-05-23T11:11:12Z https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013701#M937323 <HTML><HEAD></HEAD><BODY><P>thank's it is working</P><P>thank's lot again </P></BODY></HTML> Fri, 23 May 2008 11:53:22 GMT https://community.cisco.com/t5/network-security/basic-nat-rule-newbie/m-p/1013701#M937323 paul.lahitte 2008-05-23T11:53:22Z