05-04-2010 03:02 AM - edited 03-11-2019 10:40 AM
Hi,
I have an FTP server in the inside zone of my ASA. One of my application teams needed to access that FTP server on the inside interface using the public IP. If they were using a URL for that, I could have used "DNS doctoring". I tried the following NAT:
static (inside, inside) <localip> <publicip>
but the ASA thinks that it is an attack.
Note: both the client and the FTP server are in the same network, hence the same zone, which is inside.
Labels: NGFW Firewalls
Accepted Solutions

05-04-2010 03:32 AM
Correct, if you already have a NAT statement on that interface, then you would need the global (inside) command. Otherwise, if there is no NAT statement at all on that interface, you can disable nat-control and the connection would work.
Also, if you have an ACL assigned to the inside interface, you would need to allow the traffic:
access-list

05-04-2010 03:05 AM
It should be as follows:
static (inside, inside)
global (inside) 1 interface
same-security-traffic permit intra-interface
05-04-2010 03:14 AM
NAT syntax is like:
nat (real int, mapped int) mapped ip real ip netmask
In my case I want to replace my public IP with my local IP. What is the logic behind static (inside, inside)?
Also, please let me know why we require the following:
global (inside) 1 interface
This is just to clear up my understanding!

05-04-2010 03:21 AM
For a normal static (inside,outside) statement, you would configure the following: static (inside,outside)
You are trying to reach the public IP, so the first IP address in the static statement should be the public IP, and the second IP is the local IP.
The reason why you need "global (inside) 1 interface" is that you still need translation for the source address, which is your internal host. The static statement above is for destination translation.
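Pulling the three replies together (the static/global pair above, the nat-control and ACL points from the accepted answer), here is an added, complete pre-8.3 hairpin NAT configuration for this scenario. It is not from the thread; the addresses (inside LAN 192.168.1.0/24, FTP server 192.168.1.10, public IP 203.0.113.10) and the ACL name inside_in are assumed placeholders.

```text
! Added example, not from the original thread. Assumed: inside LAN 192.168.1.0/24,
! FTP server 192.168.1.10, public IP 203.0.113.10, ACL name inside_in. Pre-8.3 syntax.

! 1. Let a flow enter and leave the same interface (hairpin / U-turn); without this
!    the ASA drops inside->inside traffic at the interface.
same-security-traffic permit intra-interface

! 2. Destination translation: mapped (public) IP first, real (local) IP second.
!    This is what the static (inside,inside) line above actually looks like.
static (inside,inside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! 3. Source translation for the inside client. Needed when nat-control is on or an
!    existing nat (inside) 1 ... rule already covers the LAN. PATing the client to the
!    inside interface address also forces the server's replies back through the ASA
!    instead of straight across the LAN, so the firewall sees both directions.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface

! 4. If an ACL is applied inbound on inside, permit the clients to the server.
!    On pre-8.3 code the inbound ACL matches the address as it arrives at the
!    interface, i.e. the public IP, not the server's real address.
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.10 eq ftp
access-group inside_in in interface inside

! 5. FTP inspection (present in the default global policy) rewrites the server's
!    PASV/PORT addresses and opens the data-channel pinhole; confirm it is still there.
policy-map global_policy
 class inspection_default
  inspect ftp

! Verification from the ASA CLI (client 192.168.1.50 is an assumed address):
! show xlate | include 203.0.113.10
! packet-tracer input inside tcp 192.168.1.50 1025 203.0.113.10 21
```

The packet-tracer output should show the static destination translation, the PAT to the inside interface address, and an ALLOW result at the ACL phase; a DROP at the NAT phase usually means the global (inside) line or the intra-interface permit is missing.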
05-04-2010 03:28 AM

05-04-2010 03:33 AM
Thanks a lot. Let me try now!
