01-04-2016 10:41 PM - edited 03-12-2019 12:06 AM
Hi Cisco Support,
Greetings and Happy New Year!
Is it possible for internal users to access the translated public FTP server? The ASA itself translates the internal FTP server to a public address. The client wants to access the FTP server using the public IP even when they're on the internal network. Hoping for your prompt response.
Thank you and have a great day!
Regards,
Gelo
01-04-2016 10:54 PM
Hi Gelo,
As per my understanding, inside users would like to access the server using the public IP. If your server and the users who want to connect are on the same interface, then you can configure a hairpin NAT for this.
Below is the configuration template for OS version 8.3 and above.
nat (inside,inside) source dynamic <Private-Addresses object> interface destination static [PUBLIC-ADDRESS-OBJECT] [PRIVATE-ADDRESS-OBJECT]
Also you need to enable traffic between the same security level.
same-security-traffic permit intra-interface
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
01-04-2016 11:21 PM
Hi Shivap,
What do you mean by "<Private-Addresses object>"? Is this the whole subnet (192.168.1.0/24, for example)? And "[PUBLIC-ADDRESS-OBJECT]", is this the translated public address of the FTP server (1.1.1.50, for example)? Sorry if I misunderstood something about the NAT.
Thank you
01-04-2016 11:29 PM
Hi,
Yes, here is a sample configuration. Change your IP addresses accordingly.
int Eth0/0
nameif outside
ip address 1.2.3.1 255.255.255.0
security-level 0
int Eth0/1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 90
obj net obj-host-192.168.1.250
host 192.168.1.250
obj net obj-host-1.2.3.250
host 1.2.3.250
nat (inside,outside) static obj-host-192.168.1.250
nat (inside,inside) source dynamic any interface destination static obj-host-1.2.3.250 obj-host-192.168.1.250
Here 192.168.1.250 is the server's real IP and 1.2.3.250 is the public IP of the server.
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
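Why the hairpin rule above translates the source (`source dynamic any interface`) as well as the destination, shown as an added Python model that is not part of the original thread or of any Cisco tooling. The addresses come from the sample configuration; the client address 192.168.1.10 and all function names are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses, taken from the sample configuration in the post above.
INSIDE_NET = ip_network("192.168.1.0/24")
ASA_INSIDE = ip_address("192.168.1.1")      # ASA inside interface
SERVER_REAL = ip_address("192.168.1.250")   # FTP server real address
SERVER_PUBLIC = ip_address("1.2.3.250")     # FTP server translated address
CLIENT = ip_address("192.168.1.10")         # hypothetical inside client


def hairpin(src, dst, translate_source):
    """Model the ASA handling a client packet that arrives on 'inside'.

    Returns (src, dst) as the packet leaves 'inside' again, plus the
    translation entry the ASA needs to reverse the change on the reply.
    """
    if dst != SERVER_PUBLIC:
        return (src, dst), None
    new_src = ASA_INSIDE if translate_source else src
    return (new_src, SERVER_REAL), {"client": src, "pat": new_src}


def server_reply(src, dst):
    """The server answers the source it saw. Returns the reply and whether
    it goes straight to an on-link host, bypassing the ASA."""
    reply = (dst, src)
    bypasses_asa = src in INSIDE_NET and src != ASA_INSIDE
    return reply, bypasses_asa


def client_accepts(translate_source):
    """True if the reply reaching the client matches the connection it
    opened (client -> SERVER_PUBLIC), i.e. it comes from SERVER_PUBLIC."""
    (src, dst), xlate = hairpin(CLIENT, SERVER_PUBLIC, translate_source)
    (r_src, r_dst), bypass = server_reply(src, dst)
    if not bypass:
        # Reply went to the ASA interface address: reverse both translations.
        r_src, r_dst = SERVER_PUBLIC, xlate["client"]
    return r_dst == CLIENT and r_src == SERVER_PUBLIC


if __name__ == "__main__":
    # Destination-only NAT: the reply arrives from 192.168.1.250 and is rejected.
    print("destination-only NAT:", client_accepts(False))
    print("source dynamic interface:", client_accepts(True))
```

With destination-only translation the server answers the client directly on the shared subnet, so the reply never passes back through the ASA and its source does not match the address the client connected to.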
01-05-2016 12:54 AM
Hi again,
Is this configuration OK? I think what you gave me is the reverse, the public-to-internal translation of the server. Our understanding is that it is an internal-to-public translation.
obj net obj-host-192.168.1.250
host 192.168.1.250
nat (inside,outside) obj-host-1.2.3.250
obj net obj-host-1.2.3.250
host 1.2.3.250
nat (inside,inside) source dynamic any interface destination static obj-host-192.168.1.250 obj-host-1.2.3.250
Thank you.
01-04-2016 11:11 PM
Hello,
Yes, it is possible. It is similar to users accessing the Internet. Make sure you are translating the client IP address so that they can reach the Internet.
Are the users able to access the Internet?
Run packet tracer and check where the connection is failing.
Regards,
Bhavik Shah