11-26-2020 04:31 AM
Hello
I have some issues making NAT loopback work. How do I do that?
Let's say I have a local FTP server: 192.168.2.200
I can access that locally, and through my NAT from outside: 92.55.67.12.
But if I'm on my local network 192.168.2.x/24, I can't access FTP on 92.55.67.12, because I need NAT loopback.
Running ASA software on firepower 1010.
How to solve?
11-26-2020 05:24 AM - edited 11-26-2020 05:25 AM
You can add the dns keyword to the end of the NAT statement. When DNS replies enter the ASA for lookups to the FTP server the ASA checks the NAT table to see if there are any entries that match the public IP. If it finds a NAT statement and the DNS keyword is added, the public IP will be re-written to the private IP and then the client can access the server using the private IP. Remember that this will require an access list entry allowing access to the private IP if the client and the FTP server are located off of separate interfaces on the ASA.
11-26-2020 05:58 AM
Thanks.
Can you maybe help with a command?
11-26-2020 07:36 AM
object network FTP_SERVER
host 192.168.2.200
nat (inside,outside) static 92.55.67.12 dns
11-26-2020 11:58 PM
Thanks.
I got this error:
Result of the command: "object network FTP_SERVER"
The command has been sent to the device
Result of the command: "host 192.168.11.219"
The command has been sent to the device
Result of the command: "nat (inside,outside) static 212.98.71.90 dns"
ERROR: Address 212.98.71.90 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
11-27-2020 12:36 AM
If you are using the outside interface IP then you need to use the interface keyword instead of the IP address. Be careful when doing this though as you will break all other internet traffic other than the FTP server if using the same IP for internet traffic. If you do not have a spare IP and you have other devices that need access to the internet your best bet would be to use twice nat.
For example (I would recommend replacing the any any with object groups for your local LAN or the host that is to access the FTP server):
object network FTP_SERVER
host 192.168.2.200
nat (inside,inside) source static any any destination static interface FTP_SERVER
11-27-2020 01:28 AM
11-27-2020 01:57 AM
I'm using this rule today:
object network VM-RDS-01
nat (inside,outside) static interface service tcp 3389 3389
Which is working from outside, but not from inside.
11-27-2020 02:13 AM
You could try the following:
object network FTP_SERVER
host 192.168.11.219
object network LAN
subnet 192.168.11.0 255.255.255.0
object network LAN-NAT
host 1.2.3.4
nat (inside,inside) source static LAN LAN-NAT destination static interface FTP_SERVER
The LAN-NAT object is required since your FTP and hosts are on the same network and you will end up with asynchronous routing if you have LAN LAN (traffic flow would be host --> ASA --> FTP --> host), and since the ASA does not see the return traffic from the FTP, all other traffic in that flow will be dropped. You could also define a completely different subnet for the source, for example:
object network LAN-NAT
subnet 192.168.12.0 255.255.255.0
and as long as that subnet is routed towards the ASA NAT will take care of the rest.
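To make the reasoning in the answer above concrete, here is an added Python model (not part of the thread and not ASA code) of the hairpin exchange for the three source-NAT choices discussed: LAN LAN, host 1.2.3.4, and subnet 192.168.12.0/24. The client address 192.168.11.50 is constructed; the LAN, server and outside addresses are the ones from the thread.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

LAN = ip_network("192.168.11.0/24")          # the 'LAN' object in the thread
FTP_PRIVATE = ip_address("192.168.11.219")   # the FTP_SERVER object
OUTSIDE_IP = ip_address("212.98.71.90")      # ASA outside interface address
CLIENT = ip_address("192.168.11.50")         # constructed LAN client, not from the thread

def parse_lan_nat(spec):
    """None = 'source static LAN LAN'; 'a.b.c.d' = host object; 'a.b.c.d/n' = subnet object."""
    if spec is None:
        return None
    return ip_network(spec) if "/" in spec else ip_address(spec)

def translate_source(src, lan_nat):
    """Apply the 'source static LAN <LAN-NAT>' half of the twice-NAT rule.
    Static subnet-to-subnet NAT preserves the host bits, so 192.168.11.50
    becomes 192.168.12.50 when LAN-NAT is 192.168.12.0/24."""
    if lan_nat is None:
        return src
    if isinstance(lan_nat, IPv4Network):
        offset = int(src) - int(LAN.network_address)
        return IPv4Address(int(lan_nat.network_address) + offset)
    return lan_nat

def hairpin_session(spec):
    """Model one client -> FTP server -> client exchange through the ASA and report
    whether the ASA sees the return packet (needed to keep the connection in its
    table) and whether the client gets a reply from the address it connected to."""
    lan_nat = parse_lan_nat(spec)
    # Client on the LAN connects to the public address; the ASA rewrites
    # destination to FTP_SERVER ('destination static interface FTP_SERVER').
    fwd_src, fwd_dst = translate_source(CLIENT, lan_nat), FTP_PRIVATE
    # The server replies to whatever source address it saw.
    reply_src, reply_dst = fwd_dst, fwd_src
    # On-subnet destinations are delivered directly (ARP); anything else goes to
    # the default gateway, which is the ASA.
    via_asa = reply_dst not in LAN
    if via_asa:
        reply_src, reply_dst = OUTSIDE_IP, CLIENT   # ASA undoes both translations
    return {
        "asa_sees_return": via_asa,
        "client_accepts": reply_src == OUTSIDE_IP and reply_dst == CLIENT,
    }

if __name__ == "__main__":
    for spec in (None, "1.2.3.4", "192.168.12.0/24"):
        print(f"{str(spec):18s} {hairpin_session(spec)}")
```

With LAN LAN the server answers the client directly from 192.168.11.219, so the ASA never sees the return and the client sees a reply from an address it never contacted; with either LAN-NAT form the reply is forced back through the ASA and untranslated.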