2532 Views, 0 Helpful, 4 Replies
Confusing NAT statements

Brad_Shawh (Level 1)

I have a DMZ server listening on port 21, and I want this server to be accessible from the internet.

Here are my options:

1)

nat (dmz,outside) source static ftp_10.20.30.40 x.x.x.x(publicIP) service FTP_21 FTP_21

^^ Does NOT work.

=============================================================

2)

object network ftp_10.20.30.40
host 10.20.30.40
nat (dmz,outside) static x.x.x.x(PublicIP) service tcp ftp ftp

^^^ Works.

What is wrong with 1? I am clueless. I have the exact same NAT statement for another server (option 3), listening on a different port, and it works.

3) nat (dmz,outside) source static 10.20.30.41 y.y.y.y(PublicIP) service 2222 2222


4 Replies

Maykol Rojas (Cisco Employee)

Hello,

It is probably due to the type of service object you are using to identify the port. When you define the service object for port 21, is it using source or destination?

Mike

Thank you.

I was using destination ports, but shouldn't it be destination port 21 and not source? How does this work?

Hello,

It can be confusing because your clients are actually using port 21 as the destination, but if you look closely, the server will always be using port 21 as the source for its replies.

From a client initiating the connection (initiating SYN):
Client--RandomSourcePort--Firewall--Server---Port 21.

When the server replies, it looks like this (reply SYN-ACK):
Port21--Server---Firewall---RandomSourcePort--Client.

For the firewall logic, it statically maps whatever comes sourced on port 21 to the NAT address. That allows anyone to send packets to that global IP, and the firewall knows that if the source port is 21 (which it always will be when the server replies) it will NAT it.

Hope it helps.
Mike
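The answer above explains why a destination-port service object never matches a "source static" twice-NAT rule. The following ASA configuration is an added illustration, not part of the original thread, and was not posted by either participant. It puts the failing form (service object defined with a destination port) next to the corrected form (service object defined with a source port), shows the equivalent object NAT form the question's option 2 used, and adds the inbound ACL and two verification commands. The object names, the public address 203.0.113.10 (RFC 5737 documentation space), the client address 198.51.100.7, and the ACL name "outside_in" are all assumptions made for the example; the real address 10.20.30.40 is the one from the question.

```cisco
! Added example (not from the original post). Assumed values: public IP
! 203.0.113.10 held in object "ftp_public", test client 198.51.100.7,
! inbound ACL named "outside_in". Replace them with your own.

! Real (DMZ) and mapped (public) addresses as network objects. Twice NAT
! wants the mapped address as an object, not a bare IP literal.
object network ftp_10.20.30.40
 host 10.20.30.40
object network ftp_public
 host 203.0.113.10

! --- What the question's option 1 most likely had (does NOT work) ---
! With "source static", the service object is matched against the REAL
! (source) host, i.e. the server's side of the flow. A destination-port
! object never matches that side, so the rule is silently skipped.
object service FTP_21_DST
 service tcp destination eq 21
nat (dmz,outside) source static ftp_10.20.30.40 ftp_public service FTP_21_DST FTP_21_DST

! --- Corrected twice-NAT form: the port is the server's SOURCE port ---
no nat (dmz,outside) source static ftp_10.20.30.40 ftp_public service FTP_21_DST FTP_21_DST
object service FTP_21_SRC
 service tcp source eq 21
nat (dmz,outside) source static ftp_10.20.30.40 ftp_public service FTP_21_SRC FTP_21_SRC

! --- Equivalent object (auto) NAT form, which is what option 2 used ---
! Here "service tcp <real_port> <mapped_port>" is already relative to the
! object, so no source/destination choice has to be made. Left commented
! out so it does not overlap the twice-NAT rule above.
! object network ftp_10.20.30.40
!  nat (dmz,outside) static ftp_public service tcp ftp ftp

! NAT alone does not admit the traffic. On ASA 8.3+ the inbound ACL is
! written against the REAL address and port; only port 21 is opened.
access-list outside_in extended permit tcp any object ftp_10.20.30.40 eq ftp
access-group outside_in in interface outside

! Checks: confirm the rule is installed (and its hit counters move), then
! simulate a client SYN from the internet to the public IP on port 21.
! The trace should show a NAT phase translating to 10.20.30.40 and end
! with "Action: allow".
show nat detail
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 21
```

Two caveats that go beyond the thread but matter in practice: FTP needs the data channel as well as port 21, so keep `inspect ftp` in the global service policy (it is there by default) so the firewall opens the active/passive data connections dynamically; and FTP carries credentials and data in cleartext, so an internet-facing FTP server on port 21 should be a conscious choice, with SFTP or FTPS preferred where the clients allow it.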

Thank you for the explanation :)
