Beginner

Confusing NAT statements

I have a DMZ server listening on port 21, and I want this server to be accessible from the internet.

Here are my options:

1)

nat (dmz,outside) source static ftp_10.20.30.40 x.x.x.x(publicIP) service FTP_21 FTP_21

^^ Does NOT work.

=============================================================

2)

object network ftp_10.20.30.40
 host 10.20.30.40
 nat (dmz,outside) static x.x.x.x(PublicIP) service tcp ftp ftp

^^^ Works.

What is wrong with 1??? I am clueless. I have the exact same NAT statement for another server (option 3) listening on a different port, and it works.

3) nat (dmz,outside) source static 10.20.30.41 y.y.y.y(PublicIP) service 2222 2222

4 Replies

Cisco Employee

Re: Confusing NAT statements

Hello,

It would probably be due to the type of service you are using to identify the port object. When you define the service object for port 21, is that using source or destination?

Mike

Beginner

Re: Confusing NAT statements

Thank you.

I was using destination ports, but should it not be destination port 21 and not source? How does this work?

Cisco Employee

Re: Confusing NAT statements

Hello,

It can be confusing because your clients are actually using port 21 as the destination, but if you look at it closely, the server will always be using port 21 as the source for its replies.

From a client initiating the connection (initial SYN):
Client--RandomSourcePort--Firewall--Server--Port 21

When the server replies, it looks like this (reply SYN-ACK):
Port 21--Server--Firewall--RandomSourcePort--Client

For the firewall logic, it statically maps whatever comes sourced from port 21 to the NAT address. That allows anyone to send packets to that global IP, and the firewall knows that if the source port is 21 (it always will be when the server replies) it will NAT it.

Hope it helps.
Mike

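As an added illustration of the point made in the reply above (this is not configuration from the original thread), here are the two ways the FTP_21 service object could have been defined, with the twice NAT rule from option 1 and the commands to check which one the ASA actually applies. The object name ftp_public and the client address 198.51.100.5 are assumptions; x.x.x.x stands in for the public IP exactly as in the post.

```cisco
! --- Broken: port written as a DESTINATION port ---
! In a "nat ... source static ... service" rule the service object is read
! relative to the source object (the real DMZ host). A destination-only port
! never describes the server's own traffic, so the rule does not match
! (the "does NOT work" case from the question).
object service FTP_21
 service tcp destination eq ftp

! --- Working: port written as a SOURCE port ---
! The server answers from port 21, so the port that belongs to the source
! object is its source port. Inbound, the ASA evaluates the reverse of the
! same rule: a packet to x.x.x.x with destination port 21 is untranslated
! to 10.20.30.40 port 21. Configure only one of the two definitions above.
object service FTP_21
 service tcp source eq ftp

! Twice NAT takes object names for both the real and the mapped address.
! ftp_public is an assumed name; x.x.x.x is the placeholder from the post.
object network ftp_10.20.30.40
 host 10.20.30.40
object network ftp_public
 host x.x.x.x

nat (dmz,outside) source static ftp_10.20.30.40 ftp_public service FTP_21 FTP_21

! Verify: the rule's untranslate_hits counter should increase when a client
! connects, and a simulated client SYN from the outside (constructed client
! 198.51.100.5, ephemeral port 40000) should be untranslated to the DMZ host.
show nat detail
packet-tracer input outside tcp 198.51.100.5 40000 x.x.x.x 21
```

If packet-tracer reports the flow as dropped in the NAT phase, or `show nat detail` shows zero untranslate_hits after a client attempt, the service object is the first thing to re-check: with the destination form the rule is present in the configuration but never matches, which is exactly the symptom described in the question.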

Beginner

Re: Confusing NAT statements

Thank you for the explanation :)