11-24-2015 09:59 AM - edited 03-11-2019 11:56 PM
Hi Guys,
I'm trying to allow FTP traffic into my Synology FTP server from the WAN into the LAN. When I simulate this in packet-tracer it says the traffic is allowed, but this is not true when I test it. I have IOS 9.1(5). When I have a look at syslog I cannot see any FTP traffic coming through my firewall, and I cannot see FTP traffic when I do a capture either. The IOS says FTP traffic is allowed, but I cannot see any traces of it touching the firewall. This is driving me mad.
[Image: packet-tracer output]
11-25-2015 08:14 AM
Hi,
You can try following manual NAT rule:
object service ftp
service tcp source eq ftp
object network Synology
host 192.168.10.9
nat (VoipIt_Production,VodafoneTrunk) 1 source static Synology interface service ftp ftp
Hope it helps!!!
Thanks,
RS
11-25-2015 10:06 AM
Yes you can do it, try following:
object service ftp
service tcp source eq ftp
object service ftp-5555
service tcp source eq 5555
object network Synology
host 192.168.10.9
nat (VoipIt_Production,VodafoneTrunk) 1 source static Synology interface service ftp ftp-5555
Hope it helps!!!
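Putting the accepted answer (static PAT on tcp/21) and the tcp/5555 variant above together, here is a complete set of ASA commands for this scenario, including the ACL, FTP inspection and the verification commands. This is an added example, not configuration from the thread or from Cisco. It assumes the interface names VoipIt_Production (inside) and VodafoneTrunk (outside) used in the thread, the server at 192.168.10.9, and 1.1.1.1 as the stand-in for the outside interface address that the original poster used; the object and ACL names ftp-server, ftp-5555 and outside_in are invented here.

```cisco
! Service object: in a twice-NAT "source static" rule the port is written as the
! SOURCE port, because it is the real server's port as seen from the inside.
object service ftp-server
 service tcp source eq ftp
!
object network Synology
 host 192.168.10.9
!
! Static PAT on the outside interface address: tcp/21 on VodafoneTrunk -> 192.168.10.9:21.
! Position 1 so that no earlier manual NAT rule (for example a broad
! "source dynamic any interface" rule) can shadow it.
nat (VoipIt_Production,VodafoneTrunk) 1 source static Synology interface service ftp-server ftp-server
!
! Optional variant from the second answer: expose the server on tcp/5555 instead.
! Use the service pair "ftp-server ftp-5555" in place of "ftp-server ftp-server".
! object service ftp-5555
!  service tcp source eq 5555
! nat (VoipIt_Production,VodafoneTrunk) 1 source static Synology interface service ftp-server ftp-5555
!
! Since ASA 8.3 the interface ACL is written against the REAL (untranslated)
! address, so the destination is the object, not the outside interface IP.
access-list outside_in extended permit tcp any object Synology eq ftp
access-group outside_in in interface VodafoneTrunk
!
! FTP inspection in the default global policy, so the PORT/PASV payload is
! rewritten and the data connections are pinholed through NAT.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! Verification. Simulate and capture against the MAPPED (outside interface)
! address: a packet-tracer or capture keyed to 192.168.10.9 on VodafoneTrunk
! sees nothing, because packets arrive there with the public destination IP.
! packet-tracer input VodafoneTrunk tcp 8.8.8.8 12345 1.1.1.1 21
! capture ftp_in interface VodafoneTrunk match tcp any host 1.1.1.1 eq 21
! show nat detail
! show capture ftp_in
```

If the public address is a spare IP rather than the outside interface address, replace the `interface` keyword with a network object holding that address. The `any` source in the ACL and NAT rule is the widest setting; where the set of FTP clients is known, the second form in the thread (`source static ... destination static <client-object> <client-object>`) limits the translation to those clients, and the ACL source can be narrowed in the same way.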
11-24-2015 10:21 AM
Hi Hugo,
I would suggest you check whether FTP inspection is enabled or not. If you are using passive FTP to connect to the server behind the ASA and you are using NAT, then enable FTP inspection.
You have also mentioned that you are not receiving any traffic. So do you mean that you do not even see the SYN packet in captures? If this is the case, then check the upstream devices and configure proper routing to route the traffic to the ASA.
Thanks
Rishabh Seth
PS: Rate if it helps
11-24-2015 10:27 AM
HI Rishabh,
Thanks for your answer. I have tried both ways, with FTP inspection and without FTP being inspected. Regarding the SYN packets, I cannot see any of them when I build a filter for port 21.
The firewall is facing the Internet directly and it has a trunk between an ONT (fibre) and one of the firewall ports. Could that have any influence on the way traffic comes in?
Outbound connections work fine.
11-24-2015 10:46 AM
If it comes from the WAN, I assume that it comes from the internet, is this correct?
Now if this is true, the 192.168.10.9 should be translated to something public. That being said, the IP address on the packet tracer is wrong. It should be the public IP address of 192.168.10.9.
Do the packet-tracer again using the public IP. If you were running the sniffers (captures) against the same IP 192.168.10.9, that would be the reason why you were not seeing any traffic.
Anything that hits the public interface will contain a public IP. Even though we changed to this new method (post-NAT ACL), the packets will still arrive with a public destination IP.
Let me know how it goes.
Mike.
11-24-2015 10:53 AM
Hi Maykol,
Thanks for your response.
What I am trying to emulate is traffic coming from the outside interface (VodafoneTrunk) from a public IP address (8.8.8.8) to the VLAN configured on my LAN (192.168.10.9), on port 21 on both ends. When traffic hits the firewall the public IP gets translated to an internal IP, as you can see from the show run.
Please let me know what I can try and I will put it in place.
Regards
H
11-24-2015 11:13 AM
On that packet tracer I can see a NAT phase.
In order to even simulate the traffic coming from 8.8.8.8, you should translate that host 192.168.10.9 to a public IP to be accessible, or redirect the ports when it hits a public IP on the Vodafone interface.
Mike.
11-24-2015 02:23 PM
HI Maykol,
Thank you for your response
I think that is what I am doing at the moment with the following commands:
object network Incoming_traffic
host 192.168.10.8
nat (VodafoneTrunk,VoipIt_Production) source dynamic any Incoming_traffic destination static Synology Synology service FTP FTP
When it hits the vodafone trunk interface it translates it to an internal ip
Regards
11-24-2015 09:00 PM
Hi Hugo,
If your server is listening on port 21 behind the VodafoneTrunk interface, traffic will be hitting VoipIt_Production, and you want to translate traffic from any host on the public IP to the private IP, then you can create the following NAT:
object network Incoming_traffic
host 192.168.10.8
nat (VodafoneTrunk,VoipIt_Production) static <public IP> service tcp 21 21
If you are creating NAT for specific users who will be accessing the FTP server, then you can write a manual NAT:
nat (vodavoip) source static <real-ip-of-ftp-server> <mapped-ip-of-ftp-server> service ftp ftp destination static <object-for-specific-user> <object-for-specific-user>
Hope it helps.
Thanks,
RS
11-25-2015 02:48 AM
Hi Rishabh,
Once again thanks for your response.
I applied the commands recommended. I left the ACLs in place; the ACLs say that any traffic hitting the VodafoneTrunk interface on port 21 will be forwarded to the FTP server (192.168.10.9).
The commands did not work, unfortunately:
object network Incoming_traffic
host 192.168.10.9 - FTP server
nat (VodafoneTrunk,VoipIt_Production) static <public IP> service tcp 21 21
Do I need an ACL at the end of this statement?
Regards
11-25-2015 03:09 AM
Hi Hugo,
Did you replace <publicIp> with actual public IP of the FTP server?
If you did replace it, then what do you see in the packet-tracer?
object network Incoming_traffic
host 192.168.10.9 - FTP server
nat (VodafoneTrunk,VoipIt_Production) static <public IP> service tcp ftp ftp   << replace <public IP> with the public IP of the server
Thanks,
Rishabh Seth
11-25-2015 03:20 AM
Hi Rishabh,
Thanks for your response.
Let's say my current public IP is 1.1.1.1 and my FTP server is 192.168.10.9:
object network Incoming_traffic
host 192.168.10.9
nat (VodafoneTrunk,VoipIt_Production) static 1.1.1.1 service tcp 21 21
With these commands I cannot access my FTP server from outside.
These are the command I used on the firewall, will I need to apply any ACL's into it?
Regards
11-25-2015 03:54 AM
Hi Hugo,
You will require ACL to permit traffic for 192.168.10.9 on port 21 from outside interface.
Also check the packet-tracer output and see if this NAT rule getting evaluated or not. Check if you have any manual nat rule that might shadow this rule.
Thanks,
Rishabh Seth
11-25-2015 04:59 AM
Hi Rishabh,
Thanks for your response. These are the commands I have applied on the ASA:
1.1.1.1 = My external IP
object network Synology
host 192.168.10.9
nat (VodafoneTrunk,VoipIt_Production) static 1.1.1.1 service tcp 21 21
access-list 100 extended permit tcp any host 192.168.10.9 eq ftp
access-group 100 in interface vodafonetrunk
This is not doing the job. Also, shouldn't the NAT rule be the other way around, like:
nat (VoipIt_Production,VodafoneTrunk) static 1.1.1.1 service tcp 21 21
I am on IOS 9.1(5)
Regards
11-25-2015 04:59 AM
Is the Vodafone Trunk interface public facing? If yes then NAT should look like:
nat (VoipIt_Production,VodafoneTrunk) static 93.38.108.10 service tcp 21 21
I assumed that VodafoneTrunk is internal interface. Correct me if my understanding is wrong.
Thanks,
RS.
11-25-2015 06:08 AM
Hi Rishabh,
By putting that command I am saying that only the external IP 93.38.108.10 can FTP in. Should I not put:
nat (VoipIt_Production,VodafoneTrunk) static 93.38.108.10 service tcp 21 21
And also, when I do the packet-tracer this is the output:
This is driving me mad now :(