Solved: Yes you can do it, try - Page 2

Hugo Rosado · ‎11-24-2015

Hi Guys,

Im trying to allow FTP traffic into my Synology FTP server from the WAN into the LAN, when I simulate this on Packet tracer it says traffic is allowed but this is not true when I test it, I have ios 9.1(5), when I have a look at Syslog I cannot see any FTP traffic coming trough my firewall, neither can see FTP traffic when I do a capture,the ISO says FTP traffic is allowed but I canno see any traces of it touching the firewall, this is driving me mad

[[{"type":"media","fid":"1221681","view_mode":"default","link_text":null,"attributes":{"alt":"Packet tracer","title":"Packet tracer","height":"656","width":"1065","class":"image-style-none media-element file-default"}}]]

Rishabh Seth · ‎11-25-2015

Hi Hugo,

I know this is a small config and there have been many comments on this discussion, just to ensure we are on same page please provide following details:

>> Name of the interface behind which your FTP server is placed.

>> Name of the interface from where traffic will enter firewall.

>> Is the Public IP of FTP server is same as Public IP configured on ASA interface?

>> What is the IP address of the internal host?

>> Do you want to permit access to this FTP server to specific hosts or any hosts?

If you want to test packet tracer for source IP as 8.8.8.8 and destination IP as FTP server's Public IP then use:

Source IP as <IP of source> destination IP as <Public IP of FTP server.>

Thanks,

RS

Hugo Rosado · ‎11-25-2015

Hi Rishabh,

Thanks for all your helpfull answers:

>> Name of the interface behind which your FTP server is placed - VoipIt_Production, network 192.168.10.0 range

>> Name of the interface from where traffic will enter firewall - VodafoneTrunk

>> Is the Public IP of FTP server is same as Public IP configured on ASA interface? According to the nat rules yes

>> What is the IP address of the internal host? - 192.168.10.9

>> Do you want to permit access to this FTP server to specific hosts or any hosts? Any hosts

Regards

Rishabh Seth · ‎11-25-2015

Hi,

You can try following manual NAT rule:

object service ftp
service tcp source eq ftp

object network Synology
host 192.168.10.9

nat (VoipIt_Production,VodafoneTrunk) 1 source static Synology interface service ftp ftp

Hope it helps!!!

Thanks,

RS

Hugo Rosado · ‎11-25-2015

Rishabh you are the man, many thanks this worked perfectly.

Hugo Rosado · ‎11-25-2015

Hi,

Many thanks for all your help, can I just ask one last question?

I would like the ftp traffic to come in on port 5555 and to be translated to port 21 and to be sent to the FTP server, is this possible?

Once again many thanks for all your assistance!

Regards

Rishabh Seth · ‎11-25-2015

Yes you can do it, try following:

object service ftp
service tcp source eq ftp

object service ftp-5555
service tcp source eq 5555

object network Synology
host 192.168.10.9

nat (VoipIt_Production,VodafoneTrunk) 1 source static Synology interface service ftp ftp-5555

Hope it helps!!!

Hugo Rosado · ‎11-25-2015

VoipIt# packet-tracer input vodafoneTrunk tcp 8.8.8.8 21 192.168.10.9 21

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.10.0 255.255.255.0 VoipIt_Production

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 VodafoneTrunk

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group 100 in interface VodafoneTrunk

access-list 100 extended permit tcp any host 192.168.10.9 eq ftp

Additional Information:

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (VoipIt_Production,VodafoneTrunk) source dynamic any interface

Additional Information:

Result:

input-interface: VodafoneTrunk

input-status: up

input-line-status: up

output-interface: VoipIt_Production

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

FTP ALLOWED