HI Rishabh,

Thanks for your answer, I have tried both ways, FTP inspection and without FTP being inspected, regarding the SYN packets I cannot see any of them when I build a filter for port 21.

The firewall is facing the Internet directly and is has a trunk beteween an ONT (fibre) and one of the firewall ports, could that have any influence on the way traffic comes in?

Outbound connections work fine.

If it comes from the WAN, I assume that it comes from the internet, is this correct? 

Now if this is true, the 192.168.10.9 should be translated to something public. That being said, the IP address on the packet tracer is wrong. It should be the public IP address of 192.168.10.9. 

Do the packet tracer again using the public. If you were using the sniffers (captures) using the same IP 192.168.10.9, that would be the reason why you were not seeing any traffic. 

Anything that hits the public interface, will contain a public IP no matter if we changed to this new method (post NAT acl) the packets will still arrive with a public destination IP. 

Let me know how it goes. 

Mike. 

Hi Maykol,

Thanks for your response.

What I am trying to emulate is traffic coming from the outside interface (Vodafonetrunk) from a public Ip address (8.8.8.8) to the Vlan configured on my Lan (192.168.10.9) on port 21 on both ends, when traffic hits the firewall the public IP gets translated to an internal IP, as you can see from the show run.

Please let me knwo what can I try and I will put it in place.

Regards

H 

On that packet tracer I can see a NAT phase. 

In order to even simulate the traffic coming from 8.8.8.8, you should translate that host 192.168.10.9 to a public IP to be accesible or redirect the ports when it hits a public IP on the Vodafone interface. 

Mike. 

HI Maykol,

Thank you for your response

I think that is what I am doing at the moment with the following commands:

object network Incoming_traffic
host 192.168.10.8

nat (VodafoneTrunk,VoipIt_Production) source dynamic any Incoming_traffic destination static Synology Synology service FTP FTP

When it hits the vodafone trunk interface it translates it to an internal ip

Regards

Hi Hugo,

If your server is listening on port 21 behind Vodafone trunk interface and traffic will be hitting Voiplt_Production and you want to translate traffic on public IP to private generated by any host then you can create following NAT:

object network Incoming_traffic
host 192.168.10.8

nat (VodafoneTrunk,VoipIt_Production) static <public IP> service TCP 21 21

If you are creating NAT for specific users who will be accessing ftp server then you can write a manual NAT.

NAT (vodavoip)  source static <real-ip-of-ftp-server> <mapped -ip-of-ftp-server> service ftp ftp destination static <object-forspecific-user> <object-forspecific-user>

Hope it helps.

Thanks,

RS

Hi Rishabh,

Once again thanks for your response.

I applied the commands recommended,I left the ACL's in place, the ACL's say that any traffic hiting the VodafoneTrunk interface on port 21 will be forward to the FTP server (192.168.10.9).

The commands did not work unfortunatelly:

object network Incoming_traffic
host 192.168.10.9 - FTP server

nat (VodafoneTrunk,VoipIt_Production) static <public IP> service TCP 21 21

Do I need an ACL at the end of this statement?

Regards

Hi Hugo,

Did you replace <publicIp> with actual public IP of the FTP server?

If you did replace it, then what do you see in the packet-tracer?

object network Incoming_traffic
host 192.168.10.9 - FTP server

nat (VodafoneTrunk,VoipIt_Production) static <public IP> service TCP FTP FTP << replace <pulic IP> with public IP of the server,

Thanks,

Rishabh Seth

Hi Rishabh,

Thanks for your response.

Let's say my current public IP is 1.1.1.1 and my FTP server is 192.168.10.9:

object network Incoming_traffic
host 192.168.10.9

nat (VodafoneTrunk,VoipIt_Production) static 1.1.1.1 service TCP 21 21

With these commands I cannot access my FTP server from outside.

These are the command I used on the firewall, will I need to apply any ACL's into it?

Regards

Hi Hugo,

You will require ACL to permit traffic for 192.168.10.9 on port 21 from outside interface.

Also check the packet-tracer output and see if this NAT rule getting evaluated or not. Check if you have any manual nat rule that might shadow this rule.

Thanks,

Rishabh Seth

Hi Rishabh,

Thanks for your response, this is the commands I have applied o the asa:

1.1.1.1 = My external IP 

object network Synology
host 192.168.10.9

nat (VodafoneTrunk,VoipIt_Production) static 1.1.1.1 service TCP 21 21

access-list 100 extended permit tcp any host 192.168.10.9 eq ftp

access-group 100 in interface vodafonetrunk

This is not doing the job, also shouldn't the NAT rule be the other way arround like:

nat (VoipIt_Production,VodafoneTrunk) static 1.1.1.1 service TCP 21 21

I am on IOS 9.1(5)

Regards

Is the Vodafone Trunk interface public facing? If yes then NAT should look like:

nat (VoipIt_Production,VodafoneTrunk) static 93.38.108.10 service TCP 21 21

I assumed that VodafoneTrunk is internal interface. Correct me if my understanding is wrong.

Thanks,

RS.

Hi Rishabh,

By putting that command I am sayng that only the external IP 93.38.108.10 can FTP in, should I not put:

nat (VoipIt_Production,VodafoneTrunk) static 93.38.108.10 service TCP 21 21, and also when I do the packet tracer this is the output:

This is drivng me mad now :(