Thanks.. for helping me out on this.

Hello,

Also the NAT you are doing is call Policy-Based NAT which is used for connections in this case from DMZ to outside not from Outside to DMZ.

You have to use a Static NAT rule for this.

If you only have one IP address then your option is:

Nat one of the internal servers port 21 to the public IP address of the firewall on port 21

The other server port 21 nat it to the same public IP address port 2121 for example AND enable FTP inspection over that non-standar port (2121). Then you could innitiate a FTP connection to 2121 and it will work as well with just 21.

Traffic will reach both servers.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Hi Julio..

Could you share config example for which you stated above.I will look for this.

Actually this ftp server will be access by our clients and they will access over internet. Problem is that we can not ask them to connect on port 2121(or any other port except 21), so is there any other way  we could find solution of this situation. 

If you can not connect to a different port externally then you must use a second public IP to connect to the second FTP server.  You have no other choice in this case.

The following configuration is what you would need.  The first line will use the outside interface IP and the second will use a different public IP.

static (inside,outside) tcp interface 21 10.120.11.10 21 netmask 255.255.255.255

static (inside,outside) tcp 173.17.3.20 21 10.120.11.11 21 netmask 255.255.255.255

--
Please remember to rate and select a correct answer

Hello Anukalp,

If there is no way for them to connect to other port the answer is no.

Another IP will be needed

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

HI Julio..

Still i will try to ask clients to make connections on other port since we dont have another ip but before this i need to have this config setup to work properly. So could you pls help in sharing config example. 

I have already provided the configurations you need in my previous post with regards to NAT.

You also need to configure an ACL rule that permits the traffic

access-list out-to-in extended permit tcp any eq 21

access-list out-to-in extended permit tcp any eq 21

access-group out-to-in in interface outside

--
Please remember to rate and select a correct answer

Hi Marius..

In you config example, you are using two public ip(interface IP & a another ip) but i need config example of natting two servers with single public ip but on different port as Julio mentioned above.

Yes I used two seperate IPs because you said it was not an option to connect to a different port externally.  If you are not able to use an external port other than 21 when connecting to the second FTP server then you MUST have a second IP. 

--
Please remember to rate and select a correct answer

Hello Marius,Aanukalp

The configuration required when running 8.2 or lower would be

static (inside,outside) tcp outside_ip 2121 private_ip 21

access-list outside_inside permit tcp any host outside_interface_ip eq 2121

access-list MPF_FTP permit tcp any host outside_interface_ip eq 2121

class-map FTP

match access-list MPF_FTP

policy-map global_policy

class FTP

inspect FTP

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Hi Julio, he mentioned that connecting to a port other than 21 is not an option.  Or did I missunderstand?

--
Please remember to rate and select a correct answer

Thanks Julio..for sharing config.