06-23-2015 08:01 PM - edited 03-11-2019 11:10 PM
Hi all,
First a little background on what I'm trying to do. I have a webserver in my DMZ running two FTP sites, one on port 21 and one on port 24. The ftp server running on port 21 is working fine, however I am having issues configuring my ASA5505 for PAT on port 24. Basically I want end users to access both sites on port 21, and the firewall to translate based on the incoming IP address.
I have multiple public IP addresses on my external interface, and I have configured my web server to have multiple IP addresses as well.
Static NAT rules are below:
static (dmz,Internet) tcp interface ftp 172.16.1.6 ftp netmask 255.255.255.255
static (dmz,Internet) tcp TPG_IP_4 24 172.16.1.7 ftp netmask 255.255.255.255
However when I attempt to access the ftp server running on port 24 it doesn't connect, with the following error logged (masked IP address with x):
4 | Jun 24 2015 | 12:45:02 | 124.168.x.x | 51903 | TPG_IP_4 | 21 | Duplicate TCP SYN from Internet:124.168.x.x/51903 to Internet:TPG_IP_4/21 with different initial sequence number |
Can anyone tell me what I'm missing? Or is this configuration not possible? I have many other NAT translations working with different public IP addresses on the external interface, however this is the first one I have tried to configure PAT for. This is my first post so please let me know if I need to provide more information.
Thanks.
06-24-2015 12:22 AM
Hi,
>> create a service object for ftp on port 24 (eg service name: ftp-24)
>> edit nat to map real service on port 24 to mapped port 21.
static (dmz,Internet) tcp TPG_IP_4 24 ftp-24 172.16.1.7 ftp netmask 255.255.255.255
>> As ftp is working on a different port, we need to make the ASA perform ftp inspection for traffic on port 24 as well.
++ create a class map to match traffic on port 24.
ciscoasa(config)# class-map ftp-24-class
ciscoasa(config-cmap)# match port tcp eq 24
++ Use this new class map in the policy map and apply inspection for ftp.
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class ftp-24-class
ciscoasa(config-pmap-c)# inspect ftp
Hope it helps!!!
06-24-2015 04:01 AM
Thanks for the quick reply. I'm running ASA 8.2 which doesn't seem to have the option to add a service object, only a service object group which I then can't add to my NAT rule. Is there another way to do this?
I've set up the ftp inspection as described but am still experiencing the same issue.
06-24-2015 11:56 AM
Try it without the service object. I think it is just the missing inspection which is breaking FTP access.
-------------------------------------------------------------------------------------------------------------------
static (dmz,Internet) tcp TPG_IP_4 24 172.16.1.7 ftp netmask 255.255.255.255
>> As ftp is working on a different port, we need to make the ASA perform ftp inspection for traffic on port 24 as well.
++ create a class map to match traffic on port 24.
ciscoasa(config)# class-map ftp-24-class
ciscoasa(config-cmap)# match port tcp eq 24
++ Use this new class map in the policy map and apply inspection for ftp.
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class ftp-24-class
ciscoasa(config-pmap-c)# inspect ftp
Thanks,
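When reading the static lines in this thread, keep in mind that the ASA 8.2 port-static form is positional: mapped_ip mapped_port real_ip real_port, so the order of the two port tokens decides which inbound destination port a rule matches and which real port it forwards to. The Python below is an added example, not code from the thread or from Cisco; it parses that syntax and resolves where an inbound SYN lands, using the rules posted above and the destination from the logged message as constructed sample input (TPG_IP_4 is kept as the placeholder the original poster used).

```python
import re
from dataclasses import dataclass

# ASA 8.2 (pre-8.3 NAT) port static, positional tokens:
#   static (real_ifc,mapped_ifc) tcp|udp mapped_ip mapped_port real_ip real_port [netmask m]
# "interface" may stand in for mapped_ip; well-known names may stand in for port numbers.
PORT_NAMES = {"ftp": 21, "ftp-data": 20, "ssh": 22, "http": 80, "https": 443}
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
    r"(?: netmask \S+)?$")

@dataclass(frozen=True)
class PortStatic:
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int

def port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def parse_static(line: str) -> PortStatic:
    """Parse one 8.2 port-static line; extra tokens (e.g. an object name) are rejected."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ASA 8.2 port static: {line!r}")
    return PortStatic(m["real_ifc"], m["mapped_ifc"], m["proto"], m["mapped_ip"],
                      port_number(m["mapped_port"]), m["real_ip"], port_number(m["real_port"]))

def translate_inbound(rules, ifc, proto, dst_ip, dst_port):
    """Real (ip, port) for a packet arriving on the mapped interface, or None if nothing matches."""
    for r in rules:
        if (r.mapped_ifc, r.proto, r.mapped_ip, r.mapped_port) == (ifc, proto, dst_ip, dst_port):
            return (r.real_ip, r.real_port)
    return None

# Constructed sample: the port-24 rule as posted, and the same rule with the port tokens swapped.
AS_POSTED = parse_static("static (dmz,Internet) tcp TPG_IP_4 24 172.16.1.7 ftp netmask 255.255.255.255")
SWAPPED = parse_static("static (dmz,Internet) tcp TPG_IP_4 ftp 172.16.1.7 24 netmask 255.255.255.255")

def where_does_the_logged_syn_go(rules):
    # Destination taken from the logged message: Internet:TPG_IP_4/21
    return translate_inbound(rules, "Internet", "tcp", "TPG_IP_4", 21)

print("as posted:", where_does_the_logged_syn_go([AS_POSTED]))  # None
print("swapped:  ", where_does_the_logged_syn_go([SWAPPED]))    # ('172.16.1.7', 24)
```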