269 Views | 0 Helpful | 3 Replies

PAT configuration issue

emmaknight (Level 1)

Hi all,

First a little background on what I'm trying to do. I have a webserver in my DMZ running two FTP sites, one on port 21 and one on port 24. The ftp server running on port 21 is working fine, however I am having issues configuring my ASA5505 for PAT on port 24. Basically I want end users to access both sites on port 21, and the firewall to translate based on the incoming IP address.

I have multiple public IP addresses on my external interface, and I have configured my web server to have multiple IP addresses as well.

Static NAT rules are below:

static (dmz,Internet) tcp interface ftp 172.16.1.6 ftp netmask 255.255.255.255
static (dmz,Internet) tcp TPG_IP_4 24 172.16.1.7 ftp netmask 255.255.255.255

However when I attempt to access the ftp server running on port 24 it doesn't connect, with the following error logged (masked IP address with x):

Severity 4 | Jun 24 2015 12:45:02 | src 124.168.x.x:51903 | dst TPG_IP_4:21 | Duplicate TCP SYN from Internet:124.168.x.x/51903 to Internet:TPG_IP_4/21 with different initial sequence number

Can anyone tell me what I'm missing? Or is this configuration not possible? I have many other NAT translations working with different public IP addresses on the external interface, however this is the first one I have tried to configure PAT for. This is my first post so please let me know if I need to provide more information.

Thanks.

3 Replies

Rishabh Seth (Level 7)

Hi,

>> create a service object for ftp on port 24 (eg service name: ftp-24)

>> edit nat to map real service on port 24 to mapped port 21.

     static (dmz,Internet) tcp TPG_IP_4 24 ftp-24  172.16.1.7 ftp netmask 255.255.255.255

>> As ftp is working on a different port, we need to make the ASA perform ftp inspection for traffic on port 24 as well.

     ++ create a class map to match traffic on port 24.

         ciscoasa(config)# class-map ftp-24-class

         ciscoasa(config-cmap)#  match port tcp eq  24


    ++ Use this new class map in the policy map and apply inspection for ftp.

          ciscoasa(config)#  policy-map global_policy
          ciscoasa(config-pmap)#  class ftp-24-class
          ciscoasa(config-pmap-c)#  inspect ftp


 Hope it helps!!!

Thanks for the quick reply. I'm running ASA 8.2 which doesn't seem to have the option to add a service object, only a service object group which I then can't add to my NAT rule. Is there another way to do this?

I've setup the ftp inspection as described but still experiencing the same issue.

Try it without the service object. I think it is just the missing inspection which is breaking FTP access.

-------------------------------------------------------------------------------------------------------------------

static (dmz,Internet) tcp TPG_IP_4 24 172.16.1.7 ftp netmask 255.255.255.255

>> As ftp is working on a different port, we need to make the ASA perform ftp inspection for traffic on port 24 as well.

     ++ create a class map to match traffic on port 24.

         ciscoasa(config)# class-map ftp-24-class

         ciscoasa(config-cmap)#  match port tcp eq  24


    ++ Use this new class map in the policy map and apply inspection for ftp.

          ciscoasa(config)#  policy-map global_policy
          ciscoasa(config-pmap)#  class ftp-24-class
          ciscoasa(config-pmap-c)#  inspect ftp

Thanks,
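
Added example, not part of the thread and not the replier's configuration: an ASA 8.2 static PAT configuration for the scenario in the question, showing the mapping from the thread's reply beside the one that matches the original poster's stated goal (clients connect to TPG_IP_4 on port 21, the ASA translates to the server's port 24). TPG_IP_4, 172.16.1.7, the dmz/Internet interface names and the ftp-24-class name come from the thread; the ACL name Internet_access_in and the verification commands are assumptions about this particular box.

```cisco
! Added example for ASA 8.2 (pre-8.3 NAT syntax), not code from the thread.
! 8.2 static PAT syntax:
!   static (real_ifc,mapped_ifc) tcp <mapped_ip> <mapped_port> <real_ip> <real_port> netmask <mask>
! The mapped (public) side comes first, the real (DMZ) side second.

! Mapping as posted in the thread: PUBLIC port 24 -> server port 21.
! A client must then connect to TPG_IP_4:24. The log line in the question shows
! the client connecting to TPG_IP_4/21, which this line does not translate.
static (dmz,Internet) tcp TPG_IP_4 24 172.16.1.7 ftp netmask 255.255.255.255

! Mapping that matches the stated goal: PUBLIC port 21 -> server port 24.
! Use one of the two lines, not both, so it is clear which port clients use.
static (dmz,Internet) tcp TPG_IP_4 ftp 172.16.1.7 24 netmask 255.255.255.255

! In 8.2 the inbound ACL on the outside interface matches the MAPPED (public)
! address and port, not the real DMZ address. Add this to the ACL that is
! already applied to the Internet interface (name assumed here).
access-list Internet_access_in extended permit tcp any host TPG_IP_4 eq ftp
access-group Internet_access_in in interface Internet

! FTP inspection for the non-standard port, as in the thread's reply. Without
! it the ASA does not open the pinholes for the FTP data connection, so the
! control channel may connect but directory listings and transfers hang.
class-map ftp-24-class
 match port tcp eq 24
policy-map global_policy
 class ftp-24-class
  inspect ftp

! Verification (assumed commands for checking the result):
!   show xlate                        installed static translation for 172.16.1.7
!   show service-policy inspect ftp   packet counters for ftp-24-class should increase
!                                     during a test login; if they stay at zero, try
!                                     matching the other port of the translation
!   show logging | include 419002     the "Duplicate TCP SYN" messages should stop
```

The "Duplicate TCP SYN ... with different initial sequence number" message (%ASA-4-419002) is the client retransmitting a SYN that never got a reply; once a static line exists for the port the client is actually using and the ACL permits it, the retransmissions stop on their own.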
