01-31-2012 03:55 AM - edited 03-11-2019 03:21 PM
Hi all,
I am using the new ASA IOS (8.4) for the first time and frankly I am in trouble.
I have one PPPoE interface (IP assigned from DHCP). I want to use PAT on that interface and divert FTP traffic to a host inside.
Can anyone please help me in resolving this issue?
I am using the commands below but unfortunately it is not working:
object network ftp_server
nat (inside,outside) static interface service tcp 21 21
access-list FTP_IN extended permit tcp any object ftp_server eq 21
access-group FTP_IN in interface outside
Sh xlate
TCP PAT from inside:172.16.93.12 21-21 to outside:83.x.x.x 21-21
flags sr idle 0:07:14 timeout 0:00:00
Below is the complete config
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.93.0 255.255.255.0 10.175.111.0 255.255.255.0
access-list inside_access_in extended permit ip 172.16.93.0 255.255.255.0 any
access-list DMZ_access_in extended permit ip 10.175.111.0 255.255.255.0 any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any 172.16.93.0 255.255.255.0
access-list DMZ_access_in extended deny ip any any
access-list outside_access_in extended deny ip any any
access-list FTP_IN extended permit tcp any object ftp_server eq ftp
nat (DMZ,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
nat (inside,DMZ) source static any any
!
object network obj_any
nat (inside,outside) dynamic interface
object network ftp_server
nat (inside,outside) static interface service tcp ftp ftp
access-group inside_access_in in interface inside
access-group FTP_IN in interface outside
access-group DMZ_access_in in interface DMZ
Looking for support from the community.
02-02-2012 03:16 PM
Can you try the packet tracer on the CLI so we can see the full output?
The packet is hitting the implicit rule because it's not being NAT'ed.
packet in outside tcp 8.8.8.8 1025 83.x.x.x 21
Also, is the FTP active or passive? Client outside or inside?
Felipe.
02-02-2012 03:29 PM
Not NAT'ed .... Why is my NAT statement wrong?? If wrong, what is the correct one?
I am making the FTP connection from outside, using the FileZilla FTP server and an XP FTP client from outside for the connection.
Below is the CLI packet tracer info:
packet in outside tcp 8.8.8.8 1025 83.x.x.x 21
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 83.x.x.x 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-02-2012 03:56 PM
Why do you have:
nat (inside,outside) source dynamic any interface
If you have:
object network obj_any
nat (any,outside) dynamic interface
Can you remove this NAT and try the packet tracer again?
no nat (inside,outside) source dynamic any interface
packet in outside tcp 8.8.8.8 1025 83.x.x.x 21
When using NAT and FTP there are some things to take into consideration.
FTP uses port 21 to establish the connection but uses a random port for data.
Need to find out if it is passive or active. Also port forwarding for a range of ports might be needed.
A one-to-one NAT is preferred.
Felipe.
02-02-2012 04:09 PM
OK, understood.
If I remove
nat (inside,outside) source dynamic any interface
would it stop all the hosts "inside" from using the internet via PAT (on the outside interface)??
I understand that FTP uses a different port for data, but we cannot have one-to-one NAT due to the non-availability of global IP addresses (only the interface IP address can be used for incoming traffic).
regards
02-02-2012 04:25 PM
OK, I removed that statement; below is the packet tracer output:
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 83.x.x.x 255.255.255.255 identity
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
02-02-2012 04:50 PM
Now that is weird, I tried it and it worked.
Just in case try - clear xlate
And can you share again the output of - show run nat
02-02-2012 05:09 PM
I tried clear xlate
and tried to FTP from outside; still the same error, I can't FTP from outside.
Below is the sh run nat output:
nat (inside,DMZ) source static any any
nat (DMZ,outside) source dynamic any interface
!
object network obj_any
nat (any,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
kindly advise
02-02-2012 05:28 PM
Looks like this line is also conflicting with the FTP NAT.
nat (DMZ,outside) source dynamic any interface
Try replacing it with this:
no nat (DMZ,outside) source dynamic any interface
object network any-dmz
subnet 0 0
nat (DMZ,outside) dynamic interface
Make this change, clear xlates and run the packet trace again.
Felipe.
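To make the ordering problem in this thread concrete, here is an added example (not from the thread or from Cisco) that models the ASA 8.3+ NAT table in a simplified way and resolves the inbound FTP connection against the original and the final configuration. It assumes three things: section 1 (manual NAT) is searched in configured order before section 2 (object NAT), static object rules are evaluated before dynamic ones, and a dynamic PAT that is the first match for an inbound connection yields no translation, which is the behaviour the packet-tracer output above shows.

```python
# Added example, not from the thread: a simplified model of the ASA 8.3+ NAT
# table order, showing why the inbound FTP connection hit the implicit deny.
# Assumed: section 1 (manual NAT) is searched in configured order before
# section 2 (object NAT), where static rules precede dynamic ones; a dynamic
# PAT matched inbound yields no xlate, as the thread's packet tracer shows.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    section: int                        # 1 = manual NAT, 2 = object NAT
    real_ifc: str                       # "any" matches every interface
    mapped_ifc: str
    kind: str                           # "static" or "dynamic"
    real_host: Optional[str] = None     # None means "any" real address
    mapped_port: Optional[int] = None   # port on the mapped address (static service rules)

def build_table(rules: List[Rule]) -> List[Rule]:
    """ASA lookup order: section 1 as configured (stable sort), then section 2 static before dynamic."""
    return sorted(rules, key=lambda r: (r.section, r.section == 2 and r.kind == "dynamic"))

def untranslate_inbound(rules: List[Rule], in_ifc: str, dport: int) -> Optional[str]:
    """Resolve a connection arriving on in_ifc for the interface address.
    Returns the real host, or None when the first rule that matches is a
    dynamic PAT: no inbound xlate exists, so the implicit deny applies."""
    for r in build_table(rules):
        if r.mapped_ifc != in_ifc:
            continue
        if r.kind == "dynamic":
            return None
        if r.mapped_port == dport:
            return r.real_host
    return None

# Original config from the thread: manual dynamic PATs sit in section 1, ahead of the static rule.
ORIGINAL = [
    Rule(1, "DMZ", "outside", "dynamic"),
    Rule(1, "inside", "outside", "dynamic"),
    Rule(1, "inside", "DMZ", "static"),
    Rule(2, "inside", "outside", "dynamic"),
    Rule(2, "inside", "outside", "static", "172.16.93.12", 21),
]
# Final config: every dynamic PAT to outside is object NAT (section 2), so the static FTP rule wins.
FIXED = [
    Rule(1, "inside", "DMZ", "static"),
    Rule(2, "any", "outside", "dynamic"),
    Rule(2, "DMZ", "outside", "dynamic"),
    Rule(2, "inside", "outside", "static", "172.16.93.12", 21),
]
```

With ORIGINAL the lookup stops at the section 1 dynamic PAT and returns no host (the acl-drop seen in the thread); with FIXED it returns 172.16.93.12 for port 21 and still nothing for other ports.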
02-02-2012 05:52 PM
Thanks Felipe
The problem has been resolved and now I can access the FTP site.
8.4 really sucks
Anyway, thanks everyone for helping, especially Felipe.
regards