PAT on PPPOE ( DHCP) interface

imranbhatti151
Level 1

Hi all,

I am using the new ASA IOS (8.4) for the first time and frankly I am in trouble.

I have one PPPoE interface (IP assigned from DHCP). I want to use PAT on that interface and divert FTP traffic to the host inside.

Can anyone please help me in resolving this issue?

I am using the commands below but unfortunately they are not working:

object network ftp_server

nat (inside,outside) static interface service tcp 21 21

access-list FTP_IN extended permit tcp any object ftp_server eq 21

access-group FTP_IN in interface outside

Sh xlate

TCP PAT from inside:172.16.93.12 21-21 to outside:83.x.x.x 21-21

    flags sr idle 0:07:14 timeout 0:00:00

Below is the complete config:

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.93.0 255.255.255.0 10.175.111.0 255.255.255.0

access-list inside_access_in extended permit ip 172.16.93.0 255.255.255.0 any

access-list DMZ_access_in extended permit ip 10.175.111.0 255.255.255.0 any

access-list DMZ_access_in extended permit icmp any any

access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any 172.16.93.0 255.255.255.0

access-list DMZ_access_in extended deny ip any any

access-list outside_access_in extended deny ip any any

access-list FTP_IN extended permit tcp any object ftp_server eq ftp

nat (DMZ,outside) source dynamic any interface

nat (inside,outside) source dynamic any interface

nat (inside,DMZ) source static any any

!

object network obj_any

nat (inside,outside) dynamic interface

object network ftp_server

nat (inside,outside) static interface service tcp ftp ftp

access-group inside_access_in in interface inside

access-group FTP_IN in interface outside

access-group DMZ_access_in in interface DMZ

Looking for support from the community.

23 Replies

lcambron
Level 3

Can you try the packet tracer on the CLI so we can see the full output?

The packet is hitting the implicit rule because it's not being NAT'ed.

packet in outside tcp 8.8.8.8 1025 83.x.x.x 21

Also, is the FTP active or passive? Client outside or inside?

Felipe.

Not NAT'ed.... Why is my NAT statement wrong? If it is wrong, what is the correct one?

I am using an FTP connection from outside, with the FileZilla FTP server and the XP FTP client from outside for the connection.

Below is the CLI packet tracer info:

packet in outside tcp 8.8.8.8 1025 83.x.x.x 21

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   83.x.x.x    255.255.255.255 identity

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

lcambron
Level 3

Why do you have:

nat (inside,outside) source dynamic any interface

If you have:

object network obj_any

nat (any,outside) dynamic interface

Can you remove this NAT and try the packet tracer again?

no nat (inside,outside) source dynamic any interface

packet in outside tcp 8.8.8.8 1025 83.x.x.x 21

When using NAT and FTP there are some things to take into consideration.

FTP uses port 21 to establish the connection but uses a random port for data.

Need to find out if it is passive or active. Also port forwarding for a range of ports might be needed.

A one-to-one NAT is preferred.

Felipe.

OK, understood.

If I remove

nat (inside,outside) source dynamic any interface

would it stop all the "inside" hosts from using the internet via PAT (on the outside interface)?

I understand that FTP uses a different port for data, but we cannot have one-to-one NAT due to the non-availability of global IP addresses; only the interface IP address can be used for incoming traffic.

Regards

OK, I removed that statement; below is the packet trace output:

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   83.x.x.x    255.255.255.255 identity

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: NP Identity Ifc

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule


Now that is weird, I tried it and it worked.

Just in case try - clear xlate

And can you share again the output of - show run nat

I tried clear xlate

and tried to FTP from outside; still the same error, I can't FTP from outside.

Below is the sh run nat output:

nat (inside,DMZ) source static any any

nat (DMZ,outside) source dynamic any interface

!

object network obj_any

nat (any,outside) dynamic interface

object network ftpserver

nat (inside,outside) static interface service tcp ftp ftp

Kindly advise.

lcambron
Level 3

Looks like this line is also conflicting with the FTP NAT.

 

nat (DMZ,outside) source dynamic any interface

Try replacing it with this:

no nat (DMZ,outside) source dynamic any interface

object network any-dmz

subnet 0 0

nat (DMZ,outside) dynamic interface

Make this change, clear xlates and run the packet trace again.

Felipe.

Thanks Felipe

The problem has been resolved and now I can access the FTP site.

8.4 really sucks

Anyway, thanks everyone for helping, especially Felipe.

Regards
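
Added example (not part of the original thread, and not code from any of the posters): ASA 8.3 and later evaluate manual NAT rules (`nat ... source ...`) before object NAT, which is why the two `source dynamic any interface` rules in this thread shadowed the `ftp_server` port forward. The Python sketch below flags that pattern in `show run nat` output; the function name is hypothetical and the sample configs are assembled from the lines posted above.

```python
import re

NAT_RE = re.compile(r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s+(?P<rest>.+)$")

def find_shadowed_port_forwards(config):
    """Return (object, manual_rule) pairs where a section-1 manual PAT rule
    shares the mapped interface with an object-NAT interface port forward."""
    manual_pat, forwards, current_obj = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current_obj = line.split()[2]
            continue
        m = NAT_RE.match(line)
        if not m:
            continue
        tokens = m["rest"].split()
        if "source" in tokens:
            # Manual NAT. "after-auto" moves it behind object NAT, so skip it.
            i = tokens.index("source")
            if ("after-auto" not in tokens and tokens[i + 1:i + 2] == ["dynamic"]
                    and "interface" in tokens[i + 2:]):
                manual_pat.append((line, m["mapped"]))
        elif current_obj and tokens[:2] == ["static", "interface"] and "service" in tokens:
            forwards.append((current_obj, m["mapped"]))
    return [(obj, rule) for obj, mapped in forwards
            for rule, rule_mapped in manual_pat if rule_mapped == mapped]

# Constructed from the configs posted in the thread.
BEFORE = """\
nat (DMZ,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
nat (inside,DMZ) source static any any
!
object network obj_any
 nat (inside,outside) dynamic interface
object network ftp_server
 nat (inside,outside) static interface service tcp ftp ftp
"""
AFTER = """\
nat (inside,DMZ) source static any any
!
object network obj_any
 nat (any,outside) dynamic interface
object network any-dmz
 nat (DMZ,outside) dynamic interface
object network ftp_server
 nat (inside,outside) static interface service tcp ftp ftp
"""

if __name__ == "__main__":
    for obj, rule in find_shadowed_port_forwards(BEFORE):
        print(f"{obj}: port forward shadowed by manual rule '{rule}'")
    print("after fix:", find_shadowed_port_forwards(AFTER))
```

An empty result only means this one pattern is absent; `packet-tracer` on the device remains the authoritative check.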
