01-31-2012 03:55 AM - edited 03-11-2019 03:21 PM
Hi all,
I am using the new ASA IOS (8.4) for the first time and frankly I am in trouble.
I have one PPPoE interface (IP assigned from DHCP). I want to use PAT on that interface and divert FTP traffic to the host inside.
Can anyone please help me in resolving this issue?
I am using the below commands but unfortunately it is not working:
object network ftp_server
nat (inside,outside) static interface service tcp 21 21
access-list FTP_IN extended permit tcp any object ftp_server eq 21
access-group FTP_IN in interface outside
sh xlate
TCP PAT from inside:172.16.93.12 21-21 to outside:83.x.x.x 21-21
flags sr idle 0:07:14 timeout 0:00:00
Below is the complete config:
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.93.0 255.255.255.0 10.175.111.0 255.255.255.0
access-list inside_access_in extended permit ip 172.16.93.0 255.255.255.0 any
access-list DMZ_access_in extended permit ip 10.175.111.0 255.255.255.0 any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any 172.16.93.0 255.255.255.0
access-list DMZ_access_in extended deny ip any any
access-list outside_access_in extended deny ip any any
access-list FTP_IN extended permit tcp any object ftp_server eq ftp
nat (DMZ,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
nat (inside,DMZ) source static any any
!
object network obj_any
nat (inside,outside) dynamic interface
object network ftp_server
nat (inside,outside) static interface service tcp ftp ftp
access-group inside_access_in in interface inside
access-group FTP_IN in interface outside
access-group DMZ_access_in in interface DMZ
Looking for support from the community.
02-02-2012 05:28 PM
Looks like this line is also conflicting with the FTP NAT.
nat (DMZ,outside) source dynamic any interface
Try replacing it with this:
no nat (DMZ,outside) source dynamic any interface
object network any-dmz
subnet 0 0
nat (DMZ,outside) dynamic interface
Make this change, clear xlates and run the packet trace again.
Felipe.
01-31-2012 05:49 AM
NAT-Control is removed in 8.3/8.4 versions. Use these commands.
If I understand your post correctly, you want to do a dynamic PAT of all hosts on the inside interface when they go out the outside. Use the below commands.
object network any-0
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
or
nat (inside,outside) after-auto source dynamic any interface
Hope this helps.
Regards,
Anton
01-31-2012 06:05 AM
No.
I want someone coming from outside to the outside interface IP to be directed to the inside host (172.16.93.12) (for FTP), as we do not have a pool of global IP addresses.
01-31-2012 06:44 AM
Hey Imran,
Follow these steps.
Step 1: Create a new object group for your web server.
(config)# object network ftpserver
Step 2: Add the IP of the web server to the network group.
(config-network-object)# host 172.16.93.12
Step 3: Forward the port via the NAT command.
(config-network-object)# nat (inside,dmz) static interface service tcp ftp ftp
Step 4: Exit back to the root and add the access list.
(config)# access-list outside_access_in permit tcp any object ftpserver eq ftp
Hope it helps.
Best regards,
Anton
01-31-2012 06:55 AM
Dear Anton
Thanks for your reply,
I have done the same settings but I am unable to connect from outside.
I get hits on the implicit deny on the outside interface but no hits on the above access-list (allowing FTP).
Any other possible reasons?
01-31-2012 08:04 AM
It's because of this:
access-list outside_access_in extended deny ip any any
You need to allow FTP:
access-list outside_access_in permit tcp any object ftpserver eq ftp
Hope this helps.
Regards,
Anton
01-31-2012 09:15 AM
Dear Anton ,
Thanks for your reply.
I have already added this ACL,
but the hit count is increasing on the deny statement, not on the allow statement.
Very surprising to me.
Not sure what exactly the reason could be.
01-31-2012 09:30 AM
Hi Imran,
Can you share your full configuration?
Anton
01-31-2012 03:59 PM
Can you share the output of:
show run access-group
show access-list FTP_IN
show run nat
You said you don't see hit counts on the ACL.
Seems like you have these two ACLs:
access-list outside_access_in extended deny ip any any
access-list FTP_IN extended permit tcp any object ftp_server eq ftp
If the first one is applied inbound to the outside interface, the second one is not applied.
Captures and packet-tracer might help:
access-list capture permit tcp any ftp_public_IP eq ftp
capture test access-list capture interface outside
show cap test
packet in outside tcp 8.8.8.8 1025 ftp_public_IP 21
Felipe.
01-31-2012 05:59 PM
Hello,
On the show xlate we can see the translation being built.
On the access-groups you have the following:
access-group FTP_IN in interface outside
access-list FTP_IN extended permit tcp any object ftp_server eq ftp
So the ACL is only allowing connections to the FTP server on port 21, which is what you are looking for.
If you do an ASP capture you will see whether the ASA is dropping the packets; with the configuration you posted, it should not be happening.
Here is the capture you need to make, and then attempt a connection:
capture asp type asp-drop all
Try to connect to the FTP server from the outside and finally provide us the following:
show cap asp | include x.x.x.x (IP address of the host you made the connection from)
Regards,
Julio
01-31-2012 10:09 PM
Hi all,
Below is the detailed config and the packet trace.
It seems to be some NAT error, but I am not sure why there is a NAT error.
Looking forward to your support.
: Saved
:
ASA Version 8.4(2)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 12
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.93.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address pppoe setroute
!
interface Vlan12
nameif DMZ
security-level 50
ip address 10.175.111.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network uaelan
subnet 172.16.93.0 255.255.255.0
object network dmz_net
subnet 10.175.111.0 255.255.255.0
object network ftpserver
host 172.16.93.12
object-group network dmz
network-object 10.175.111.0 255.255.255.0
object-group network inside
network-object 172.16.93.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.93.0 255.255.255.0 10.175.111.0 255.255.255.0
access-list inside_access_in extended permit ip 172.16.93.0 255.255.255.0 any
access-list DMZ_access_in extended permit ip 10.175.111.0 255.255.255.0 any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any 172.16.93.0 255.255.255.0
access-list DMZ_access_in extended deny ip any any
access-list outside_access_in extended permit tcp any object ftpserver eq ftp
access-list global_access extended permit ip any any
nat (DMZ,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
nat (inside,DMZ) source static any any
!
object network obj_any
nat (inside,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
access-group global_access global
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
vpdn group ISP request dialout pppoe
vpdn group ISP localname ASA842
vpdn group ISP ppp authentication pap
vpdn username ASA842 password ***** store-local
dhcpd auto_config outside
!
dhcpd address 172.16.93.101-172.16.93.250 inside
dhcpd dns 172.16.93.12 interface inside
dhcpd lease 691200 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
02-01-2012 06:30 AM
Hello,
Packet-tracer should be pointing to the outside interface of your asa.
Do it again!
02-01-2012 06:50 AM
Thanks for the reply.
It shows some implicit deny rule error.
sh access-list outside_access_in
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any object ftpserver eq ftp log notifications interval 300 (hitcnt=0) 0x33d02b01
access-list outside_access_in line 1 extended permit tcp any host 172.16.93.12 eq ftp log notifications interval 300 (hitcnt=1) 0x33d02b01
access-list outside_access_in line 2 extended deny ip any any log informational interval 300 (hitcnt=106) 0x2c1c6a65
sh run access-group
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
Attached is the snapshot.
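The `show access-list` output in the post above is the check that decides the whole thread: an object-based ACE is printed twice (the configured `object ftpserver` form and its expanded `host 172.16.93.12` entry), and the hit counters that matter are on the expanded entries. The following Python script is an added example, not code from the thread or from Cisco; it parses output in that format (the sample text is constructed from the two snapshots posted in this thread) and reports, per ACE line, whether the permit is being hit or whether only the deny below it is counting.

```python
import re

# Constructed sample: the "show access-list outside_access_in" output posted
# in the thread, with the wrapped lines joined back together.
SHOW_ACCESS_LIST = """\
access-list outside_access_in; 2 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any object ftpserver eq ftp log notifications interval 300 (hitcnt=0) 0x33d02b01
access-list outside_access_in line 1 extended permit tcp any host 172.16.93.12 eq ftp log notifications interval 300 (hitcnt=1) 0x33d02b01
access-list outside_access_in line 2 extended deny ip any any log informational interval 300 (hitcnt=106) 0x2c1c6a65
"""

# Constructed sample: the later snapshot, after the ACE was re-entered as a host ACE.
SHOW_ACCESS_LIST_AFTER = """\
access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host 172.16.93.12 eq ftp (hitcnt=0) 0xbd7b5852
"""

# One ACE line: name, line number, action, match criteria, hit counter.
# The trailing "log ... interval N" options and the hash are stripped afterwards.
ACE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<match>.*?) \(hitcnt=(?P<hits>\d+)\)")


def parse_aces(text):
    """Return one record per expanded ACE entry.

    The ASA prints an object-based ACE in its configured form ("object X")
    and again per expanded host/subnet; in this output the counters sit on
    the expanded entries, so the configured form is skipped here.
    """
    aces = []
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            continue  # header line or unrelated output
        match = m["match"].split(" log ")[0]
        if " object " in f" {match} " or " object-group " in f" {match} ":
            continue
        aces.append({"line": int(m["line"]), "action": m["action"],
                     "match": match, "hits": int(m["hits"])})
    return aces


def summarize(text):
    """Per ACE line number: (action, total hits over its expanded entries)."""
    summary = {}
    for a in parse_aces(text):
        action, hits = summary.get(a["line"], (a["action"], 0))
        summary[a["line"]] = (action, hits + a["hits"])
    return summary


def unhit_permits(text):
    """ACE line numbers of permit entries that have never matched a packet."""
    return [ln for ln, (action, hits) in summarize(text).items()
            if action == "permit" and hits == 0]


if __name__ == "__main__":
    for name, sample in (("before", SHOW_ACCESS_LIST), ("after", SHOW_ACCESS_LIST_AFTER)):
        print(name, summarize(sample), "permits with no hits:", unhit_permits(sample))
```

A permit ACE that stays at zero hits while a deny below it keeps counting means the packets reach the ACL but do not match the permit, which is the symptom the original poster describes; the thread then moves on to the NAT rules because on 8.3+ the ACL is evaluated against the real (untranslated) destination address.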
02-01-2012 09:33 AM
Hello Imran,
access-list outside_access_in line 1 extended permit tcp any object ftpserver eq
ftp log notifications interval 300 (hitcnt=0) 0x33d02b01
Please do the following:
no access-list outside_access_in line 1 extended permit tcp any object ftpserver eq ftp
access-list outside_access_in line 1 permit tcp any host 172.16.93.12 eq 21
Then give it a try!
Regards,
Julio
02-02-2012 02:00 PM
Dear Julio,
Thanks for your reply.
Still the same issue:
not able to connect to FTP from outside.
Is anything wrong? Why does the packet get stuck on the implicit deny policy of the outside interface?
What should I do now?
Below is the access-list (outside_access_in) now:
access-list outside_access_in; 1 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp any host 172.16.93.12 eq ftp (hitcnt=0) 0xbd7b5852
sh run access-group
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
and sh nat detail:
Manual NAT Policies (Section 1)
1 (DMZ) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 83.X.X.X/32
2 (inside) to (outside) source dynamic any interface
translate_hits = 320653, untranslate_hits = 51063
Source - Origin: 0.0.0.0/0, Translated: 83.X.X.X/32
3 (inside) to (DMZ) source static any any
translate_hits = 20117, untranslate_hits = 19926
Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ftpserver interface service tcp ftp ftp
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.16.93.12/32, Translated: 83.X.X.X/32
Service - Protocol: tcp Real: ftp Mapped: ftp
2 (any) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 83.X.X.X/32
sh run nat
nat (DMZ,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
nat (inside,DMZ) source static any any
!
object network obj_any
nat (any,outside) dynamic interface
object network ftpserver
nat (inside,outside) static interface service tcp ftp ftp
sh xlate | incl 172.16.93.12
TCP PAT from inside:172.16.93.12 21-21 to outside:83.x.x.x 21-21
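The `show nat detail` output above lists the rules in the order the ASA evaluates them: manual (twice) NAT in Section 1 in configuration order, then object (auto) NAT in Section 2 with static rules ahead of dynamic ones, then any `after-auto` manual NAT in Section 3. The accepted answer replaces the Section 1 `source dynamic any interface` line with an object-based dynamic rule so that it drops into Section 2 behind the static FTP port forward. The Python script below is an added example, not code from the thread or from Cisco: it parses a `show run nat` listing (the sample is constructed from the one posted here), prints the evaluation order, flags Section 1 rules with `any` as the real source that sit ahead of a static auto-NAT rule on the same mapped interface, and emits the replacement commands in the form the answer uses. Only the static-before-dynamic ordering of Section 2 is modelled; the further tie-breaks the ASA applies within Section 2 (address count, address, object name) are not.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "sh run nat" output posted in the thread.
SHOW_RUN_NAT = """\
nat (DMZ,outside) source dynamic any interface
nat (inside,outside) source dynamic any interface
nat (inside,DMZ) source static any any
!
object network obj_any
 nat (any,outside) dynamic interface
object network ftpserver
 nat (inside,outside) static interface service tcp ftp ftp
"""

# Manual NAT: nat (real,mapped) [after-auto] source static|dynamic REAL MAPPED ...
MANUAL = re.compile(r"nat \((\S+),(\S+)\) (after-auto )?source (static|dynamic) (\S+) (\S+)")
# Object (auto) NAT, written inside an "object network" block:
# nat (real,mapped) static|dynamic MAPPED ...
AUTO = re.compile(r"nat \((\S+),(\S+)\) (static|dynamic) (\S+)")


@dataclass
class NatRule:
    section: int      # 1 = manual, 2 = object (auto), 3 = manual after-auto
    real_if: str
    mapped_if: str
    kind: str         # "static" or "dynamic"
    source: str       # real source: object name, or the "any" keyword
    text: str         # the configuration line as written


def parse_show_run_nat(config):
    rules, obj = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            obj = line.split()[2]       # following nat line belongs to this object
            continue
        m = MANUAL.match(line)
        if m:
            real_if, mapped_if, after, kind, src, _ = m.groups()
            rules.append(NatRule(3 if after else 1, real_if, mapped_if, kind, src, line))
            continue
        m = AUTO.match(line)
        if m and obj:
            real_if, mapped_if, kind, _ = m.groups()
            rules.append(NatRule(2, real_if, mapped_if, kind, obj, line))
    return rules


def evaluation_order(rules):
    """Section 1, then 2, then 3; within Section 2 static rules precede dynamic.
    sorted() is stable, so configuration order is kept everywhere else."""
    return sorted(rules, key=lambda r: (r.section, 0 if r.section == 2 and r.kind == "static" else 1))


def shadowing_manual_rules(rules):
    """Section 1 rules with 'any' as the real source that map to the same
    interface as a static object-NAT rule. They are evaluated before it, and
    these are the lines the thread's answer moves into object NAT."""
    statics = [r for r in rules if r.section == 2 and r.kind == "static"]
    return [r.text for r in rules
            if r.section == 1 and r.source == "any"
            and any(s.mapped_if == r.mapped_if for s in statics)]


def replacement_commands(rule):
    """Rewrite a manual 'source dynamic any interface' rule as object NAT,
    in the form the accepted answer uses (object name is a constructed convention)."""
    name = f"any-{rule.real_if.lower()}"
    return [f"no {rule.text}",
            f"object network {name}",
            " subnet 0 0",
            f" nat ({rule.real_if},{rule.mapped_if}) dynamic interface"]


if __name__ == "__main__":
    rules = parse_show_run_nat(SHOW_RUN_NAT)
    for r in evaluation_order(rules):
        print(f"section {r.section} {r.kind:7} {r.text}")
    for text in shadowing_manual_rules(rules):
        print("evaluated ahead of the static FTP rule:", text)
        print("\n".join(replacement_commands(next(r for r in rules if r.text == text))))
```

After applying the replacement, `clear xlate` and rerun `packet-tracer input outside tcp <source> 1025 <outside-ip> 21`, as the answer suggests; the NAT phase of the trace should then report the static `ftpserver` rule rather than one of the manual rules.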