Redirect ftp traffic on port 3232 to a specific ftp host listening on port 21

Hugo Rosado
Level 1

Hi Guys,

I'm trying to forward some FTP traffic that arrives on my "outside" interface, called VodafoneTrunk, on port 3232 to an FTP host that is listening on port 21. I have checked many blogs and forums and read a lot of information, but still cannot get this to work.

Can anyone have a look? I'm using an ASA with version 9.1(5); the running config is attached.

Many Thanks

H

1 Accepted Solution

Accepted Solutions

You might be hitting the following bug:

https://tools.cisco.com/bugsearch/bug/CSCub53088

You can try the workaround mentioned in the defect. Also, from the release notes of 9.2.x, the fix is integrated in the 9.2.1 release.

Hope it helps.

Thanks,

R.Seth


9 Replies

Shivapramod M
Level 1

Hi Hugo,

It looks like the NAT configuration on the ASA is incorrect. I believe you would like to forward the traffic from outside to inside. You are using a mapped port of 3232 and it must get translated to its real port 21. If my understanding of the issue is correct, then you have an FTP server behind the ASA and you are trying to access the server using a static NAT. Please correct me if my understanding of the issue is wrong.

You can configure a correct NAT to achieve this.

nat (production,vodafone) source static real_IP map_IP service real_port mapped_port

Here the real port will be 21 and the mapped port will be 3232; real_IP will be the private IP of the server, which is in production. We can use the interface instead of map_IP as well.

Hope this helps,

Thanks,

Shivapramod M

Hi Shivapramod,

You are correct in the way you look at this issue. I have applied the commands you recommended, but I still cannot access my FTP server from outside. I have also run a show xlate and here are the results:

NAT from VodafoneTrunk:0.0.0.0/0 to Design:0.0.0.0/0
    flags sIT idle 11:17:12 timeout 0:00:00
NAT from VodafoneTrunk:0.0.0.0/0 to Guest:0.0.0.0/0
    flags sIT idle 11:17:12 timeout 0:00:00
NAT from VodafoneTrunk:0.0.0.0/0 to Telephony:0.0.0.0/0
    flags sIT idle 11:17:12 timeout 0:00:00
NAT from VodafoneTrunk:0.0.0.0/0 to Production:0.0.0.0/0
    flags sIT idle 11:17:12 timeout 0:00:00
TCP PAT from Production:192.168.10.9 21-21 to VodafoneTrunk:External_Ip 21-21
    flags srT idle 0:01:35 timeout 0:00:00
TCP PAT from VodafoneTrunk:0.0.0.0/0 21-21 to Production:0.0.0.0/0 21-21
    flags srIT idle 0:01:35 timeout 0:00:00

From what I can see, all traffic on port 21 on the VodafoneTrunk interface will be forwarded to the Production VLAN, but not to a specific host, and that is what I have specified in the NAT rule:

nat (Production,Vodafonetrunk)source static Synol0gy interface service Ftp Ftp

Synol0gy is a network object with the IP address 192.168.10.9.

Ftp is a service object with port 21 configured.

Thanks in advance.

Hi Hugo,

I believe the traffic is coming to the ASA with port 3232, as per your explanation. If that is the case, then you should have the following NAT. Please correct me if I am wrong.

nat (Production,Vodafonetrunk)source static Synol0gy interface service Ftp 3232

where 3232 is nothing but a service object that you have already created, as per the show tech.

object service 3232

service tcp source eq 3232

If this does not work, then you can run packet tracer on the ASA:

packet-tracer input vodafonetrunk tcp <sourceIP> 12345 <vodafone interface IP> 3232 detailed

Thanks,

Shivapramod M
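Pulling the two replies above together, here is the complete object, NAT and ACL set for this thread's scenario, plus the verification commands. This is an added example, not configuration from the original post; the ACL name, the outside client address and the interface address are assumed.

```cisco
! Real FTP server (object name and address as given in the thread)
object network Synol0gy
 host 192.168.10.9
!
! Port objects. The NAT below is written from the server's side
! (Production -> VodafoneTrunk), so the port being translated is the
! server's SOURCE port; both objects therefore use "source", matching
! the "object service 3232" posted in the thread.
object service Ftp
 service tcp source eq 21
object service Ftp-3232
 service tcp source eq 3232
!
! Static NAT with port translation: real 192.168.10.9:21 is reached
! from outside as <VodafoneTrunk interface IP>:3232.
nat (Production,VodafoneTrunk) source static Synol0gy interface service Ftp Ftp-3232
!
! Since ASA 8.3 the inbound ACL is written against the REAL address and
! the REAL port (21), not the mapped port 3232. ACL name is assumed.
access-list VodafoneTrunk_access_in extended permit tcp any object Synol0gy eq 21
access-group VodafoneTrunk_access_in in interface VodafoneTrunk
!
! Verification. 203.0.113.10 is a constructed outside client address;
! 198.51.100.1 stands in for the VodafoneTrunk interface IP.
packet-tracer input VodafoneTrunk tcp 203.0.113.10 12345 198.51.100.1 3232 detailed
show nat detail
show xlate
! The host-specific translation should appear as:
!   TCP PAT from Production:192.168.10.9 21-21 to VodafoneTrunk:198.51.100.1 3232-3232
```

If the xlate shows 21-21 on the outside instead of 3232-3232, the mapped service object is still the port-21 one.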

Please find attached the packet tracer result; also, here's a copy of the current show xlate:

nat (Production,Vodafonetrunk)source static Synol0gy interface service Ftp Ftp

NAT from VodafoneTrunk:0.0.0.0/0 to Design:0.0.0.0/0
    flags sIT idle 11:48:50 timeout 0:00:00
NAT from VodafoneTrunk:0.0.0.0/0 to Guest:0.0.0.0/0
    flags sIT idle 11:48:50 timeout 0:00:00
NAT from VodafoneTrunk:0.0.0.0/0 to Telephony:0.0.0.0/0
    flags sIT idle 11:48:50 timeout 0:00:00
NAT from VodafoneTrunk:0.0.0.0/0 to Production:0.0.0.0/0
    flags sIT idle 11:48:50 timeout 0:00:00
TCP PAT from Production:192.168.10.9 21-21 to VodafoneTrunk:External_Ip 3232-3232
    flags srT idle 0:01:03 timeout 0:00:00
TCP PAT from VodafoneTrunk:0.0.0.0/0 0 to Production:0.0.0.0/0 21-21
    flags srIT idle 0:01:03 timeout 0:00:00

I have now created a NAT rule that allows the FTP traffic on port 3232 and forwards it to my FTP server. In packet tracer I can see the traffic goes through, but if I try to establish an FTP session from outside on port 3232 to my FTP server on port 21 it does not work. Do I need to clear the xlate, or even reboot?

It doesn't make sense.

Hi Hugo,

Now we need to take captures on the ingress interface, which is vodafone, and on the egress interface, which is production, to see the packet flow.

1. Set the captures on the ASA:

cap capin interface vodafone match tcp any host <interface IP> eq 3232

cap capout interface production match tcp any host  <real IP> eq 21

2. Initiate the traffic and wait till it fails.

3. Take the output:

show cap capin

show cap capout

4. You can also see if the ASA generated any log for this traffic.

Thanks,

Shivapramod M

Hi,

Over the past few days I have decided to try this out only with FTP to FTP. I have captured the packets and this is the outcome:

287: 17:37:00.109064       802.1Q vlan#100 P0 95.95.196.179.59829 > External_IP.21: S 3966589209:3966589209(0) win 5840 <mss 1460,sackOK,timestamp 61180619 0,nop,wscale 5>
288: 17:37:03.100702       802.1Q vlan#100 P0 95.95.196.179.59829 >External_IP.21: S 3966589209:3966589209(0) win 5840 <mss 1460,sackOK,timestamp 61180919 0,nop,wscale 5>

I can see the traffic coming in, and when I do a packet tracer it tells me that the traffic should go through, but it still won't.

Could it be a bug?

There is a bug with 9.1:

https://community.spiceworks.com/topic/504094-asa-version-9-1-1-with-ftp
