The setup is as in the attached picture.
Pix config is as follows:
access-list DMZ extended permit icmp host Pubsrv any
access-list ACLIN extended permit tcp any host 172.31.0.5 eq www
access-list ACLIN extended permit tcp any host 172.31.0.5 eq ftp
access-list ACLIN extended permit tcp any host 172.31.0.9 eq ftp <<< Allow ftp to Public Server
access-list ACLIN extended permit icmp host Inetsrv host 172.31.0.11
access-group ACLIN in interface outside
access-group DMZ in interface dmz
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 172.31.0.10-172.31.0.254
global (dmz) 1 192.168.1.10-192.168.1.254
static (dmz,outside) 172.31.0.9 Pubsrv netmask 255.255.255.255 <<Public Server static NAT
static (inside,outside) 172.31.0.5 Insrv netmask 255.255.255.255 <<Internal Server static NAT
static (inside,outside) 172.31.0.11 Wstation netmask 255.255.255.255
static (inside,dmz) 192.168.1.11 Wstation netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 172.31.0.2 1
Pix interfaces are configured with the IPs shown in the figure and the security levels are in:100 - dmz:50 - out:0
I go to the "Internal Server" and do: ftp 172.31.0.9, which is the outside IP of the "Public Server", instead of doing: ftp 192.168.1.2 and connecting to it directly, but it does not work and I cannot understand why.
As far as I understand the following steps should happen:
1) Internal Server (IP 10.0.0.11) sends the first ftp packet to Public Server (IP 172.31.0.9)
2) pix receives the packet on the inside interface, makes static NAT for the src IP from 10.0.0.11 to 172.31.0.5 and sends the packet to the outside interface (based on the routing table)
3) pix sees dest IP address 172.31.0.9, so it takes the packet in again from the outside interface, performs static NAT for the dst IP from 172.31.0.9 to 192.168.1.2 and sends the packet out to the Public Server in the DMZ.
4) Public Server responds and there should be no problem for the response to go back, as the session is stored in the session table.
However this does not happen and I am very confused....
If I understand your situation correctly try adding the following command in your pix (not sure what version you are running):
alias(inside) 172.31.0.9 192.168.1.2 255.255.255.255
Hope this helps.
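To make the steps in the original question and the alias suggestion concrete, here is an added toy model of the forwarding path (written for this thread, not PIX code or anyone's posted config). It assumes /24 interface subnets inferred from the statics and globals, takes Insrv = 10.0.0.11 and Pubsrv = 192.168.1.2 from the thread, uses a constructed placeholder 10.0.0.12 for Wstation, and models alias(inside) as a destination rewrite applied before routing. The key modelling assumption, which is the classic PIX behaviour the alias works around, is that a packet sent out an interface is not read back in on that same interface, so step 3 above never happens: the packet leaves on outside with destination 172.31.0.9, an address that exists only as the firewall's own static.

```python
import ipaddress

# Interface subnets inferred from the globals/statics in the posted config (assumption: /24s).
INTERFACES = {
    "inside": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.1.0/24"),
    "outside": ipaddress.ip_network("172.31.0.0/24"),
}
DEFAULT_ROUTE_IF = "outside"  # route outside 0.0.0.0 0.0.0.0 172.31.0.2 1

# Host names from the posted config. Insrv=10.0.0.11 and Pubsrv=192.168.1.2 are stated in the
# thread; Wstation's address is not, so 10.0.0.12 is a constructed placeholder.
HOSTS = {"Insrv": "10.0.0.11", "Pubsrv": "192.168.1.2", "Wstation": "10.0.0.12"}

# static (real_if,mapped_if) mapped_ip real_host, as posted.
STATICS = [
    ("dmz", "outside", "172.31.0.9", "Pubsrv"),
    ("inside", "outside", "172.31.0.5", "Insrv"),
    ("inside", "outside", "172.31.0.11", "Wstation"),
    ("inside", "dmz", "192.168.1.11", "Wstation"),
]
# nat (inside) 1 10.0.0.0 255.255.255.0 paired with the global pools per egress interface.
NAT_INSIDE_1 = ipaddress.ip_network("10.0.0.0/24")
GLOBALS = {"outside": ("172.31.0.10", "172.31.0.254"), "dmz": ("192.168.1.10", "192.168.1.254")}


def route_lookup(dst):
    """Connected-route lookup first, then the default route."""
    ip = ipaddress.ip_address(dst)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return DEFAULT_ROUTE_IF


def translate_source(real_if, egress_if, src):
    """A static xlate for (real_if, egress_if) wins; otherwise nat 1 plus the global pool of the
    egress interface (first pool address, a simplification of dynamic allocation)."""
    for rif, mif, mapped, host in STATICS:
        if rif == real_if and mif == egress_if and HOSTS[host] == src:
            return mapped, "static"
    if real_if == "inside" and ipaddress.ip_address(src) in NAT_INSIDE_1 and egress_if in GLOBALS:
        return GLOBALS[egress_if][0], "dynamic"
    raise ValueError(f"no translation for {src} from {real_if} to {egress_if}")


def forward_from_inside(src, dst, aliases=()):
    """Walk the first packet of a session from an inside host.

    aliases: (dnat_ip, foreign_ip) pairs from alias(inside) lines, modelled here as rewriting the
    destination before routing (the destination-NAT side of alias; DNS doctoring is not modelled).
    """
    for dnat_ip, foreign_ip in aliases:
        if dst == dnat_ip:
            dst = foreign_ip
    egress = route_lookup(dst)
    mapped_src, kind = translate_source("inside", egress, src)
    # Model assumption (classic PIX behaviour the alias works around): a packet sent out an
    # interface is not read back in on that same interface, so a destination that exists only as
    # the firewall's own static on the egress side has no host behind it.
    only_a_static = any(m == dst and mif == egress for _, mif, m, _ in STATICS)
    return {"egress": egress, "src": mapped_src, "nat": kind, "dst": dst,
            "reachable": not only_a_static}


if __name__ == "__main__":
    print(forward_from_inside("10.0.0.11", "192.168.1.2"))   # ftp to the real dmz IP: works
    print(forward_from_inside("10.0.0.11", "172.31.0.9"))    # ftp to the outside static: fails
    print(forward_from_inside("10.0.0.11", "172.31.0.9", aliases=[("172.31.0.9", "192.168.1.2")]))
```

Without the alias, the packet to 172.31.0.9 is routed to outside with its source translated to 172.31.0.5 and never reaches the DMZ; with the alias the destination becomes 192.168.1.2 before routing, the packet goes out dmz, and Insrv is translated from the dmz global pool (Wstation would instead use its static (inside,dmz) address 192.168.1.11).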
The config I put above is the full config minus the interface configs (which are correct). Look at the attached picture to see the topology.
My question is this. When I am on an inside host (Internal Server or Workstation) and I do ftp 192.168.1.2 (dmz real IP), it works. When I do ftp 172.31.0.9 (dmz static translated IP), it does not.
In other words, I try to ftp from inside to the dmz server via the dmz server's outside IP. Is it clear now?