PAT/NAT overload configuration for active/passive FTP vs http/https
02-06-2023 07:30 AM
Good Morning,
I have two servers, one for http/https (LoadBalancerHost) and one for FTP (WizFTPHost), and I am attempting to NAT them to the same public IP address on an ASA-5516X.
The following NAT configuration works fine; I can access both hosts on their respective ports:
nat (screened,outside) source static LoadBalancerHost Load_Balancer_Outside_IP service http http
nat (screened,outside) source static LoadBalancerHost Load_Balancer_Outside_IP service https https
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP
However, what should my NAT config look like if I want to be more precise, instead of that "Any" catch-all at the end?
I tried the following and it didn't work:
object service ftp
service tcp source eq ftp destination eq ftp
object service ftp-data
service tcp destination eq ftp-data
object service WizzFTP
service tcp source range 50000 54000 destination range 50000 54000
nat (screened,outside) source static LoadBalancerHost Load_Balancer_Outside_IP service http http
nat (screened,outside) source static LoadBalancerHost Load_Balancer_Outside_IP service https https
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP service WizzFTP WizzFTP
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP service ftp ftp
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP service ftp-data ftp-data
And this doesn't work for some reason. Do you guys have any advice on how to achieve this? With the above config, I ran Packet Tracer for port 21 and it says denied. However, if I put it back to the original way it says it is allowed, and it works in real life.
Note when looking at the results below: I am testing with a PC on the "data" subnet. However, I do know the host on the screened subnet "LoadBalancerHost" is currently in production and definitely working for outside http/https access.
This is with the config that isn't working:
Result of the command: "packet-tracer input outside tcp 72.43.4.82 21 192.168.190.239 21"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.190.239 using egress ifc data
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface outside
access-list outside_access_in_1 extended permit tcp any object WizFTPHost object-group WizFTP
object-group service WizFTP tcp
description: Opens ports for PASV anf ACTV FTP
port-object eq ftp
port-object eq ftp-data
port-object range 50000 54000
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect ftp
service-policy global-policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect waas
service-policy global-policy global
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (data,outside) source static WizFTPHost Load_Balancer_Outside_IP service ftp ftp
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: data
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
------------------------------------------------------------------
Back to original way, "Any" NAT for WizFTPhost:
Result of the command: "packet-tracer input data tcp 72.43.4.82 21 192.168.190.239 21"
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.190.239 using egress ifc data
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group data_access_in in interface data
access-list data_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect ftp
service-policy global-policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect waas
service-policy global-policy global
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16551149, packet dispatched to next module
Phase: 12
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.190.239 using egress ifc data
Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 908d.6e8d.557f hits 62227 reference 10
Result:
input-interface: data
input-status: up
input-line-status: up
output-interface: data
output-status: up
output-line-status: up
Action: allow
Labels: Access List
02-06-2023 02:09 PM
This never works:
object service ftp
service tcp source eq ftp destination eq ftp
!
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP service ftp ftp
You configured object-service ftp with source and destination, but you use this object-service as source->source.
So your first NAT config is correct.
If you need to fine-tune the NAT, can you elaborate more on what you need exactly?

03-04-2023 11:05 AM
object service ftp
service tcp source eq ftp destination eq ftp
object service ftp-data
service tcp destination eq ftp-data
object service WizzFTP
service tcp source range 50000 54000 destination range 50000 54000
Explanation: the incoming (outside -> screened) packet has a high random src port and the FTP dst port. So if you had had nat (outside,screened), then you should have written service tcp destination eq ftp.
Since you chose nat (screened,outside), you have to write service tcp source eq ftp (matching directions).
I would have suggested nat (outside,screened), as it reflects the real connection initiation logic.
ftp-data should not be NAT'ed; it is handled by ASA protocol inspection automatically.
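To make the direction rule in this reply concrete, here is an added Python model of how a twice-NAT service object is matched against a packet; it is not Cisco code or anything posted in the thread, and it assumes (as in the thread) that real and mapped service objects are identical and that the interface names screened/outside/data are the only ones involved.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Inclusive TCP port range; None means "any port" (the ASA default for an omitted operator).
PortSpec = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class ServiceObj:
    """Models 'object service X / service tcp [source ...] [destination ...]'."""
    source: PortSpec = None
    destination: PortSpec = None


@dataclass(frozen=True)
class NatRule:
    """Models 'nat (real_ifc,mapped_ifc) source static ... service SVC SVC'."""
    real_ifc: str
    mapped_ifc: str
    service: ServiceObj


@dataclass(frozen=True)
class Packet:
    ingress_ifc: str
    src_port: int
    dst_port: int


def port_in(port: int, spec: PortSpec) -> bool:
    return spec is None or spec[0] <= port <= spec[1]


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """The service object is written in the real->mapped direction. A packet arriving
    on the mapped interface is matched with source/destination swapped, so 'source eq ftp'
    on (screened,outside) means 'port 21 on the screened host', not the client's port."""
    if pkt.ingress_ifc == rule.real_ifc:
        src, dst = pkt.src_port, pkt.dst_port
    elif pkt.ingress_ifc == rule.mapped_ifc:
        src, dst = pkt.dst_port, pkt.src_port
    else:
        return False  # rule is not between these two interfaces
    return port_in(src, rule.service.source) and port_in(dst, rule.service.destination)


FTP = (21, 21)
# Constructed sample: an outside client opens the FTP control channel from an ephemeral port.
CLIENT_SYN = Packet(ingress_ifc="outside", src_port=51234, dst_port=21)

# The three candidates discussed in the thread.
BROKEN = NatRule("screened", "outside", ServiceObj(source=FTP, destination=FTP))
FIXED_SCREENED_OUTSIDE = NatRule("screened", "outside", ServiceObj(source=FTP))
FIXED_OUTSIDE_SCREENED = NatRule("outside", "screened", ServiceObj(destination=FTP))
```

The `BROKEN` object only matches when the client itself also connects from source port 21, which real FTP clients do not do.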
