PAT/NAT overload configuration for active/passive FTP vs http/https

Jesserony
Level 1

Good Morning,

I have two servers, one for http/https (LoadBalancerHost) and one for FTP (WizFTPHost) and am attempting to NAT them to the same public IP address, on an ASA-5516X.

The following NAT configuration works fine; I can access both hosts on their respective ports:

nat (screened,outside) source static LoadBalancerHost Load_Balancer_Outside_IP service http http
nat (screened,outside) source static LoadBalancerHost Load_Balancer_Outside_IP service https https
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP

However, what should my NAT config look like if I want to be more precise, instead of that Any catch-all at the end?

I tried the following and it didn't work:

object service ftp
service tcp source eq ftp destination eq ftp

object service ftp-data
service tcp destination eq ftp-data

object service WizzFTP
service tcp source range 50000 54000 destination range 50000 54000


nat (screened,outside) source static LoadBalancerHost Load_Balancer_Outside_IP service http http
nat (screened,outside) source static LoadBalancerHost Load_Balancer_Outside_IP service https https
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP service WizzFTP WizzFTP
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP service ftp ftp
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP service ftp-data ftp-data

And this doesn't work for some reason. Do you guys have any advice on how to achieve this? With the above config, I ran Packet Tracer for port 21 and it says denied. However, if I put it back to the original way it says it is allowed, and works in real life.

Note when looking at the results below: I am testing with a PC on the "data" subnet. However, I do know the host on the screened subnet "LoadBalancerHost" is currently in production and definitely working for outside http/https access.

This is with the config that isn't working:


Result of the command: "packet-tracer input outside tcp 72.43.4.82 21 192.168.190.239 21"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.190.239 using egress ifc data

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in_1 in interface outside
access-list outside_access_in_1 extended permit tcp any object WizFTPHost object-group WizFTP
object-group service WizFTP tcp
description: Opens ports for PASV anf ACTV FTP
port-object eq ftp
port-object eq ftp-data
port-object range 50000 54000
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect ftp
service-policy global-policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect waas
service-policy global-policy global
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (data,outside) source static WizFTPHost Load_Balancer_Outside_IP service ftp ftp
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: data
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

------------------------------------------------------------------
Back to original way, "Any" NAT for WizFTPhost:

Result of the command: "packet-tracer input data tcp 72.43.4.82 21 192.168.190.239 21"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.190.239 using egress ifc data

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group data_access_in in interface data
access-list data_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect ftp
service-policy global-policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global-policy
class global-class
inspect waas
service-policy global-policy global
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16551149, packet dispatched to next module

Phase: 12
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.190.239 using egress ifc data

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 908d.6e8d.557f hits 62227 reference 10

Result:
input-interface: data
input-status: up
input-line-status: up
output-interface: data
output-status: up
output-line-status: up
Action: allow

2 Replies

This never works:

object service ftp
service tcp source eq ftp destination eq ftp
!
nat (screened,outside) source static WizFTPHost Load_Balancer_Outside_IP service ftp ftp

You configure object-service ftp with source and destination, but you use this object-service as source->source.

So your first NAT config is correct.

If you need to fine-tune the NAT, can you elaborate more on what you need exactly?

Peter Koltl
Level 7

object service ftp
  service tcp source eq ftp destination eq ftp

object service ftp-data
  service tcp destination eq ftp-data

object service WizzFTP
  service tcp source range 50000 54000 destination range 50000 54000

Explanation: the incoming (outside -> screened) packet has a high random src port and FTP dst port. So if you had had nat (outside,screened), then you should have written service tcp destination eq ftp.

Since you chose nat (screened,outside), you have to write service tcp source eq ftp (matching directions).

I would have suggested nat (outside,screened), as it reflects the real connection initiation logic.

ftp-data should not be NAT'ed, it is handled by ASA protocol inspection automatically.
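To make the "matching directions" point in the two replies concrete, here is an added Python model of how a twice-NAT rule's service object is compared with an arriving packet. It is example code written for this page, not code from the thread, from the ASA, or from Cisco; the direction semantics it encodes are an assumption that follows Peter Koltl's explanation (a packet entering on the mapped interface is evaluated in reverse, so the service object's "source" port is checked against the packet's destination port). The host labels PUBLIC_IP and WizFTPHost, the 203.0.113.10 client address, the object names ftp-src and ftp-dst, and the functions rule_matches, first_match and demo are all the example's own.

```python
"""Simplified model of Cisco ASA twice-NAT service-object matching.

Added illustration for the thread above; it is an assumed model of the
direction rule, not ASA code. Only TCP ports and host labels are modelled.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]      # inclusive (low, high)
ANY: PortRange = (0, 65535)      # no port constraint


@dataclass(frozen=True)
class ServiceObject:
    """'object service NAME / service tcp source ... destination ...'.
    'source' refers to the host written on the real side of the nat rule,
    'destination' to its peer."""
    name: str
    source: PortRange = ANY
    destination: PortRange = ANY


@dataclass(frozen=True)
class NatRule:
    """'nat (real_ifc,mapped_ifc) source static SRC_REAL SRC_MAPPED
    [destination static DST_MAPPED DST_REAL] service SVC SVC'.
    None in a host field means 'any'."""
    real_ifc: str
    mapped_ifc: str
    service: ServiceObject
    src_real: Optional[str] = None
    src_mapped: Optional[str] = None
    dst_mapped: Optional[str] = None
    dst_real: Optional[str] = None


@dataclass(frozen=True)
class Packet:
    ingress_ifc: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _host_ok(ip: str, wanted: Optional[str]) -> bool:
    return wanted is None or ip == wanted


def _port_ok(port: int, rng: PortRange) -> bool:
    return rng[0] <= port <= rng[1]


def rule_matches(rule: NatRule, pkt: Packet) -> bool:
    """True if the packet would be picked up by this rule (assumed model).

    Entering on the real interface: matched as written (packet source against
    service 'source', packet destination against service 'destination').
    Entering on the mapped interface: evaluated in reverse, so service
    'source' is compared with the packet's destination port and vice versa."""
    svc = rule.service
    if pkt.ingress_ifc == rule.real_ifc:
        return (_host_ok(pkt.src_ip, rule.src_real)
                and _host_ok(pkt.dst_ip, rule.dst_mapped)
                and _port_ok(pkt.src_port, svc.source)
                and _port_ok(pkt.dst_port, svc.destination))
    if pkt.ingress_ifc == rule.mapped_ifc:
        return (_host_ok(pkt.src_ip, rule.dst_real)
                and _host_ok(pkt.dst_ip, rule.src_mapped)
                and _port_ok(pkt.src_port, svc.destination)
                and _port_ok(pkt.dst_port, svc.source))
    return False


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[str]:
    """Rules are tried in order; the first match wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.service.name
    return None


# Objects as posted in the question, plus the corrected forms from the replies.
FTP_AS_POSTED = ServiceObject("ftp", source=(21, 21), destination=(21, 21))
FTP_SOURCE_ONLY = ServiceObject("ftp-src", source=(21, 21))        # source eq ftp
FTP_DEST_ONLY = ServiceObject("ftp-dst", destination=(21, 21))     # destination eq ftp
WIZZ_FTP = ServiceObject("WizzFTP", source=(50000, 54000), destination=(50000, 54000))

# Constructed sample packet: an outside FTP client with an ephemeral source
# port opening the control connection. Addresses are placeholders.
CLIENT_TO_PUBLIC_21 = Packet("outside", "203.0.113.10", 49321, "PUBLIC_IP", 21)


def demo() -> Dict[str, Optional[str]]:
    """Evaluate the client's control-connection packet against three rule sets."""
    as_posted = [NatRule("screened", "outside", FTP_AS_POSTED,
                         src_real="WizFTPHost", src_mapped="PUBLIC_IP"),
                 NatRule("screened", "outside", WIZZ_FTP,
                         src_real="WizFTPHost", src_mapped="PUBLIC_IP")]
    source_only = [NatRule("screened", "outside", FTP_SOURCE_ONLY,
                           src_real="WizFTPHost", src_mapped="PUBLIC_IP")]
    outside_first = [NatRule("outside", "screened", FTP_DEST_ONLY,
                             dst_mapped="PUBLIC_IP", dst_real="WizFTPHost")]
    return {
        "as_posted": first_match(as_posted, CLIENT_TO_PUBLIC_21),
        "screened_outside_source_eq_ftp": first_match(source_only, CLIENT_TO_PUBLIC_21),
        "outside_screened_destination_eq_ftp": first_match(outside_first, CLIENT_TO_PUBLIC_21),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'matched ' + result if result else 'no rule matched'}")
```

Under this model the objects as posted match nothing, because the "destination eq ftp" half of the posted ftp object demands that the outside client also use source port 21, which a real client never does; the source-only object on a (screened,outside) rule and the destination-only object on an (outside,screened) rule both match the same packet. A model like this is only a reasoning aid; the authoritative check on a live ASA remains packet-tracer with a realistic ephemeral source port rather than port 21.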
