FTP Proxy - NAT v Public IP

pauldurnien
Level 1

Trying to look at configuring our 3845 so that I have a unique public IP on the interface of our FTP server.

Currently we are 'ip nat inside' on the inside interface so everything will be NATed to the WAN interface.  Clearly if I configure a public IP on our FTP proxy this won't work.  But it's not clear how I can - nat * but <this ip>.

Alternatively I will consider other options that maintain NATing.

However NATing seems to introduce several problems, particularly because we need to do both active and passive FTP.

A little cryptic but ...

Internet <> Router/NAT <> ASA <> External NIC <server> Internal NIC <> Internal Network.

Any advice would be helpful.

3 Replies

skothiya
Cisco Employee

What is the access-list that you are using to define NAT?

Here are the relevant entries in the config.  You can see that NAT is on for both inside and outside interfaces.

interface GigabitEthernet0/0
 description Inside interface
 ip address 172.18.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map SECONDARY
 duplex full
 speed auto
!
interface GigabitEthernet0/1
 ip address 12.x.x.130 255.255.255.240
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
route-map SECONDARY permit 10
 match ip address 150
 set ip next-hop 12.x.x.129
access-list 101 permit tcp any host 12.x.x.135 eq ftp-data
access-list 101 permit tcp any host 12.x.x.135 eq ftp
access-list 150 permit ip host 172.18.0.x any
ip nat inside source static 172.18.0.145 12.x.x.135

Ryan Douglas
Level 1

Why don't you no-nat it? Either adjust the NAT ACL to deny, or create a new ACL and use it in a deny route-map clause.

Sent from Cisco Technical Support iPhone App
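The two no-NAT approaches suggested in the reply above, sketched as IOS configuration. This is an added example, not configuration posted by anyone in the thread. The ACL and route-map names, the overload rule (the thread never shows the router's dynamic NAT rule) and the server address 203.0.113.10 (a documentation address standing in for the FTP server's public IP) are assumptions.

```cisco
! Assumption: the router has a dynamic PAT rule on GigabitEthernet0/1 that
! is not shown in the thread. Remove that rule before adding one of the
! two replacements below; use Option A or Option B, not both.
!
! Option A: deny the server in the ACL that selects traffic for NAT.
! The deny must come before any permit that would match the server; it
! matters most when the existing NAT ACL ends in a broad permit.
ip access-list extended NAT-INSIDE
 deny   ip host 203.0.113.10 any
 permit ip 172.18.0.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
!
! Option B: keep the NAT ACL as it is and exempt the server with a
! route-map. Traffic matching a deny clause is not translated.
ip access-list extended NO-NAT
 permit ip host 203.0.113.10 any
ip access-list extended NAT-INSIDE-ALL
 permit ip 172.18.0.0 0.0.0.255 any
route-map NAT-OVERLOAD deny 10
 match ip address NO-NAT
route-map NAT-OVERLOAD permit 20
 match ip address NAT-INSIDE-ALL
ip nat inside source route-map NAT-OVERLOAD interface GigabitEthernet0/1 overload
!
! Check: after the server sends traffic, "show ip nat translations"
! should list no entry whose inside local address is 203.0.113.10.
```

With either option the server's FTP control and data connections leave the router with their original source address, so the inbound filter (access-list 101 in the posted config) has to permit the server's real public address rather than a translated one.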