basic NAT rule (newbie)

Unanswered Question
May 23rd, 2008

Hi all,

I am a newbie with Cisco PIXes and I wanted to add a basic NAT rule to my firewall to allow and redirect FTP requests from the internet to one of my public addresses

194.250.0.50 to an internal computer 190.100.100.102.

Using the web interface I added one NAT rule:

static (outside,inside) 190.100.100.102 194.250.0.50 netmask 255.255.255.255 0 0

and allowed incoming FTP requests:

access-list outside_access_in permit tcp host 190.100.100.102 eq ftp host 194.50.0.0 eq ftp


Proxy ARP is enabled,

but when I try to connect from outside to 194.250.0.50 the connection is denied.

here is what I got in the log:

106023:Deny tcp src 195.115.153.23x/xxxx dst inside:ftpexternal/21 by access-group "outside_access_in"


ftpexternal stands for 194.250.0.50

Looks like my rule is not correct.

Can anyone help me on the matter?

jigsaw2026 Fri, 05/23/2008 - 02:59

Looks to me like your ACL is wrong - it should be:


access-list outside_access_in permit tcp host 195.115.153.23x host 194.250.0.50 eq ftp


That's assuming that you only want access from that one external host - you can have any host or network in there.


You don't need an ACL from 190.100.100.102 to 194.250 (in any case your ACL was referencing 194.50.0.0).


paul.lahitte Fri, 05/23/2008 - 03:53


Thanks

I just want any network to be able to connect to 194.250.0.50 using FTP.

jigsaw2026 Fri, 05/23/2008 - 04:08

So then:


access-list outside_access_in permit tcp any host 194.250.0.50 eq ftp

jigsaw2026 Fri, 05/23/2008 - 04:11

Also I think you have the static rule the wrong way round:


static (inside,outside) 194.250.0.50 190.100.100.102 netmask 255.255.255.255


At least that is how we do it here.
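The two corrections in the replies above (the `static` direction and the ACL) only work together, and the log message 106023 quoted in the question is the interface-ACL deny, so the ACL fix alone would not have been enough either. The fragment below is an added example that pulls both into one PIX 6.x-style configuration; it is not any of the posters' actual config. The addresses, interface names and the `ftpexternal` name (which the log line shows is defined for 194.250.0.50) are taken from the thread; the `fixup` line and the assumption that this is pre-8.3 syntax are mine.

```cisco
! Added example, not from the original thread. Assumes PIX 6.x command syntax.
names
name 194.250.0.50 ftpexternal

! static (real_ifc,mapped_ifc) mapped_ip real_ip
! Inside host 190.100.100.102 is presented on the outside as 194.250.0.50.
! The question's "static (outside,inside) 190.100.100.102 194.250.0.50" is
! the reverse: outside NAT, showing an outside host to the inside under a
! new address, which is why no inbound translation existed for 194.250.0.50.
static (inside,outside) 194.250.0.50 190.100.100.102 netmask 255.255.255.255 0 0

! On pre-8.3 PIX/ASA the inbound interface ACL matches the mapped (public)
! address, so it references 194.250.0.50, not 190.100.100.102. The client's
! source port is ephemeral, so there is no "eq ftp" on the source side.
access-list outside_access_in permit tcp any host 194.250.0.50 eq ftp
access-group outside_access_in in interface outside

! FTP through NAT needs application inspection: the PIX rewrites the private
! address the server puts in its PASV reply and opens the data-channel
! pinhole. It is on by default on PIX 6.x; make sure nobody removed it.
fixup protocol ftp 21
```

After applying it, `show xlate` should list the 194.250.0.50 to 190.100.100.102 translation, `show access-list outside_access_in` should show the hit count climbing on a test connection, and the 106023 denies should stop. On PIX/ASA 7.x the inspection line becomes `inspect ftp` under the global policy map, and on ASA 8.3 and later the `static` command is replaced by object NAT and the outside ACL must reference the real (inside) address instead, so this exact fragment applies only to the older syntax used in the thread.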
