basic Nat rule (newbie)

May 23rd, 2008

Hi all,

I am a newbie for Cisco PIX and I wanted to add a basic NAT rule to my firewall to allow and redirect FTP requests from the internet to one of my public addresses to an internal computer.

Using the web interface I added one NAT rule:

static (outside,inside) netmask 0 0

and allow incoming ftp requests:

access-list outside_access_in permit tcp host eq ftp host eq ftp

proxy arp is enabled

but when trying to connect from outside to is denied

here is what I got in the log:

106023:Deny tcp src dst inside:ftpexternal/21 by access-group "outside_access_in"

ftpexternal stands for

Looks like my rule is not correct.

Can anyone help me on the matter?

jigsaw2026 Fri, 05/23/2008 - 02:59

Looks to me like your ACL is wrong - it should be:

access-list outside_access_in permit tcp host host eq ftp

That's assuming that you only want access from that one external host - you can have any host or network in there.

You don't need an ACL from to 194.250 (in any case your ACL was referencing

paul.lahitte Fri, 05/23/2008 - 03:53


I just want any network to be able to connect to using FTP.

jigsaw2026 Fri, 05/23/2008 - 04:08

So then:

access-list outside_access_in permit tcp any host eq ftp

jigsaw2026 Fri, 05/23/2008 - 04:11

Also I think you have the static rule the wrong way round:

static (inside,outside) netmask

At least that is how we do it here.
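The original and corrected access-list lines in this thread differ only in the source-port match. As an added example (not code from any poster), this Python check parses PIX-style TCP/UDP access-list entries and flags a permit entry that restricts the source port or leaves the destination port open. The addresses 192.0.2.10 and 198.51.100.20 and all function names are constructed placeholders, since the thread's own addresses are not shown.

```python
PORT_OPS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}  # operator -> operand count

def _take_addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A MASK'."""
    if tok[0] == "any":
        return "any", tok[1:]
    return " ".join(tok[:2]), tok[2:]

def _take_port(tok):
    """Consume an optional port match such as 'eq ftp' or 'range 1024 65535'."""
    if tok and tok[0] in PORT_OPS:
        n = 1 + PORT_OPS[tok[0]]
        return " ".join(tok[:n]), tok[n:]
    return None, tok

def parse_ace(line):
    """Split a TCP/UDP access-list entry into named fields."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError("not an access-list entry: %r" % line)
    ace = {"name": tok[1]}
    tok = tok[3:] if tok[2] == "extended" else tok[2:]
    ace["action"], ace["proto"] = tok[0], tok[1]
    ace["src"], tok = _take_addr(tok[2:])
    ace["sport"], tok = _take_port(tok)   # port match right after the source
    ace["dst"], tok = _take_addr(tok)
    ace["dport"], tok = _take_port(tok)   # port match right after the destination
    return ace

def lint_ace(line):
    """Return findings for a permit entry; an empty list means nothing was flagged."""
    ace = parse_ace(line)
    findings = []
    if ace["action"] == "permit" and ace["proto"] in ("tcp", "udp"):
        if ace["sport"]:
            findings.append("source port '%s': clients connect from ephemeral ports, "
                            "so this entry will not match them" % ace["sport"])
        if ace["dport"] is None:
            findings.append("no destination port: this entry permits every %s port on %s"
                            % (ace["proto"], ace["dst"]))
    return findings

# Constructed entries shaped like the ones in the thread (addresses are placeholders).
SAMPLES = [
    "access-list outside_access_in permit tcp host 192.0.2.10 eq ftp host 198.51.100.20 eq ftp",
    "access-list outside_access_in permit tcp any host 198.51.100.20 eq ftp",
]
if __name__ == "__main__":
    for entry in SAMPLES:
        print(entry, "->", lint_ace(entry) or "ok")
```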

