
Basic NAT rule (newbie)

paul.lahitte
Level 1

Hi all,

I am a newbie with Cisco PIX and I wanted to add a basic NAT rule to my firewall to allow and redirect FTP requests from the internet to one of my public addresses, 194.250.0.50, to an internal computer, 190.100.100.102.

Using the web interface I added one NAT rule:

static (outside,inside) 190.100.100.102 194.250.0.50 netmask 255.255.255.255 0 0

and allowed incoming FTP requests:

access-list outside_access_in permit tcp host 190.100.100.102 eq ftp host 194.50.0.0 eq ftp

Proxy ARP is enabled,

but when trying to connect from outside to 194.250.0.50, the connection is denied.

Here is what I got in the log:

106023:Deny tcp src 195.115.153.23x/xxxx dst inside:ftpexternal/21 by access-group "outside_access_in"

ftpexternal stands for 194.250.0.50

Looks like my rule is not correct.

Can anyone help me with the matter?

5 Replies

jigsaw2026
Level 1

Looks to me like your ACL is wrong - it should be:

access-list outside_access_in permit tcp host 195.115.153.23x host 194.250.0.50 eq ftp

That's assuming that you only want access from that one external host - you can have any host or network in there.

You don't need an ACL from 190.100.100.102 to 194.250 (in any case your ACL was referencing 194.50.0.0).

Thanks.

I just want any network to be able to connect to 194.250.0.50 using FTP.

So then:

access-list outside_access_in permit tcp any host 194.250.0.50 eq ftp

Also I think you have the static rule the wrong way round:

static (inside,outside) 194.250.0.50 190.100.100.102 netmask 255.255.255.255

At least that is how we do it here.

Thanks, it is working.

Thanks a lot again.
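
Why the first rule produced the 106023 deny and the corrected one does not, as an added example that is not part of the original thread and is not Cisco code: a minimal first-match evaluator for the `access-list` syntax used above. It handles only `any`, `host`, address/mask and `eq`; the packet's source address and port are constructed placeholders for the masked values in the log.

```python
import ipaddress

PORTS = {"ftp": 21}  # only the named port that appears in the thread

def parse_endpoint(tok):
    """Consume 'any' | 'host A' | 'A MASK', then an optional 'eq PORT'."""
    if tok[0] == "any":
        net, tok = ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    elif tok[0] == "host":
        net, tok = ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    else:
        net, tok = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]
    port = None
    if tok and tok[0] == "eq":
        port = PORTS[tok[1]] if tok[1] in PORTS else int(tok[1])
        tok = tok[2:]
    return (net, port), tok

def parse_ace(line):
    """access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]"""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError("unsupported line: " + line)
    src, rest = parse_endpoint(t[4:])
    dst, rest = parse_endpoint(rest)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst}

def hit(endpoint, ip, port):
    """True when ip is inside the entry's network and the port matches (or is unset)."""
    net, want = endpoint
    return ipaddress.ip_address(ip) in net and want in (None, port)

def evaluate(acl_lines, proto, sip, sport, dip, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] == proto and hit(ace["src"], sip, sport) and hit(ace["dst"], dip, dport):
            return ace["action"]
    return "deny"

ORIGINAL = ["access-list outside_access_in permit tcp host 190.100.100.102 eq ftp host 194.50.0.0 eq ftp"]
CORRECTED = ["access-list outside_access_in permit tcp any host 194.250.0.50 eq ftp"]
# Constructed packet: source address and port stand in for the masked values in the log.
PACKET = ("tcp", "198.51.100.7", 40000, "194.250.0.50", 21)

if __name__ == "__main__":
    print("original :", evaluate(ORIGINAL, *PACKET))
    print("corrected:", evaluate(CORRECTED, *PACKET))
```

The original entry names the internal server as the source and also pins the source port to 21, so no connection arriving from outside can match it. The corrected entry matches any source but only the public address on port 21.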
