Static Nat to FTP server-ASA5505

Unanswered Question
Dec 11th, 2009
User Badges:

Hi All,

Have an ASA 5505 with 2 public IP's, multiple site to site VPNs.

First issue: Trying to set up a static nat from public to private for an FTP server. I thought i had the statements correct, but attemting to connect via ftp to the internal ftp server just times out.  A Packet trace shows it fails on the global NAT statement for the outside_in ACL I think, but am unsure how to fix that and do not want to mess up the Nat for the tunnels.

Second issue: Will setting up the Cisco clientless SSL vpn on the box interfere with any of the site to site tunnels? I dont think it would but want to make sure.

Config attached, all replies appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Fri, 12/11/2009 - 07:24
User Badges:
  • Green, 3000 points or more

You need...

access-list outside_access_in extended permit tcp any host eq ftp

jamesbruce Sat, 12/12/2009 - 07:08
User Badges:

Thanks, I tried that command and it still does't work.

I can ping the internal host from the ASA CLI, so the internal host is live.

Even tried adding a static net command after the comand you suggested with no results.

Removed both commands for now.

I still think the gloabl NAT statements are interfering with this , just not sure how. 

I turned on logging after the command you suggested and do not even see in the log my external ip even trying to connect via ftp, no errors, nothing.


busterswt Sat, 12/12/2009 - 16:39
User Badges:
  • Bronze, 100 points or more

I my experience, using the same IP (ie. interface ip) for Static NAT and NAT overload or PAT causes xlate issues like you're seeing. If you have another public IP for use with the static NAT trying using that and see if the issue is resolved.

Hopefully this line is just for debug purposes and not a permanent ACL:

access-list outside_access_in extended permit ip any any log debugging

All incoming traffic to the outside interface will be subject to the outside_access_in ACL, including VPN traffic. With VPN traffic though you can enable 'sysopt connection permit-vpn' to ignore all ACLs. Your packet-tracer results sound normal.
Configuring SSL VPN shouldn't affect your site-to-site tunnels at all. You can implement SSL VPN on an existing group-policy and tunnel-group used for IPSec Client VPN if you wish.
Hope that helps.


This Discussion