Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1454
Views
0
Helpful
3
Replies

Static Nat to FTP server-ASA5505

jamesbruce
Level 1
Level 1

‎12-11-2009 06:47 AM - edited ‎03-11-2019 09:47 AM

Hi All,

Have an ASA 5505 with 2 public IP's, multiple site to site VPNs.

First issue: Trying to set up a static nat from public to private for an FTP server. I thought i had the statements correct, but attemting to connect via ftp to the internal ftp server just times out.  A Packet trace shows it fails on the global NAT statement for the outside_in ACL I think, but am unsure how to fix that and do not want to mess up the Nat for the tunnels.

Second issue: Will setting up the Cisco clientless SSL vpn on the box interfere with any of the site to site tunnels? I dont think it would but want to make sure.

Config attached, all replies appreciated.

Labels:
36733-asa.txt.zip
0 Helpful
3 Replies 3

acomiskey
Level 10
Level 10

‎12-11-2009 07:24 AM

You need...

access-list outside_access_in extended permit tcp any host 69.28.112.254 eq ftp

0 Helpful

jamesbruce
Level 1
Level 1
In response to acomiskey

‎12-12-2009 07:08 AM

Thanks, I tried that command and it still does't work.

I can ping the internal host from the ASA CLI, so the internal host is live.

Even tried adding a static net command after the comand you suggested with no results.

Removed both commands for now.

I still think the gloabl NAT statements are interfering with this , just not sure how. 

I turned on logging after the command you suggested and do not even see in the log my external ip even trying to connect via ftp, no errors, nothing.

Strange...

0 Helpful

busterswt
Level 1
Level 1

‎12-12-2009 04:39 PM

I my experience, using the same IP (ie. interface ip) for Static NAT and NAT overload or PAT causes xlate issues like you're seeing. If you have another public IP for use with the static NAT trying using that and see if the issue is resolved.

Hopefully this line is just for debug purposes and not a permanent ACL:

access-list outside_access_in extended permit ip any any log debugging

All incoming traffic to the outside interface will be subject to the outside_access_in ACL, including VPN traffic. With VPN traffic though you can enable 'sysopt connection permit-vpn' to ignore all ACLs. Your packet-tracer results sound normal.
Configuring SSL VPN shouldn't affect your site-to-site tunnels at all. You can implement SSL VPN on an existing group-policy and tunnel-group used for IPSec Client VPN if you wish.
Hope that helps.
James

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card