05-25-2010 07:15 AM - edited 03-11-2019 10:50 AM
Hi,
I am struggling badly to figure out how to port forward the FTP service to one of my internal boxes when the outside interface is using DHCP. It was very easy with earlier versions of the code, but the new syntax of 8.3.1 is throwing me off totally. There is neither a good example in the documentation for the command line, nor does the ASDM configuration push it through either.
Goal: An inbound FTP request to the outside interface needs to be forwarded to 172.20.100.11, an inside host.
Can somebody help out with the correct syntax? Or should I downgrade to the previous version of the code?
Thanks,
Sam Munzani
05-25-2010 08:30 AM
I don't have that version of the code, but unless things have changed drastically, you might be able to try something like:
static (inside,outside) tcp interface 21 172.20.100.11 21
Then in your ACL, you'd put:
access-list OUTSIDE permit tcp any interface outside eq 21
HTH,
John
*** You really use the word "interface" ***
05-25-2010 09:07 AM
That's the old syntax and it does not work with 8.3.1 code at all. That's my frustration. The static command is removed from 8.3.1.
In the past, when Cisco deprecated some commands, the OS automatically converted the command syntax if the old commands were typed. In this case, it complains that the command has been deprecated but doesn't do the conversion or point out the right syntax.
See output below.
ASA(config)# static (inside,outside) tcp interface 21 172.20.100.11 21
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
Needless to say, the "help nat" command and the product documentation don't show a good example of how to achieve it. They show how to do port forwarding using a dedicated IP, but nothing shows how to do it with the outside interface itself.
Thanks,
Sam
05-25-2010 11:47 AM
Okay,
I upgraded a 5505 here and I see what you mean.
From what I can guess, try this. You want your FTP traffic to be forwarded to 172.20.100.11. On the ASA, type:
object network FTPSERVER
host 172.20.100.11
nat (inside,outside) dynamic interface
That's it.... see if that works and PLEASE let me know, because I have 2 firewalls in active/standby that have a TON of mappings in them. :-)
HTH,
John
05-25-2010 12:10 PM
Did not work. Here is my config.
object network obj-172.24.100.0
subnet 172.24.100.0 255.255.255.0
object network FTPSERVER
host 172.24.100.22
!
object-group service FTP-Service tcp
port-object eq ftp
port-object eq ftp-data
!
access-list outside-in extended permit tcp any host 172.24.100.22 object-group FTP-Service
!
object network obj-172.24.100.0
nat (inside,outside) dynamic interface
object network FTPSERVER
nat (inside,outside) dynamic interface
!
Are you sure it's supposed to be dynamic NAT?
05-25-2010 12:39 PM
Are you sure it's supposed to be dynamic NAT?
No. We're both learning this at the same time! LOL!
Try with:
nat (inside,outside) static interface service tcp ftp ftp
05-25-2010 12:44 PM
Hi,
According to the migration guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html
Old Configuration
static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255
Migrated Configuration
object network obj-10.1.1.16
host 10.1.1.16
nat (inside,outside) static 10.1.2.45 service tcp 8080 www
Hope it helps.
Federico.
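Putting the two answers above together, here is what the complete 8.3-style port-forward for the original question looks like (FTP published on whatever address the outside interface gets from DHCP, forwarded to 172.20.100.11). This is an added example, not configuration posted by anyone in the thread: the object name FTPSERVER, the inside/outside interface names and the ACL name outside-in are reused from the thread, the ACL and policy-map lines and the verification commands are what a practitioner would add around the nat statement, and 203.0.113.5 is an assumed test client address.

```text
! Real host that receives the forwarded FTP control channel.
object network FTPSERVER
 host 172.20.100.11
 ! Static, port-restricted object NAT. "interface" means the mapped address is
 ! whatever the outside interface currently holds, so it survives DHCP changes.
 ! Argument order is: service tcp <real_port> <mapped_port>
 nat (inside,outside) static interface service tcp ftp ftp
!
! From 8.3 on, an ACL applied on the outside interface matches the REAL
! (untranslated) destination, so it permits to 172.20.100.11, not to
! "interface outside" as the pre-8.3 example earlier in the thread did.
access-list outside-in extended permit tcp any host 172.20.100.11 eq ftp
access-group outside-in in interface outside
!
! ftp-data is deliberately not in the NAT rule: the FTP inspection engine
! opens the data channel (active or passive) on demand and rewrites the
! address carried in PORT/PASV so the client only ever sees the outside
! address. FTP inspection is on in the default global policy; the lines
! below are that default, shown so it is clear what the rule relies on.
policy-map global_policy
 class inspection_default
  inspect ftp
!
! Verification. Use the address from "show interface ip brief" as the
! destination in packet-tracer; the source 203.0.113.5 is an assumed client.
show interface ip brief
show nat detail
show xlate
packet-tracer input outside tcp 203.0.113.5 34567 <outside-address> 21
```

Two caveats worth knowing when reading the "didn't work" configuration earlier in the thread. First, an object network can carry only one nat statement, so the outbound PAT for the rest of the inside subnet has to stay on its own object (obj-172.24.100.0 in that post) rather than on FTPSERVER. Second, within the object NAT section the ASA evaluates static rules before dynamic ones regardless of the order they appear in the running config, so the static entry for FTPSERVER is matched before the subnet-wide dynamic PAT even though both translate to the same interface address.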
05-25-2010 12:58 PM
Works now.
I guess it will take a little time to get used to the new syntax. For some reason the ASDM interface didn't let me save the configuration with such a NAT.
Thanks,
Sam