Need help in source and destination translation

Unanswered Question
Jul 28th, 2010

Dear all,

I have some complicated source and destination translation to do in an ASA firewall, version 8.2.1. Below are the details:

site A firewall--------------Site B ASA------------Site C firewall  or Site D public internet

Site A and B are IPSEC VPN connected, B and C are IPSEC VPN connected.

What I want to achieve is to allow Site A servers to access the ftp server in Site C and Site D without making changes to Site A's firewall, since those firewalls belong to other partners and it takes a very very long time for them to respond to any changes. Site B is our company's firewall and we can make any changes on it.

My optimal thinking is: to access the ftp server in Site C from Site A, it will ftp to a virtual address in Site B, e.g. ,

1) then in Site B's firewall it will translate the ftp packet's source to Site B's address, e.g. ,

2) translate the packet's destination from to server)

Access to site D is the same logic except Site B to Site D is normal internet connection.

So far I can do 1), the source translation, but can't do 2). Does anyone have ideas for that?


Nagaraja Thanthry Wed, 07/28/2010 - 06:40


I am assuming that you are U-turning the traffic on the ASA, i.e. when the traffic from Site A hits your firewall, you will send it through another tunnel on the same firewall. With that, you could try the configuration:

access-list FTP_Server permit ip host
static (outside,outside) access-list FTP_Server
same-security-traffic permit intra-interface

This will translate to when going to Site A. You need to make sure that you modify your Crypto ACLs accordingly to accommodate connections from Site A to and from your site to Site C.

Hope this helps.
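A worked version of the U-turn configuration described above, added here as an illustration (not the poster's or Cisco's configuration): every address is a constructed placeholder, and the step-1 source address 10.2.0.60 is an assumption standing in for whatever the existing source translation produces.

```text
! Constructed placeholder addresses (not from the thread):
!   Site A LAN            10.1.0.0/24    behind the A-B tunnel
!   Site B outside if     203.0.113.2    this ASA (8.2.1)
!   Virtual FTP address   10.2.0.50      unused address in Site B's subnet that Site A targets
!   Step-1 source address 10.2.0.60      assumed: what Site A hosts appear as toward Site C
!   Site C FTP server     10.3.0.10      behind the B-C tunnel
!   Site D FTP server     198.51.100.20  public internet

! Traffic enters and leaves on the same interface (outside), so hairpinning must be allowed.
same-security-traffic permit intra-interface

! Step 2: destination translation. The real Site C server 10.3.0.10 is presented to Site A
! as 10.2.0.50; packets from Site A to 10.2.0.50 are un-translated to 10.3.0.10 and sent
! back out of outside into the B-C tunnel.
access-list FTP_Server extended permit ip host 10.3.0.10 10.1.0.0 255.255.255.0
static (outside,outside) 10.2.0.50 access-list FTP_Server

! Site D: dynamic PAT of Site A sources to the outside interface address for internet-bound
! traffic. In 8.2, regular dynamic NAT is matched last (after NAT exemption, static and
! policy rules), so the existing step-1 translation toward Site C must be a static or
! policy rule, otherwise this rule would catch that traffic too.
nat (outside) 1 10.1.0.0 255.255.255.0
global (outside) 1 interface

! Crypto ACLs (traffic selectors) must carry the addresses the ASA actually puts on the wire.
! A-B tunnel: Site A must reach the virtual address. If the tunnel already protects all of
! Site B's subnet this entry is redundant; otherwise it is the missing piece.
access-list CRYPTO_A_B extended permit ip host 10.2.0.50 10.1.0.0 255.255.255.0
! B-C tunnel: the translated (step-1) source address to the real Site C server.
access-list CRYPTO_B_C extended permit ip host 10.2.0.60 host 10.3.0.10
```

Site D traffic needs no crypto ACL entry because it leaves the outside interface in the clear with the interface address as source.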



laimeitak Thu, 07/29/2010 - 04:20

Dear NT,

I have input the three commands but still can't get it to work. What do you mean by "modify your Crypto ACLs accordingly to accommodate connections from Site A to and from your site to Site C"? Since all three sites have the full subnet set in the VPN settings and also in the ACL list, and I am accessing , which is part of the Site B subnet, I don't know what to modify.

I also need to have Site A access Site D, which is an internet ftp server, and this task is more urgent to me. It seems more complicated, since I have to do dynamic source translation for the Site A subnet to the Site B ASA firewall's outside interface.

Before I posted this thread, I actually searched a lot on the internet and found some suggestions from the internet and also Cisco docs, but still can't get it to work. I have attached the notes I've marked down.

Thank you very much.
