Cisco Support Community
New Member

Access FTP Server in inside interface with Public IP

Hi,

I have an FTP server in the inside zone of my ASA. One of my application teams needs to access that FTP server on the inside interface using the public IP. If they were using a URL for that I could have used "DNS doctoring". I tried the following NAT:

static (inside, inside) <localip> <publicip>

but the ASA thinks that it is an attack.

Note: Both the client and the FTP server are in the same network, hence the same zone, which is inside.

6 REPLIES
Cisco Employee

Re: Access FTP Server in inside interface with Public IP

It should be as follows:

static (inside,inside) <publicip> <localip> netmask 255.255.255.255

global (inside) 1 interface

same-security-traffic permit intra-interface

New Member

Re: Access FTP Server in inside interface with Public IP

halijenn,

NAT syntax is like:

nat (real int, mapped int) mapped ip  real ip netmask ??/

In my case I want to replace my public IP with my local IP, so what is the logic behind static (inside,inside) <publicip> <localip> netmask 255.255.255.255?

Also, please let me know why we require the following:

global (inside) 1 interface

This is just to clear up my understanding!

Cisco Employee

Re: Access FTP Server in inside interface with Public IP

For a normal static (inside,outside) statement, you would configure the following: static (inside,outside) <publicip> <localip>, so the concept is the same for static (inside,inside).

You are trying to reach the public IP, so the first IP address in the static statement should be the public IP, and the second IP is the local IP.

The reason why you need "global (inside) 1 interface" is that you still need translation for the source address, which is your internal host. The static statement above is for destination translation.

New Member

Re: Access FTP Server in inside interface with Public IP

The first part is clear now.

Since the host and the server are in the same zone (inside), why do we need source translation? Do you mean for nat-control?

Cisco Employee

Re: Access FTP Server in inside interface with Public IP

Correct, if you already have a NAT statement on that interface, then you would need the global (inside) command. Otherwise, if there is no NAT statement at all on that interface, you can disable nat-control and the connection would work.

Also, if you have an ACL assigned to the inside interface, you would need to allow the traffic:

access-list permit tcp host eq 21
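The whole hairpin described in this thread pulled together as one pre-8.3 ASA configuration, as an added example that is not from the thread or from Cisco. All addresses are constructed (documentation and private ranges), the ACL name INSIDE_IN is assumed, and the existing nat (inside) 1 rule is assumed to be the one that triggers the need for global (inside).

```cisco
! Assumed addressing (constructed for this example, not from the thread):
!   inside subnet      192.168.10.0/24
!   FTP server (real)  192.168.10.20
!   public/mapped IP   203.0.113.20
!   client host        192.168.10.50
!
! 1. Allow a flow to enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface
!
! 2. Destination translation: inside packets sent to the public IP are
!    redirected to the server's real address. Mapped (public) IP first,
!    real (local) IP second, exactly as in a normal static (inside,outside).
static (inside,inside) 203.0.113.20 192.168.10.20 netmask 255.255.255.255
!
! 3. Source translation. With nat-control in effect and a nat (inside) rule
!    already present (assumed here), the hairpinned flow also needs a global
!    on the inside interface. The client is PATed to the inside interface
!    address, so the server's replies come back through the ASA and are
!    untranslated there, instead of going straight to the client from an
!    address (192.168.10.20) it never connected to.
nat (inside) 1 192.168.10.0 255.255.255.0
global (inside) 1 interface
!
! 4. If an ACL is applied inbound on inside, permit the FTP control
!    connection. On pre-8.3 code the ACL matches the destination as it
!    arrives, i.e. the public IP. FTP inspection in the default policy
!    handles the data channel.
access-list INSIDE_IN extended permit tcp host 192.168.10.50 host 203.0.113.20 eq ftp
access-group INSIDE_IN in interface inside
!
! 5. Verify: trace the client's control connection and check the xlates.
packet-tracer input inside tcp 192.168.10.50 1025 203.0.113.20 21
show xlate
```

If the packet-tracer output stops at the NAT or ACL phase with a drop, the corresponding step above is the one missing or ordered wrongly for your box.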

New Member

Re: Access FTP Server in inside interface with Public IP

Thanks a lot. Let me try now!
