PAT on PPPOE ( DHCP) interface

imranbhatti151
Level 1

Hi all,

I am using the new ASA IOS (8.4) for the first time and frankly I am in trouble.

I have one PPPoE interface (IP assigned from DHCP); I want to use PAT on that interface and divert FTP traffic to the host inside.

Can anyone please help me in resolving this issue?

I am using the command below but unfortunately it is not working:

object network ftp_server

nat (inside,outside) static interface service tcp 21 21

access-list FTP_IN extended permit tcp any object  ftp_server eq 21

access-group FTP_IN in interface outside

Sh xlate

TCP PAT from inside:172.16.93.12 21-21 to outside:83.x.x.x 21-21

    flags sr idle 0:07:14 timeout 0:00:00

Below is the  complete config

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.93.0 255.255.255.0 10.175.111.0 255.255.255.0

access-list inside_access_in extended permit ip 172.16.93.0 255.255.255.0 any

access-list DMZ_access_in extended permit ip 10.175.111.0 255.255.255.0 any

access-list DMZ_access_in extended permit icmp any any

access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any 172.16.93.0 255.255.255.0

access-list DMZ_access_in extended deny ip any any

access-list outside_access_in extended deny ip any any

access-list FTP_IN extended permit tcp any object ftp_server eq ftp

nat (DMZ,outside) source dynamic any interface

nat (inside,outside) source dynamic any interface

nat (inside,DMZ) source static any any

!

object network obj_any

nat (inside,outside) dynamic interface

object network ftp_server

nat (inside,outside) static interface service tcp ftp ftp

access-group inside_access_in in interface inside

access-group FTP_IN in interface outside

access-group DMZ_access_in in interface DMZ

Looking for support from the community.

1 Accepted Solution

lcambron
Level 3

Looks like this line is also conflicting with the FTP NAT:

nat (DMZ,outside) source dynamic any interface

Try replacing it with this:

no nat (DMZ,outside) source dynamic any interface

object network any-dmz

subnet 0 0

nat (DMZ,outside) dynamic interface

Make this change, clear xlates and run the packet trace again.

Felipe.


23 Replies

integreon
Level 1

NAT-Control is removed in the 8.3/8.4 versions. Use these commands.

If I understand your post correctly, you want to do a dynamic PAT of all hosts on the inside interface when they go out the outside. Use below commands.

object network any-0

     subnet 0.0.0.0 0.0.0.0

     nat (inside,outside) dynamic interface

or

nat (inside,outside) after-auto source dynamic any interface

Hope this helps.

Regards,

Anton
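To make the rule-ordering point behind the accepted solution (moving the catch-all manual PAT into object NAT) and Anton's after-auto alternative concrete, here is an added Python model; it is not Cisco code and not from anyone in the thread. It reproduces how ASA 8.3+ walks the NAT table for a new inbound connection (section 1 manual NAT, then object NAT with static rules before dynamic, then after-auto), with the rules constructed from the thread's "sh nat detail" output and the matching deliberately simplified to interface names and mapped port.

```python
from dataclasses import dataclass

@dataclass
class NatRule:
    section: int      # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual after-auto
    real_if: str      # real (inside-facing) interface
    mapped_if: str    # mapped interface whose IP is the PAT address
    real: str         # real address/object, as named in the thread's "show nat"
    kind: str         # "static" or "dynamic"
    port: int = 0     # mapped TCP port for a static PAT; 0 = no port restriction

def ordered(rules):
    # Section 1, then 2, then 3; inside section 2 static rules precede dynamic
    # ones; manual sections keep configuration order (simplified model).
    def key(item):
        idx, r = item
        static_first = 0 if (r.section == 2 and r.kind == "static") else 1
        return (r.section, static_first, idx)
    return [r for _, r in sorted(enumerate(rules), key=key)]

def lookup_inbound(rules, ingress_if, dst_port):
    """First rule whose mapped side matches a new connection arriving on
    ingress_if for that interface's own IP. A dynamic PAT rule hit here has no
    existing xlate for a new inbound flow, so the ASA would drop the packet."""
    for r in ordered(rules):
        if r.mapped_if != ingress_if:
            continue
        if r.kind == "dynamic" or r.port in (0, dst_port):
            return r
    return None

# Constructed from the thread's "sh nat detail": two section-1 catch-alls,
# the static PAT for ftpserver and the obj_any dynamic PAT in section 2.
CATCHALL_DMZ = NatRule(1, "DMZ", "outside", "any", "dynamic")
CATCHALL_INSIDE = NatRule(1, "inside", "outside", "any", "dynamic")
FTP_STATIC = NatRule(2, "inside", "outside", "ftpserver", "static", 21)
OBJ_ANY = NatRule(2, "any", "outside", "obj_any", "dynamic")

def original():
    return [CATCHALL_DMZ, CATCHALL_INSIDE, FTP_STATIC, OBJ_ANY]

def fixed():
    # Both catch-alls moved out of section 1: the DMZ one as object NAT
    # (accepted solution), the inside one as after-auto (Anton's alternative).
    return [NatRule(2, "DMZ", "outside", "any-dmz", "dynamic"),
            NatRule(3, "inside", "outside", "any", "dynamic"),
            FTP_STATIC, OBJ_ANY]

if __name__ == "__main__":
    print(lookup_inbound(original(), "outside", 21))   # section-1 DMZ dynamic rule wins
    print(lookup_inbound(fixed(), "outside", 21))      # static ftpserver rule wins
```

With the original ordering the inbound tcp/21 connection is claimed by the section-1 DMZ dynamic PAT, which matches the "NAT error" the thread's packet-tracer reported; once the catch-alls sit below object NAT, the static ftpserver rule is the first match.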

No

I want someone coming from outside to the outside interface IP to be directed to the inside host (172.16.93.12)

(for FTP), as we do not have a pool of global IP addresses.

Hey Imran,

Follow these steps.

Step 1: Create a new object group for your web server.

(config)# object network ftpserver

Step 2: Add the IP of the web server to the network group.

(config-network-object)# host 172.16.93.12

Step 3: Forward the port via the NAT command.

(config-network-object)# nat (inside,dmz) static interface service tcp ftp ftp

Step 4: Exit back to the root and add the access list

(config)# access-list outside_access_in permit tcp any object ftpserver eq ftp

Hope it helps.

Best regards,

Anton

Dear Anton

Thanks for your reply,

I have done the same setting but I am unable to connect from outside.

I get hits on the implicit deny on the outside interface but no hit on the above access-list (allowing FTP).

Any other possible reasons??

It's because of this:

access-list outside_access_in extended deny ip any any

You need to allow FTP:

access-list outside_access_in permit tcp any object ftpserver eq ftp

Hope this helps.

Regards,

Anton

Dear Anton ,

Thanks for your reply.

I have already added this acl

but the hit count is increasing on the deny statement, not on the allow statement.

Very surprising to me?

Not sure what exactly the reason could be.

Hi Imran,

Can you share your full configuration?

Anton

lcambron
Level 3

Can you share the output of:

show run access-group

show access-list FTP_IN

show run nat

You said you don't see hit counts on the ACL.

Seems like you have these two ACLs:

access-list outside_access_in extended deny ip any any

access-list FTP_IN extended permit tcp any object ftp_server eq ftp

If the first one is applied inbound to the outside interface, the second one is not applied.

Captures and packet-tracer might help.

access-list capture permit tcp any ftp_public_IP eq ftp

capture test access-list capture interface outside

show cap test

packet-tracer input outside tcp 8.8.8.8 1025 ftp_public_IP 21

Felipe.

Julio Carvajal
VIP Alumni

Hello,

On the show xlate we can see the translation being built.

On the access-groups you have the following:

access-group FTP_IN in interface outside

access-list FTP_IN extended permit tcp any object ftp_server eq ftp

So the ACL is only allowing connections to the FTP server on port 21, which is what you are looking for.

If you do an ASP capture you will see if the ASA is dropping the packets, which, since you have this configured like you posted, should not be happening.

Here is the capture you need to make, and then attempt a connection:

capture asp type asp-drop all

Try to connect to the FTP server from the outside and finally provide us the following:

show cap asp | include x.x.x.x (IP address of the host you made the connection from)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi all,

Below is the detailed config and the packet trace.

It seems to be some NAT error but I am not sure why the NAT error?

Looking forward to your support.

: Saved

:

ASA Version 8.4(2)

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/5

switchport access vlan 12

!

interface Vlan1

nameif inside

security-level 100

ip address 172.16.93.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group ISP

ip address pppoe setroute

!

interface Vlan12

nameif DMZ

security-level 50

ip address 10.175.111.1 255.255.255.0

!

ftp mode passive

same-security-traffic permit inter-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network uaelan

subnet 172.16.93.0 255.255.255.0

object network dmz_net

subnet 10.175.111.0 255.255.255.0

object network ftpserver

host 172.16.93.12

object-group network dmz

network-object 10.175.111.0 255.255.255.0

object-group network inside

network-object 172.16.93.0 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 172.16.93.0 255.255.255.0 10.175.111.0 255.255.255.0

access-list inside_access_in extended permit ip 172.16.93.0 255.255.255.0 any

access-list DMZ_access_in extended permit ip 10.175.111.0 255.255.255.0 any

access-list DMZ_access_in extended permit icmp any any

access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any 172.16.93.0 255.255.255.0

access-list DMZ_access_in extended deny ip any any

access-list outside_access_in extended permit tcp any object ftpserver eq ftp

access-list global_access extended permit ip any any

nat (DMZ,outside) source dynamic any interface

nat (inside,outside) source dynamic any interface

nat (inside,DMZ) source static any any

!

object network obj_any

nat (inside,outside) dynamic interface

object network ftpserver

nat (inside,outside) static interface service tcp ftp ftp

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

access-group global_access global

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

vpdn group ISP request dialout pppoe

vpdn group ISP localname ASA842

vpdn group ISP ppp authentication pap

vpdn username ASA842 password ***** store-local

dhcpd auto_config outside

!

dhcpd address 172.16.93.101-172.16.93.250 inside

dhcpd dns 172.16.93.12 interface inside

dhcpd lease 691200 interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

Hello,

Packet-tracer should be pointing to the outside interface of your ASA.

Do it again!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the reply.

It shows some implicit deny rule error.

sh access-list outside_access_in

access-list outside_access_in; 2 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit tcp any object ftpserver eq ftp log notifications interval 300 (hitcnt=0) 0x33d02b01

  access-list outside_access_in line 1 extended permit tcp any host 172.16.93.12 eq ftp log notifications interval 300 (hitcnt=1) 0x33d02b01

access-list outside_access_in line 2 extended deny ip any any log informational interval 300 (hitcnt=106) 0x2c1c6a65

sh run access-group

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

Attached is the snapshot.

Hello Imran,

access-list outside_access_in line 1 extended permit tcp any object ftpserver eq

ftp log notifications interval 300 (hitcnt=0) 0x33d02b01

Please do the following:

no access-list outside_access_in line 1 extended permit tcp any object ftpserver eq ftp

access-list outside_access_in line 1  permit tcp any host 172.16.93.12 eq 21

Then give it a try!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Dear Julio,

Thanks for your reply.

Still the same issue,

not able to connect to FTP from outside.

Is anything wrong? Why is the packet stuck on the implicit deny policy of the outside interface?

What should I do now?

Now below is the access-list (outside_access_in):

access-list outside_access_in; 1 elements; name hash: 0x6892a938

access-list outside_access_in line 1 extended permit tcp any host 172.16.93.12 eq ftp (hitcnt=0) 0xbd7b5852

sh run access-group

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group DMZ_access_in in interface DMZ

and sh nat detail

Manual NAT Policies (Section 1)

1 (DMZ) to (outside) source dynamic any interface

    translate_hits = 0, untranslate_hits = 0

    Source - Origin: 0.0.0.0/0, Translated: 83.X.X.X/32

2 (inside) to (outside) source dynamic any interface

    translate_hits = 320653, untranslate_hits = 51063

    Source - Origin: 0.0.0.0/0, Translated: 83.X.X.X/32

3 (inside) to (DMZ) source static any any

    translate_hits = 20117, untranslate_hits = 19926

    Source - Origin: 0.0.0.0/0, Translated: 0.0.0.0/0

Auto NAT Policies (Section 2)

1 (inside) to (outside) source static ftpserver interface   service tcp ftp ftp

    translate_hits = 0, untranslate_hits = 0

    Source - Origin: 172.16.93.12/32, Translated: 83.X.X.X/32

    Service - Protocol: tcp Real: ftp Mapped: ftp

2 (any) to (outside) source dynamic obj_any interface

    translate_hits = 0, untranslate_hits = 0

    Source - Origin: 0.0.0.0/0, Translated: 83.X.X.X/32

sh run nat

nat (DMZ,outside) source dynamic any interface

nat (inside,outside) source dynamic any interface

nat (inside,DMZ) source static any any

!

object network obj_any

nat (any,outside) dynamic interface

object network ftpserver

nat (inside,outside) static interface service tcp ftp ftp

sh xlate | incl 172.16.93.12

TCP PAT from inside:172.16.93.12 21-21 to outside:83.x.x.x 21-21
