Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Static Nat to FTP server-ASA5505

Hi All,

Have an ASA 5505 with 2 public IP's, multiple site to site VPNs.

First issue: Trying to set up a static nat from public to private for an FTP server. I thought i had the statements correct, but attemting to connect via ftp to the internal ftp server just times out.  A Packet trace shows it fails on the global NAT statement for the outside_in ACL I think, but am unsure how to fix that and do not want to mess up the Nat for the tunnels.

Second issue: Will setting up the Cisco clientless SSL vpn on the box interfere with any of the site to site tunnels? I dont think it would but want to make sure.

Config attached, all replies appreciated.

3 REPLIES
Green

Re: Static Nat to FTP server-ASA5505

You need...

access-list outside_access_in extended permit tcp any host 69.28.112.254 eq ftp

New Member

Re: Static Nat to FTP server-ASA5505

Thanks, I tried that command and it still does't work.

I can ping the internal host from the ASA CLI, so the internal host is live.

Even tried adding a static net command after the comand you suggested with no results.

Removed both commands for now.

I still think the gloabl NAT statements are interfering with this , just not sure how. 

I turned on logging after the command you suggested and do not even see in the log my external ip even trying to connect via ftp, no errors, nothing.

Strange...

Bronze

Re: Static Nat to FTP server-ASA5505

I my experience, using the same IP (ie. interface ip) for Static NAT and NAT overload or PAT causes xlate issues like you're seeing. If you have another public IP for use with the static NAT trying using that and see if the issue is resolved.

Hopefully this line is just for debug purposes and not a permanent ACL:

access-list outside_access_in extended permit ip any any log debugging

All incoming traffic to the outside interface will be subject to the outside_access_in ACL, including VPN traffic. With VPN traffic though you can enable 'sysopt connection permit-vpn' to ignore all ACLs. Your packet-tracer results sound normal.
Configuring SSL VPN shouldn't affect your site-to-site tunnels at all. You can implement SSL VPN on an existing group-policy and tunnel-group used for IPSec Client VPN if you wish.
Hope that helps.
James

1192
Views
0
Helpful
3
Replies