How to avoid dst-nat masquing origin IP address...

I have a dst-nat rule that redirects connections to the untrusted interface on port 21 to the internal ip where ftp server resides, obviously to port 21.
The problem is that logs in the ftp server use to reflect the internal IP address of the router as the ftp session origin.

Is there a way to avoid this and keep the remote IP address of the session as the origin to keep the logs useful?

RULES (some ommited):
[admin@IMPRINTSA] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic

1 chain=srcnat src-address=10.154.24.0/24
dst-address=10.33.0.0/16 action=accept

2 chain=dstnat in-interface=ADSL protocol=udp
dst-port=20 action=dst-nat
to-addresses=10.154.24.117 to-ports=20

3 chain=dstnat in-interface=ADSL protocol=tcp
dst-port=21 action=dst-nat
to-addresses=10.154.24.117 to-ports=21

7 chain=dstnat in-interface=WIRELESS protocol=udp
dst-port=20 action=dst-nat
to-addresses=10.154.24.117 to-ports=20

8 chain=dstnat in-interface=WIRELESS protocol=tcp
dst-port=21 action=dst-nat
to-addresses=10.154.24.117 to-ports=21

13 chain=srcnat action=masquerade

Txs!

AFAIK no, thats simply the way NAT works.

Change

chain=srcnat action=masquerade

to

chain=srcnat out-interface=ADSL action=masquerade

I have used many other reverse nat devices (ci$co,netscreen,…) and they do not act this way…

About the post from yancho, I think that should not solve the problem as the rule you specify is the outgoing one. In fact, i need it that way because of an “auto-swapping” default route that swings from one external interface to the other.

Your rule:

chain=srcnat action=masquerade

Will match everything.

Since you can’t match on outgoing interface, due to your routing, just match on the IPs you want to MASQ:

chain=srcnat src-address=10.154.24.0/24 action=masquerade

–Eric

Txs alot, that really solved the problem!