https://community.cisco.com/t5/application-networking/ace-source-nat-inspect-ftp/m-p/1086686#M22005 <HTML><HEAD></HEAD><BODY><P>OK, but how do I apply that on the outbound NAT, which is matched against a Layer 3 ACL? </P><P></P><P>(I also noted I could not create Layer 4 ACLs after upgrading)</P><P></P><P></P></BODY></HTML> Tue, 04 Nov 2008 14:38:43 GMT acennami 2008-11-04T14:38:43Z https://community.cisco.com/t5/application-networking/ace-source-nat-inspect-ftp/m-p/1086684#M22003 <P>Since upgrading to the A2 code from the 1.6.3 code you must apply inspect ftp on a layer 3 class.</P><P></P><P>This has broken my outbound NAT when using FTP, and I'm wondering what the workaround is. In A2, all of the 'inspect ftp' statemens below are invalid. But I also don't know how I would be able to match the servers on a layer 3 basis to get the inspect ftp command to accept inside the class??</P><P></P><P>Right now I'm stuck on 1.6.3, which has a serious bug that warrants upgrading, but I'm not sure how to get FTP inspection inside my NAT classes.</P><P></P><P></P><P></P><P>policy-map multi-match NAT-Policy</P><P> class DST-NAT-internal</P><P> nat dynamic 500 vlan 410</P><P> class DST-NAT-accuratenxg</P><P> nat dynamic 131 vlan 310</P><P> class DST-NAT-accurate1</P><P> nat dynamic 21 vlan 310</P><P> class DST-NAT-margin1p</P><P> nat dynamic 22 vlan 310</P><P> class DST-NAT-nuflowdb1p</P><P> nat dynamic 23 vlan 310</P><P> class DST-NAT-nuflowsch1</P><P> nat dynamic 24 vlan 310</P><P> class DST-NAT-nuflowweb</P><P> nat dynamic 25 vlan 310</P><P> class DST-NAT-reconapp1</P><P> nat dynamic 26 vlan 310</P><P> class DST-NAT-recondb1p</P><P> nat dynamic 27 vlan 310</P><P> class DST-NAT-clrdb1p</P><P> class DST-NAT-bsatech-ftp</P><P> nat dynamic 28 vlan 310</P><P> inspect ftp</P><P> class DST-NAT-bsatech</P><P> nat dynamic 28 vlan 310</P><P> class DST-NAT-bsaclearing-ftp</P><P> nat dynamic 30 vlan 310</P><P> inspect ftp</P><P> class DST-NAT-bsaclearing</P><P> nat dynamic 30 vlan 310</P><P> class DST-NAT-gloss1</P><P> nat dynamic 32 vlan 310</P><P> connection advanced-options TCP_Timeout_Sybase</P><P> class SRC-NAT-bpsadv1p</P><P> nat dynamic 33 vlan 310</P><P> class SRC-NAT-jedi1p</P><P> nat dynamic 34 vlan 310</P><P> inspect ftp</P> Fri, 31 Oct 2008 20:58:29 GMT https://community.cisco.com/t5/application-networking/ace-source-nat-inspect-ftp/m-p/1086684#M22003 acennami 2008-10-31T20:58:29Z https://community.cisco.com/t5/application-networking/ace-source-nat-inspect-ftp/m-p/1086685#M22004 <HTML><HEAD></HEAD><BODY><P>you should only apply the inspect ftp command to a class-map that matches x.x.x.x:21.</P><P>Do not apply it to anything else.</P><P>Make sure to run version A2(1.2) </P><P></P><P> CSCsr46740: FTP Inspect failing to fixup IP address in FTP PORT request</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 04 Nov 2008 13:51:27 GMT https://community.cisco.com/t5/application-networking/ace-source-nat-inspect-ftp/m-p/1086685#M22004 Gilles Dufour 2008-11-04T13:51:27Z https://community.cisco.com/t5/application-networking/ace-source-nat-inspect-ftp/m-p/1086686#M22005 <HTML><HEAD></HEAD><BODY><P>OK, but how do I apply that on the outbound NAT, which is matched against a Layer 3 ACL? </P><P></P><P>(I also noted I could not create Layer 4 ACLs after upgrading)</P><P></P><P></P></BODY></HTML> Tue, 04 Nov 2008 14:38:43 GMT https://community.cisco.com/t5/application-networking/ace-source-nat-inspect-ftp/m-p/1086686#M22005 acennami 2008-11-04T14:38:43Z https://community.cisco.com/t5/application-networking/ace-source-nat-inspect-ftp/m-p/1086687#M22006 <HTML><HEAD></HEAD><BODY><P>You only need to inspect the control channel (normally port 21) on inbound.</P><P>Inspection should detect all your nating (inbound and outbound) and do the rest correctly.</P><P>It was broken in A2(1.0) and was fixed in A2(1.2).</P><P></P><P>Gilles.</P></BODY></HTML> Tue, 04 Nov 2008 14:45:59 GMT https://community.cisco.com/t5/application-networking/ace-source-nat-inspect-ftp/m-p/1086687#M22006 Gilles Dufour 2008-11-04T14:45:59Z