06-08-2005 01:26 PM
I'm having trouble getting active FTP traffic to pass properly through the CSS from clients to servers. Only one server is doing FTP, so no load balancing is involved. Our outbound NAT address, from the servers, is different than the inbound VIP addresses. So we figured out that this must be part of the problem; that when the client initiates an FTP session to x.x.x.40, the server initiates the return originating from x.x.x.122. Passive works, but we have applications that need passive.
I'm trying to resolve the issue with ACLs. Here's some of the CSS configuration (IPs changed for privacy, of course):
owner Mail
content FTP
add service ec01
protocol tcp
port 21
vip address 10.10.10.40
application ftp-control
active
---------------
group outbound
vip address 10.10.10.122
active
group outbound_FTP
vip address 10.10.10.40
active
---------------
Now, here's the ACL that I tried, given what I understand about FTP:
clause 10 permit tcp 172.18.0.0 255.255.0.0 destination any gt 1023 sourcegroup outbound_FTP
clause 30 permit any 172.18.0.0 255.255.0.0 destination any sourcegroup outbound
clause 99 permit any any destination any
apply circuit-(VLAN172)
Am I missing something? The intent is that originating traffic over 1024 use the "outbound_FTP" group, and all other traffic uses the basic "outbound" group. Initially clause 10 had "destination any eq ftp", but I realized that the return initiated from the server was going to be on a high port.
EMILY
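An added example, not code from the thread or from Cisco: a small Python model of the clause order in the ACL above and of the active-mode data connection, used to check which source group a server-originated flow would be NATed through. The server address 172.18.1.10, the client 203.0.113.5, the DNS resolver 198.51.100.53 and the PORT command are constructed; treating "no clause matched" as dropped is an assumption of the model, not a statement about CSS behaviour.

```python
# Added example (not from the thread): model the CSS ACL clause order from the
# post and check which source group an outbound server flow would be NATed
# through.  Server/client addresses and the PORT command are constructed.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Clause:
    number: int
    proto: str                      # "tcp", "udp" or "any"
    src_net: ipaddress.IPv4Network
    dport_op: Optional[str]         # "eq", "gt" or None (no destination port test)
    dport_val: Optional[int]
    sourcegroup: Optional[str]      # None = permit without source-group NAT


# The ACL from the post.  "ftp" in CSS syntax is shorthand for port 21.
ACL = [
    Clause(10, "tcp", ipaddress.ip_network("172.18.0.0/16"), "gt", 1023, "outbound_FTP"),
    Clause(30, "any", ipaddress.ip_network("172.18.0.0/16"), None, None, "outbound"),
    Clause(99, "any", ipaddress.ip_network("0.0.0.0/0"), None, None, None),
]

# Source groups from the post: group name -> VIP the source address is NATed to.
GROUP_VIP = {"outbound": "10.10.10.122", "outbound_FTP": "10.10.10.40"}


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode an FTP PORT command (RFC 959): h1,h2,h3,h4,p1,p2 -> (ip, p1*256+p2)."""
    m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_data_flow(server_ip: str, port_cmd: str) -> Flow:
    """In active mode the *server* opens the data connection from port 20 to the
    address/port the client announced in PORT, so it is a new outbound flow."""
    client_ip, client_port = parse_port_command(port_cmd)
    return Flow("tcp", server_ip, 20, client_ip, client_port)


def clause_matches(c: Clause, f: Flow) -> bool:
    if c.proto != "any" and c.proto != f.proto:
        return False
    if ipaddress.ip_address(f.src) not in c.src_net:
        return False
    if c.dport_op == "eq":
        return f.dport == c.dport_val
    if c.dport_op == "gt":
        return f.dport > c.dport_val
    return True


def select_clause(acl, f: Flow) -> Optional[Clause]:
    """First matching clause wins, lowest clause number first."""
    for c in sorted(acl, key=lambda c: c.number):
        if clause_matches(c, f):
            return c
    return None   # nothing matched: treated as dropped in this model (assumption)


def translated_source(acl, f: Flow) -> Optional[str]:
    """Source address the flow leaves with: the group VIP, or its own address if
    the winning clause has no sourcegroup; None if no clause permits it."""
    c = select_clause(acl, f)
    if c is None:
        return None
    return GROUP_VIP[c.sourcegroup] if c.sourcegroup else f.src


if __name__ == "__main__":
    SERVER = "172.18.1.10"                                     # constructed FTP server
    data = active_data_flow(SERVER, "PORT 203,0,113,5,4,1")    # constructed client PORT
    print(data, "-> clause", select_clause(ACL, data).number, translated_source(ACL, data))
    web = Flow("tcp", SERVER, 40001, "203.0.113.5", 80)
    print(web, "-> clause", select_clause(ACL, web).number, translated_source(ACL, web))
```

With the ACL as posted, the server's data connection (source port 20, destination 1025 from the PORT command) hits clause 10 and leaves as 10.10.10.40, the same address the client opened the control connection to; anything to a destination port of 1023 or below falls through to clause 30 and leaves as 10.10.10.122. Swapping clause 10 back to "eq ftp" sends the data connection through clause 30 instead, which is the mismatch the first post describes. Whether the CSS actually applies the clause this way is exactly what a sniffer trace on both sides of the box would confirm.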
06-08-2005 10:21 PM
Emily,
I believe this should work assuming your server ip address is in the range 172.18.x.x.
Regards,
Gilles.
06-09-2005 05:11 AM
Thank you for your reply. Unfortunately, it doesn't work. Without "clause 10" all outbound traffic works fine; active FTP does not, for the reasons I posted earlier. When I add clause 10, all outbound traffic still works fine, but the active FTP still doesn't work.
I'm going to test it putting ALL outbound traffic through 10.10.10.40 (well, our version of it) and if that still doesn't work, it must be something else. I can't imagine what, though - the server firewall was removed completely and it still didn't pass the active FTP.
Ah well....more will be tested and tried...
06-09-2005 05:51 AM
If you don't want to have to test different *solutions*, you should try to capture a sniffer trace and figure out exactly what the problem is.
Just some advice :-)
Also, what is your software version?
Gilles.
06-09-2005 07:24 AM
You're right - a sniffer would be the smart thing. Heh.
FYI it's 7.40.1.03