Cisco ACE - FTP inspection with NAT

craig.petty
Level 1
I need assistance getting FTP inspection to work with NAT.

NAT is working, but not with FTP inspection. When the client issues the PASV command, the server reply contains the original (not NAT'd) IP address. For example, this is what the client sees:

-> PASV
<- 227 Entering Passive Mode (192,168,200,114,7,175)

192.168.200.114 is the server's real IP. I want it to show the NAT'd IP, which is 10.16.20.114.
=== RELEVANT CONFIG ===

access-list NAT line 10 extended permit ip 192.168.200.0 255.255.255.0 any

class-map match-any NAT_CLASS
  3 match access-list NAT

class-map match-any FTP_TRAFFIC
  2 match port tcp eq ftp

policy-map multi-match multimatch_dmz.pm
  class NAT_CLASS
    nat static 10.16.22.0 netmask 255.255.255.0 vlan 100
  class FTP_TRAFFIC
    inspect ftp

interface vlan 36
  ip address 192.168.200.2 255.255.255.0
  alias 192.168.200.1 255.255.255.0
  peer ip address 192.168.200.3 255.255.255.0
  service-policy input management_vl36
  service-policy input multimatch_dmz.pm
  no shutdown

=== END ===


1 Reply

craig.petty
Level 1

I was able to find the solution. I was not applying 'inspect ftp' to the correct interface. FTP inspection needs to be applied on the interface facing the FTP client, which in my case is interface vlan 100 (not shown above). I was mistakenly applying it on the interface facing the FTP server.
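To make the thread concrete, here is a small added model of what FTP inspection has to do to the 227 reply shown in the question: parse the passive-mode reply, translate the embedded server address with the same netmask-style static NAT the posted config uses (192.168.200.0/24 to 10.16.22.0/24, host bits preserved), rewrite the reply, and report the address/port pair the firewall would open a pinhole for. This is illustrative Python written for this page, not Cisco ACE code; the PASV reply is the one the poster captured, and the 172.16.0.5 reply in the usage call is a constructed non-NAT'd case to show that traffic outside the NAT ACL passes through untouched. It also reflects the poster's fix: the rewrite can only happen if the inspection engine sees the control channel at all, which is why the policy must sit on the client-facing interface.

```python
import ipaddress
import re

# Static NAT mapping from the posted config: "nat static 10.16.22.0 netmask
# 255.255.255.0" applied to hosts matching "permit ip 192.168.200.0/24 any".
REAL_NET = ipaddress.ip_network("192.168.200.0/24")
NAT_NET = ipaddress.ip_network("10.16.22.0/24")

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\s*$")


def static_nat(real_ip, real_net=REAL_NET, nat_net=NAT_NET):
    """Netmask-style static NAT: keep the host bits, swap the network prefix.

    Returns None when the address is not covered by the NAT rule.
    """
    ip = ipaddress.ip_address(real_ip)
    if ip not in real_net:
        return None
    host_bits = int(ip) & int(real_net.hostmask)
    return ipaddress.ip_address(int(nat_net.network_address) | host_bits)


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    fields = list(map(int, m.groups()))
    if any(f > 255 for f in fields):
        return None  # each h/p field is one octet
    a, b, c, d, p1, p2 = fields
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def rewrite_pasv(reply):
    """Rewrite a 227 reply the way an inspection engine would when the server is NAT'd.

    Returns (reply_to_forward, pinhole) where pinhole is the (ip, port) the
    client will connect to and the firewall must permit; None if unparseable.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None
    real_ip, port = parsed
    nat_ip = static_nat(real_ip)
    if nat_ip is None:
        # Not subject to NAT: forward unchanged, pinhole on the real address.
        return reply, (real_ip, port)
    p1, p2 = divmod(port, 256)
    octets = ",".join(str(nat_ip).split("."))
    return (f"227 Entering Passive Mode ({octets},{p1},{p2})", (str(nat_ip), port))


if __name__ == "__main__":
    # Reply captured in the thread (server's real address leaks to the client).
    print(rewrite_pasv("227 Entering Passive Mode (192,168,200,114,7,175)"))
    # Constructed reply from a server outside the NAT ACL: left as-is.
    print(rewrite_pasv("227 Entering Passive Mode (172,16,0,5,4,1)"))
```

The pinhole tuple is the part that matters for a defender: a data connection to 10.16.22.114 port 1967 should be permitted only because the inspected control channel announced it, and only if inspection actually saw that control channel, which is the interface-placement point the reply above makes.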
