
FTP through ACE

Dear Mister

I need to pass FTP through ACE, but it is not functioning.

The FTP is not functioning using VIP. It is a connection toward a NAT IP address. I have the following configuration:

class-map match-all NAT2020-PRUEBA
  2 match source-address 10.40.20.20 255.255.255.255

interface vlan 401
  description "Conexion a Servidores Reales CERT"
  ip address 10.84.255.10 255.255.255.248
  no shutdown

interface vlan 450
  description "Conexion a FWSM-CERT"
  ip address 10.40.150.3 255.255.255.128
  service-policy input NATTEST
  no shut

I need to do the NAT using the real IP 10.40.150.10.

policy-map multi-match NATTEST
  class NAT2020-PRUEBA
    nat static 10.40.150.10 netmask 255.255.255.255

In this scenario, the NAT is not functioning.

I tried to use the following:

switch/cert(config-pmap-c)# nat static 10.40.150.10 netmask 255.255.255.255 21 vlan 401

But it sends the following message.

Error: Invalid real port configured for NAT static
switch/cert(config-pmap-c)#

How could I fix this problem?

Some inspect?

Best Regards

mwinnett

Config is as follows. You need the 2 class-maps, one for vip and one for the servers. If not, then the PASV statement will not get the server IP translated.

Matthew

rserver host 810
  ip address 1.8.1.10
  inservice
rserver host 811
  ip address 1.8.1.11
  inservice

serverfarm host 8xx
  rserver 810
    inservice
  rserver 811
    inservice

class-map match-all ftp-source
  2 match source-address 1.9.1.0 255.255.255.0
class-map match-all vip-ftp
  10 match virtual-address 1.9.1.209 tcp eq ftp

policy-map type loadbalance first-match round-robin-8xx
  class class-default
    serverfarm 8xx

policy-map multi-match lb-vip
  class vip-ftp
    loadbalance vip inservice
    loadbalance policy round-robin-8xx
    loadbalance vip icmp-reply
    inspect ftp
  class ftp-source
    nat dynamic 1 vlan 468

interface vlan 468
  description Server vlan
  ip address 1.8.1.201 255.255.255.0
  nat-pool 1 1.8.1.208 1.8.1.208 netmask 255.255.255.255 pat
  no shutdown

interface vlan 469
  description Client vlan
  ip address 1.9.1.201 255.255.255.0
  service-policy input lb-vip
  no shutdown

ip route 0.0.0.0 0.0.0.0 1.9.1.254

Thanks, mister

But at this point, I have static NAT. Before, I put just one FTP rserver, but really, there are two.

In essence, I need two static NATs. I am not using PAT.

How could I do this?

Best Regards

Rodrigo, sorry I don't follow what you are trying to do. In terms of NAT, you have destination NAT as the client connects to the VIP address. I assume that you have a problem with source NAT - is that correct? Are you saying that you have 2 clients and you want to static NAT each one to different values?

Matthew

Thanks Matthew

My problem is with the FTP, using these NATs.

The real IPs must be seen from the outside in this way:

10.40.20.20 (Real Server) --> 10.40.150.20 (nop vip)
10.40.21.20 (Real Server) --> 10.40.150.21 (nop vip)

In this scenario, the clients need to get and put files on these FTP servers (10.40.150.20 and 21), without load balancing.

In this scenario, I connect to the servers, but when I try to do an "ls" or "dir", or get some file, it is not functioning.

Best Regards

So you want the clients to access rserver 10.40.20.20 via ftp to 10.40.150.20 and rserver 10.40.21.20 via ftp to 10.40.150.21? The rservers expect to see the real client source address?

Matthew

Matthew

About that:

The rservers expect to see the real client source address? Matthew

Yes, that is correct.

Maybe I do not fully understand the functioning of FTP. The customer apparently is using passive FTP.

Regards

This should do what I think you want to do. This also does source-nat. If you don't want this, then delete the class-maps ftp-810 & ftp-811 and the nat statements from vlan 468.

Matthew

rserver host 810
  ip address 1.8.1.10
  inservice
rserver host 811
  ip address 1.8.1.11
  inservice

serverfarm host sf-810
  rserver 810
    inservice
serverfarm host sf-811
  rserver 811
    inservice

class-map match-all ftp-810
  2 match virtual-address 1.9.1.209 tcp any
class-map match-all ftp-811
  2 match virtual-address 1.9.1.208 tcp any
class-map match-all vip-ftp-10
  10 match virtual-address 1.9.1.209 tcp eq ftp
class-map match-all vip-ftp-11
  10 match virtual-address 1.9.1.208 tcp eq ftp

policy-map type loadbalance first-match pm-ftp-10
  class class-default
    serverfarm sf-810
policy-map type loadbalance first-match pm-ftp-11
  class class-default
    serverfarm sf-811

policy-map multi-match lb-vip-10
  class vip-ftp-10
    loadbalance vip inservice
    loadbalance policy pm-ftp-10
    loadbalance vip icmp-reply
    inspect ftp
  class ftp-810
    nat dynamic 9 vlan 468

policy-map multi-match lb-vip-11
  class vip-ftp-11
    loadbalance vip inservice
    loadbalance policy pm-ftp-11
    loadbalance vip icmp-reply
    inspect ftp
  class ftp-811
    nat dynamic 8 vlan 468

interface vlan 468
  description Server vlan
  ip address 1.8.1.201 255.255.255.0
  nat-pool 9 1.8.1.209 1.8.1.209 netmask 255.255.255.255 pat
  nat-pool 8 1.8.1.208 1.8.1.208 netmask 255.255.255.255 pat
  service-policy input remote-access

interface vlan 469
  description Client vlan
  ip address 1.9.1.201 255.255.255.0
  service-policy input lb-vip-10
  service-policy input lb-vip-11

ip route 0.0.0.0 0.0.0.0 1.9.1.254
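
Added example, not part of any post in this thread and not ACE's own code: the first reply says that without FTP handling "the PASV statement will not get the server IP translated", and the question describes a login that works while "ls"/"dir" fail. The Python sketch below parses a 227 reply, flags one that still advertises a real server address, and rewrites it using the two static pairs given in the thread. The sample reply, its port (50000) and all function names are constructed for illustration.

```python
import re

# Static NAT pairs taken from the thread: real server -> address clients use.
STATIC_NAT = {"10.40.20.20": "10.40.150.20", "10.40.21.20": "10.40.150.21"}

# An RFC 959 "227" reply carries h1,h2,h3,h4,p1,p2 inside parentheses.
_TUPLE = re.compile(r"\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (ip, port, span) from a 227 reply, or None for any other line."""
    if not reply.startswith("227"):
        return None
    m = _TUPLE.search(reply)
    if m is None:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if max(nums) > 255:
        raise ValueError("field out of range in PASV reply: %r" % reply)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5], m.span(1)


def leaks_real_address(reply, nat=STATIC_NAT):
    """True when the reply still advertises an untranslated real server IP."""
    parsed = parse_pasv(reply)
    return parsed is not None and parsed[0] in nat


def fixup_pasv(reply, nat=STATIC_NAT):
    """Rewrite the embedded address, as an FTP-aware NAT device has to."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] not in nat:
        return reply  # not a PASV reply, or nothing to translate
    ip, port, (start, end) = parsed
    fields = nat[ip].split(".") + [str(port // 256), str(port % 256)]
    return reply[:start] + ",".join(fields) + reply[end:]


if __name__ == "__main__":
    # Constructed control-channel line, not captured from the poster's network.
    raw = "227 Entering Passive Mode (10,40,20,20,195,80)"
    print(parse_pasv(raw)[:2], leaks_real_address(raw))
    print(fixup_pasv(raw))
```

Running `leaks_real_address` over the 227 lines of a client-side control-channel capture shows whether the device in the path is translating the payload or only the IP header.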
