12-17-2007 07:23 AM - edited 03-12-2019 05:51 PM
PIX firmware 7.2.1, trying to run FTP on a nonstandard port (8021); it appears that the inspection engine is causing issues. I have deleted my default inspection policy and created a new one for FTP on port 8021. I can connect but never get the data channels to open. Am I missing something with creating a new inspection policy? It does not work in either active or passive mode, and I do have the data channel port open, but never see a hit on that...
Thanks,
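For reference, the usual shape of an ASA/PIX 7.x inspection policy for FTP on a nonstandard port (added here as an illustration, not taken from the poster's configuration; the class-map and policy-map names are assumed, and the port is the 8021 from the question):

```cisco
! Match control-channel traffic on the nonstandard FTP port
class-map ftp-8021
 match port tcp eq 8021
!
! Attach FTP inspection to that class so the inspection engine can
! read the PORT/PASV exchange and open the data channel dynamically
policy-map global_policy
 class ftp-8021
  inspect ftp
!
! Apply the policy to all interfaces
service-policy global_policy global
```

With the inspection in place, the data connection is opened by the inspection engine itself, so a hit on a separate ACL entry for the data port is not expected; `show service-policy` shows whether the class is matching packets at all.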
12-17-2007 07:36 AM
Could you share the new inspection policy for FTP on port 8021 and the relevant parts of the configuration, i.e. the following:
show run access-group
show run access-list
show service-policy
as well as where is the FTP server in relation to your ASA, i.e. on the inside or on the outside?
01-02-2008 07:12 AM
I have the same problem with the NATted FTP server using nonstandard port 990. It connects to the FTP client using the global addresses but never opens the data channels, because it uses the local address; even when we tried to permit the local IP addresses, the router kept denying them. What is the proper configuration for this? ...
01-04-2008 08:10 AM
Have you tried to set up the fixup protocol?
01-04-2008 10:25 AM
Thank you for asking. I did not try to use fixup, but I found the problem when using FTP over SSL with ports 990 and 989: that encrypts the control connection in the packet, so when using NAT with FTPS (FTP over SSL) the router will never read the global IP address because it is encrypted. We tested the FTP server without NATting and it successfully connected to the NATted FTP clients with no issues, but when we put NAT in, the connections drop. Now we need to configure the FTP server to use the global IP address instead of the private address in the payload of the packets. Do you have an idea how to achieve this?
01-04-2008 10:29 AM
I think I need some help understanding what you are doing.
host --- vpn --- host
Can you give me a general overview of the topology you are in so I can understand the set-up a little better?
01-04-2008 11:01 AM
I don't have a VPN tunnel.
FTPserver--router1811--MPLS--router--FTPclient
That is my topology, and because FTP over SSL encrypts the packets, the site does not want to use VPN.
01-04-2008 11:14 AM
Wow, sorry I missed that there.
Right.
I think I understand correctly now.
When you send traffic from the FTP client, it hits the router and is overloaded; the traffic goes through the network to the router at the server side, which will see it from the overload (global) IP.
Question, how is the NAT set-up?
Can you provide that set-up?
I am not sure how to set this up the way you want, so the client will see traffic from a different IP other than the global. The remote end, do they have an ACL set up? If they do, then I would have them open the ACL for the network you are coming from rather than the NAT host.
For example:
static
access-list FTP-Server permit tcp host 10.1.1.1 any eq
So communication back from the client will use the public, but traffic from the server will use the global. The only way for the distant end to allow traffic is to have the ACL set up with the global in it.
I think... maybe... I hope!