Solved: NAT: Passive FTP with non standard port

salvatore.baldizzi · ‎08-21-2012

Hi all,

I have an ASA 5515 and four FTP server. Currently I have everything configured properly for three of the server that I need. For the fourth I have two possibilities:

1) use the IP configured for the external interface.

2) use one of the ip used for other FTP but uses another port.

Is possible option 1? I did not succeed.

I was then trying to use this configuration:

<public ip>: 2121 -> <internal ip> 21

<public ip>: 2120 -> <internal ip> 20

The problem is that I can just log in but not access to the folders.

I changed the service policy as well but still not working:

class-map inspection_default

match default-inspection-traffic

class-map FTP-2121

match port tcp range 2120 2121

!

policy-map global_policy

class inspection_default

inspect ftp

inspect esmtp

inspect h323 h225

inspect h323 ras

inspect http

inspect netbios

inspect pptp

inspect rsh

inspect rtsp

inspect sip

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect xdmcp

class FTP-2121

inspect ftp

Here is the output of sh service-policy:

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Inspect: ftp, packet 186535, lock fail 0, drop 188, reset-drop 0

Inspect: esmtp _default_esmtp_map, packet 6539637, lock fail 0, drop 0, reset-drop 0

Inspect: h323 h225 _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

Inspect: h323 ras _default_h323_map, packet 0, lock fail 0, drop 0, reset-drop 0

Inspect: http, packet 1581437285, lock fail 0, drop 0, reset-drop 0

Inspect: netbios, packet 105420, lock fail 0, drop 0, reset-drop 0

Inspect: pptp, packet 0, lock fail 0, drop 0, reset-drop 0

Inspect: rsh, packet 7, lock fail 0, drop 0, reset-drop 0

Inspect: rtsp, packet 3857828, lock fail 0, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

Inspect: sip , packet 3, lock fail 0, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

Inspect: skinny , packet 0, lock fail 0, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

Inspect: sqlnet, packet 0, lock fail 0, drop 0, reset-drop 0

Inspect: sunrpc, packet 0, lock fail 0, drop 0, reset-drop 0

tcp-proxy: bytes in buffer 0, bytes dropped 0

Inspect: tftp, packet 0, lock fail 0, drop 0, reset-drop 0

Inspect: xdmcp, packet 0, lock fail 0, drop 0, reset-drop 0

Class-map: FTP-2121

Inspect: ftp, packet 0, lock fail 0, drop 0, reset-drop 0

Ramraj Sivagnanam Sivajanam · ‎08-22-2012

Hi bro

If you were you, to achieve this requirement, I wouldn't use MPF. To much work, for a simple requirement. What I would do is as shown below;

static (inside,outside) tcp 202.188.1.14 2120 10.10.10.14 20 netmask 255.255.255.255

static (inside,outside) tcp 202.188.1.14 2121 10.10.10.14 21 netmask 255.255.255.255

access-list acl_outside permit tcp any host 202.188.1.14 range 20 21

access-group acl_outside in interface outside

Note: Please remove all the MPF commands that you've inserted, back to default.

Warm regards,
Ramraj Sivagnanam Sivajanam

View solution in original post

Ramraj Sivagnanam Sivajanam · ‎08-22-2012

Hi bro

If you were you, to achieve this requirement, I wouldn't use MPF. To much work, for a simple requirement. What I would do is as shown below;

static (inside,outside) tcp 202.188.1.14 2120 10.10.10.14 20 netmask 255.255.255.255

static (inside,outside) tcp 202.188.1.14 2121 10.10.10.14 21 netmask 255.255.255.255

access-list acl_outside permit tcp any host 202.188.1.14 range 20 21

access-group acl_outside in interface outside

Note: Please remove all the MPF commands that you've inserted, back to default.

Warm regards,
Ramraj Sivagnanam Sivajanam

salvatore.baldizzi · ‎08-24-2012

It works!

The problem was the test that I did: there are restrictions on the use of ftp client and when I tried I could not make the list of folders. Changing client works!

Thanks!