Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
501
Views
0
Helpful
2
Replies

FTP with PAT not working

gseiler
Level 1
Level 1

‎06-29-2005 07:09 AM - edited ‎03-09-2019 11:42 AM

Hi, we have a problem to use Pat from an inside client to an outside ftp server

ex:

global (outside) 10 xx.232.3.13

nat (inside) 10 10.28.32.0 255.255.254.0 0 0

When we try to ftp for ex.to 137.69.200.8 from 10.28.32.36 we get

%PIX-3-305005: No translation group found for tcp src

outside:137.69.200.8/20 dst inside:xx.232.2.32/1113

if we use nat it works:

global (outside) 10 xx.232.3.1-xx.232.3.12

global (outside) 10 xx.232.3.13

nat (inside) 10 10.28.32.0 255.255.254.0 0 0

Fixup ftp is enabled. PIX OS is 6.3.3

According CCO , FTP should work with PAT. Any idea?

Regards Guenther

Labels:
0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎07-03-2005 09:16 PM

Sorry for the delay in responding.

This looks like Active FTP, where the outside FTP server opens up a new connection the inside host on source port 20. The FTP fixup should be opening up a hole to allow that outside-initiated connection to come in.

What I see is the following:

global (outside) 10 xx.232.3.13

nat (inside) 10 10.28.32.0 255.255.254.0 0 0

So the outbound initial connection will be PAT'd to come from xx.232.3.13, these are the packets the FTP server will see. The FTP server should ACK that connection, then start a new connection to the same address for the data channel.

The error message you're seeing for that failed connection though is this:

%PIX-3-305005: No translation group found for tcp src

outside:137.69.200.8/20 dst inside:xx.232.2.32/1113

which shows the the outside server tried to initiate a connection to xx.232.2.32, not xx.232.3.13 as your global command states. he PIX would not have opened up a hole for this (obviously), and so the PIX is treating it just like any other inbound connection, and because there's no static and ACL it is denying it.

Why would the outside FTP server be trying to start a connection to .32? Figure that out and you'll have your answer.

0 Helpful

gseiler
Level 1
Level 1
In response to gfullage

‎07-04-2005 12:11 AM

Hi , you are right with your assumption.

But I mixed up some commands and logs as the customer did a lot of testing.

The addresses and the corresponding log is as follows.

global (outside) 32 xx.232.2.32

nat (inside) 32 10.28.32.0 255.255.254.0 0 0

%PIX-3-305005: No translation group found for tcp src

outside:137.69.200.8/20 dst inside:xx.232.2.32/1113

I have opened a TAC case in the meantime.

Regards Guenther

0 Helpful
Customers Also Viewed These Support Documents