ISR: publish FTP server in passive mode

Hi,

The problem is to make an FTP server on an internal network available from the outside (see the picture below).

The router (ISR 2921 G2) is configured with NAT. There is a static translation mapping:

ip nat inside source static tcp 192.168.1.2 21 1.1.1.1 21 extendable


But a connection from the outside cannot be established: users get a timeout message.

I've examined these forums and found some similar topics, but the suggested solutions did not work for me. I believe that it's not enough just to make a static translation and there is a need for traffic inspection, but I'm not sure how to configure it.

Let's assume there are no ACLs on either interface. What should be configured to allow external access to FTP (passive mode)?

Thanks beforehand!


trfinkenstadt
Level 1

Aliaksandr,


Do you have an ACL configured on the router (w/ NAT)? Also, do you have any more NAT rules that are not provided thus far? I think you'll probably need some more NAT for the FTP server to be able to send replies, but I can't recall completely at the moment.


You are doing port forwarding for the TCP port 21 traffic but what about the TCP port 20 traffic?


HTH

Rick

Doesn't passive mode FTP avoid the use of tcp 20?


Interesting point. I believe that there is still a fundamental issue that FTP requires two ports, one for control and one for data (true of passive as well as active FTP). Passive FTP does not eliminate the second port but only makes it flexible about what that port will be. So the original post has an address translation for one port. To get FTP to work there must be some provision for the second port. So I will amend my question and instead of asking about port 20 traffic I will ask about forwarding for the second port that is required for FTP.


HTH

Rick

Yes, that's what I was thinking with my comment about more NAT for the FTP server.

As I said at the beginning, the aim is to run the FTP server in passive mode.

According to the picture below, I need to open port 21 (if there is no ACL, there is just a single static NAT translation) and perform NAT for the server from any high port:

(diagram: ftp_passive_mode_traffic_flow)

I have an ACL, which selects traffic for being translated:

ip access-list extended NAT_SELECTOR
 permit ip object-group GRP_DMZ_HOSTS_ALL any
 deny   ip any any

where:

object-group network GRP_DMZ_HOSTS_ALL
 description #all hosts in DMZ#
 host 192.168.1.2

As you can see from the diagram, there is a need to find out which data port the server will use in every single connection. So there is a need for some inspection (IMHO), am I right? If yes, how do I implement it?

Many of the FTP servers allow you to specify which ports they will use for passive FTP. Does your FTP server allow you to specify the ports? If so then select a range of ports and then do additional static translations for those ports similar to what you did for port 21.


HTH

Rick
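To illustrate the accepted approach, here is an added example (not from the thread or from Cisco): it generates one static translation per port for a chosen passive range alongside the port 21 entry, and it parses the server's 227 "Entering Passive Mode" reply to check that the address and port it advertises to the outside client are actually covered by those translations. The passive range 50000-50010 and the 227 replies are constructed values; the inside address 192.168.1.2 and outside address 1.1.1.1 come from the thread.

```python
import re

INSIDE_IP = "192.168.1.2"   # FTP server in the DMZ (from the thread)
OUTSIDE_IP = "1.1.1.1"      # public address on the ISR (from the thread)
PASSIVE_RANGE = (50000, 50010)  # constructed: configure the same range on the FTP server


def static_nat_lines(inside_ip, outside_ip, passive_range, control_port=21):
    """IOS static translations: the control port plus one entry per passive
    data port, in the same single-port form the thread already uses."""
    lo, hi = passive_range
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("bad passive port range")
    ports = [control_port] + list(range(lo, hi + 1))
    return [
        f"ip nat inside source static tcp {inside_ip} {p} {outside_ip} {p} extendable"
        for p in ports
    ]


# RFC 959 form: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply")
    octets = [int(x) for x in m.groups()]
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def pasv_reachable(reply, outside_ip, passive_range):
    """True only if the client is told the public address and a port that
    has a static translation; a private address or a port outside the
    range means the data connection will time out just like the thread."""
    ip, port = parse_pasv(reply)
    lo, hi = passive_range
    return ip == outside_ip and lo <= port <= hi


if __name__ == "__main__":
    for line in static_nat_lines(INSIDE_IP, OUTSIDE_IP, PASSIVE_RANGE):
        print(line)
    # constructed 227 replies: 195*256+88 = 50008
    print(pasv_reachable("227 Entering Passive Mode (1,1,1,1,195,88).", OUTSIDE_IP, PASSIVE_RANGE))
    print(pasv_reachable("227 Entering Passive Mode (192,168,1,2,195,88).", OUTSIDE_IP, PASSIVE_RANGE))
```

The second check fails on purpose: a server that still advertises its inside address in the 227 reply cannot be reached by the outside client even when every port in the range is translated.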

This has been an interesting discussion and has brought up an important aspect of doing translation for protocols like FTP that use more than one port. I am glad that our responses have been helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to recognize discussions with helpful material.

HTH

Rick

Thanks, Rick.
