Is it Possible? Double non-standard-port FTP servers on PAT?

Timohamoto
Level 1

Hello everyone!

I need to know how to configure 2 FTP servers for the following topology in the picture.

non standard ports

I can do translation on 1 FTP server (http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13776-6.html)

but when I try to add a second FTP server I get the following:

#ip nat inside source static 192.168.1.129 46.229.139.130
% similar static entry (192.168.1.236 -> x.x.y.y) already exists

 

Thank you.

Accepted Solution

Full address translation is where you unconditionally translate an outside address to an inside address as you've done below:

ip nat inside source static 192.168.1.129 46.229.139.130

This requires that all traffic, regardless of port or protocol, is translated to a single inside host. This doesn't allow you to translate to multiple inside hosts under most circumstances. (You can do it with route maps if you have known source and destination addresses for your traffic, but this isn't typical of Internet FTP sites.)

If you go with port-based address translation, where you're only translating traffic on particular ports, you can send ports on the same outside address to different hosts, like this:

ip nat inside source static tcp 192.168.1.129 21 46.229.139.130 21
ip nat inside source static tcp 192.168.1.130 21 46.229.139.130 2100

With this approach, you can use the instructions in the previously-linked document to add port numbers for FTP processing.

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca

9 Replies

ghostinthenet
Level 7
In this case, you're doing NAT entries for the full address of the server rather than just the FTP port. This isn't going to work because the router won't know which of the two inside addresses to translate to. You have a conflict.

If you want to forward FTP on a different port to a different server, you'll need to either use a second outside address if you want to keep using full address translation or you'll need to switch to forwarding ports. I recommend the first option because port-based NAT can be a little hairy with FTP.

If you really want to do multiple FTP ports with port-based NAT, you can use "ip nat service" command to define what ports the router should apply FTP behaviour to.

Full details can be found here: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13776-6.html

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca

Hello, Jody.

What do you mean by full address translation?

I have scope of user's pc and 2 FTP servers. Everything works only with one public IP address in one private subnet. I will try to figure out only option 2. Your link is very helpful for me and it's similar to my link above)

Could you provide a simple configuration example code for my case?

Thank you for information! =)

Hi Jody

This doesn't allow you to translate to multiple inside hosts under most circumstances

Just for my information, isn't that what the "extendable" keyword is used for, i.e. where you want to use the same local or global address for multiple translations?

Jon

The extendable keyword allows you to create overlapping translations for multiple global addresses. According to the documentation, you may be able to accomplish what you're trying to do using the extendable keyword with different local addresses, but I've only ever seen it used with multiple global addresses and/or ports. I recommend giving it a try and seeing if it works. The lab never lies. :)

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca

Hi Jon

Is there any option to configure 2 FTP servers?

Here is the initial config.

Hello! Just tested.

With this couple of strings of code in the following order:

ip nat inside source static tcp 192.168.1.236 582 y.y.u.u 582 extendable
ip nat inside source static tcp 192.168.1.129 1129 y.y.u.u 1129 extendable

FTP server 192.168.1.236 allows me to log in and list the directory, but I'm not able to download.

For FTP server 192.168.1.129, I'm not able to list the directory.

Is it possible to solve that case somehow?

You're missing the "ip nat service" command that we previously discussed. This is going to be necessary for the second server if you're using port-based translation.

If you can get a directory listing off of the first one, file transfers shouldn't be a problem. Is there a difference in behaviour between uploads and downloads?

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca

Hello Jody.

That's great! Thank you! I just added a couple of "ip nat service" commands and now it's working!

I also noticed one thing: the 2 FTP servers are Synology NAS units, and those FTP servers had been configured slightly differently. Look at the screenshot, with the checked box "Report external ip in PASV mode".

When the FTP server has the box checked, it doesn't work.

When the FTP server has the box unchecked, it does work.

I noticed that difference and fixed it.

I'm very interested in the reason for that difference.
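
A configuration consistent with where the thread ends up, as an added example that is not part of any original post: the two port-based static translations quoted above plus one "ip nat service" line per non-standard FTP control port. The interface names and ACL numbers 10 and 11 are assumptions; y.y.u.u is the masked public address from the thread and must be replaced with the real one.

```cisco
! Added example, not the poster's actual configuration.
! Assumed: interface names, ACL numbers 10 and 11.
! From the thread: inside addresses, ports 582 and 1129, masked global y.y.u.u.
!
interface GigabitEthernet0/0
 description WAN side (assumed interface name)
 ip nat outside
!
interface GigabitEthernet0/1
 description LAN side with both FTP servers (assumed interface name)
 ip nat inside
!
! Port-based static translations: one public address, one control port
! per inside server. No full-address static entry is configured, so the
! "similar static entry already exists" conflict does not arise.
ip nat inside source static tcp 192.168.1.236 582 y.y.u.u 582 extendable
ip nat inside source static tcp 192.168.1.129 1129 y.y.u.u 1129 extendable
!
! One ACL per server, matching its inside address.
access-list 10 permit 192.168.1.236
access-list 11 permit 192.168.1.129
!
! Define which non-standard ports the router applies FTP behaviour to.
ip nat service list 10 ftp tcp port 582
ip nat service list 11 ftp tcp port 1129
!
! Check from exec mode after a test login and directory listing:
!   show ip nat translations
!   debug ip nat
```

As the last post reports, both servers worked behind this kind of setup only with "Report external ip in PASV mode" unchecked.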