
Fwsm

randyg (Level 1)

I am trying to get FTPS working in active mode on my network, and I can't seem to find any information on how to do port forwarding, or on how to give my inside (NATed) clients access to an external FTPS server in active mode. The only info I can find is how to do a static NAT, but I would rather not if I don't have to. I apologize if I have posted this in the wrong place.

7 Replies

goldbergj (Level 1)

Hi Randy, the only way you can do this without giving your FTP server a public IP is to set up NAT. If you don't want to waste an entire public IP, you can do PAT (port address translation) and just forward the ftp and ftp-data ports to the internal address of the server. You will also need to add those ports to the access-list applied on the outside interface to allow the traffic into the "lobby", so to speak, before it is forwarded.

Hope this helps,

JG

Thanks for the reply; however, the FTP server is not part of my network, it is on the internet, and the clients are NATed behind the FWSM. Passive mode works to other FTP servers, but I cannot get active mode to work.

You won't be able to get FTPS working in active mode without opening ports and/or static NATing, as the inspect ftp engine can't read the PORT commands (they are SSL-encrypted) and thus can't open the temporary states for the data connection...

Do you know of an easy way to do this for my whole network with approx. 20-30 different VLAN subnets? Do I just need an access-list? Could you maybe post an example config for me?

You're pretty much stuck with the same problem active FTP had before the ftp fixup / inspect was available...

If you NAT your networks (to a single address) to go out on the internet, you can only do a static to one host, thus only one PC will be able to do active FTP(S)...

Your best chance is to convince whoever hosts the remote FTPS server to allow/configure passive FTPS, and for you to open all high-order ports (1024-65535) towards their FTPS server.

This shifts the burden of opening ports onto their end (which is usually more acceptable/manageable on the server's side).
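The two replies above make one mechanical point: an FTP inspection engine on a PAT firewall can only create the active-mode data pinhole if it can read the client's PORT command and rewrite it, and TLS hides that command; passive mode flips the direction so the client side only needs an outbound permit to the server's high ports. The following toy model of that inspector is an added example, not code from the original thread or from Cisco. The addresses (RFC 5737 documentation ranges), the PAT port, the captured control-channel lines and the names `Pinhole`, `inspect_line`, `inspect_stream` and `passive_target` are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
INSIDE_CLIENT = "10.1.1.25"      # NATed client behind the firewall
OUTSIDE_PAT_IP = "203.0.113.10"  # single public address the inside networks PAT to
SERVER_IP = "198.51.100.7"       # remote FTP/FTPS server on the internet

PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")
PASV_RE = re.compile(
    rb"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class Pinhole:
    """Temporary inbound permit plus translation created for one active-mode data connection."""
    server_ip: str
    server_port: int     # active mode: the server connects from ftp-data (20)
    public_ip: str
    public_port: int     # the (rewritten) address/port the server is told to connect to
    inside_ip: str
    inside_port: int     # where the firewall really forwards that connection


def parse_hostport(groups) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and 227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_port(ip: str, port: int) -> bytes:
    """Build a PORT command line for the given address and port."""
    return ("PORT " + ip.replace(".", ",") + f",{port // 256},{port % 256}\r\n").encode()


def inspect_line(line: bytes, pat_port: int) -> Tuple[bytes, Optional[Pinhole]]:
    """What an 'inspect ftp' engine does with one client->server control line.

    A readable PORT command is rewritten to the public PAT address/port and a
    pinhole is created so the server's inbound ftp-data connection is allowed
    and forwarded to the inside client. Any other bytes pass through untouched
    with no pinhole, which is exactly what happens to a TLS-encrypted PORT.
    """
    m = PORT_RE.match(line)
    if m is None:
        return line, None
    inside_ip, inside_port = parse_hostport(m.groups())
    rewritten = encode_port(OUTSIDE_PAT_IP, pat_port)
    return rewritten, Pinhole(SERVER_IP, 20, OUTSIDE_PAT_IP, pat_port, inside_ip, inside_port)


def inspect_stream(lines: List[bytes], first_pat_port: int = 40000) -> List[Pinhole]:
    """Run the toy inspector over a whole client->server control channel."""
    pinholes = []
    next_port = first_pat_port
    for line in lines:
        _, hole = inspect_line(line, next_port)
        if hole is not None:
            pinholes.append(hole)
            next_port += 1
    return pinholes


def passive_target(server_line: bytes) -> Optional[Tuple[str, int]]:
    """Passive mode: the server's 227 reply names the (ip, port) the client
    connects to outbound, so the client-side firewall needs no inbound pinhole,
    only an outbound permit to that high port. With FTPS the 227 is unreadable
    as well, hence the advice to open 1024-65535 towards the server."""
    m = PASV_RE.match(server_line)
    return None if m is None else parse_hostport(m.groups())


# Constructed control-channel captures (client -> server direction).
PLAIN_ACTIVE = [
    b"USER alice\r\n",
    b"PASS secret\r\n",
    b"PORT 10,1,1,25,19,137\r\n",   # client listens on 10.1.1.25:5001 (19*256+137)
    b"LIST\r\n",
]

# Explicit FTPS: after AUTH TLS the same commands travel inside TLS records, so
# the inspector sees opaque record bytes where the PORT line used to be.
FTPS_ACTIVE = [
    b"AUTH TLS\r\n",
    b"\x16\x03\x03\x00\x31" + bytes(49),          # handshake record, placeholder body
    b"\x17\x03\x03\x00\x2c" + bytes(range(44)),   # application-data record carrying "PORT ..."
    b"\x17\x03\x03\x00\x1a" + bytes(range(26)),   # application-data record carrying "LIST"
]

if __name__ == "__main__":
    print("plain FTP  :", inspect_stream(PLAIN_ACTIVE))   # one pinhole, PORT rewritten to the PAT address
    print("active FTPS:", inspect_stream(FTPS_ACTIVE))    # [] : no pinhole, the data connection is dropped
    print("passive 227:", passive_target(b"227 Entering Passive Mode (198,51,100,7,200,45).\r\n"))
```

The model also shows why a static NAT "fixes" it for exactly one host: with no readable PORT to rewrite, the only way the server's inbound ftp-data connection can reach an inside client is a fixed one-to-one translation plus a permanent permit, and a single public address can only be statically mapped to one inside host.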

Thanks to all who answered. I kind of thought this, but because no one ever trusts their own network guy, I thought I would pose the question here. Thanks again.

Thanks for the active conversation! Great to see folks helping each other. I am moving this to another part of the community so more can see and benefit.

Laura Douglas

Collaboration Community Manager