Intermittent FTP Troubles?

Unanswered Question
Jan 10th, 2008

I seem to be having an issue with my FTP (passive FTP). The thing to note is that whenever the router is freshly rebooted, everything works fine. No timeouts, no FTP problems or anything. However, as time wears on, we slowly start to get FTP connection issues. Hosts that were able to FTP yesterday are no longer able to FTP today.

I don't feel the issue is with the FTP server, as the server is able to receive FTPs just fine from inside the network. It is just these inbound FTP connections from the internet which continue to have issues.

Here are my relevant NAT configs:

ip nat inside source static tcp 192.168.0.1 20 1.2.3.4 20 extendable

ip nat inside source static tcp 192.168.0.1 21 1.2.3.4 21 extendable

Anyone know of anything which would cause issues such as this? Any NAT parameters or other things which might need to be adjusted?

Thanks for your help,

B Jim

s.arunkumar Thu, 01/10/2008 - 21:23

Hi Jim,

In passive FTP, the server passively listens for both data and control signals.

The FTP server will give the FTP client a random port in the range > 1024 to connect to for data transmission.

Your server would then be accessed for the FTP data connection on those ports rather than on 20 (normally).

Check if this port is other than 20.

Also, do you have any inbound filters like access lists, etc.? Check if those are blocking the port given by the server for the data connection.

arun

Danilo Dy Sat, 01/12/2008 - 13:37

Hi,

Before you reboot the router next, capture "show tech-support" output.

How passive (PASV) FTP mode works:

command : client >1023 -> server 21

data : client >1023 -> server >1023

Regards,

Dandy
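To make the port arithmetic in the two replies above concrete, here is an added Python example (not from the thread, not Cisco's code): it parses a 227 PASV reply, derives the data port as p1*256 + p2, and checks whether that port is covered by the static NAT lines quoted in the question. The NAT lines are the ones from the question; the PASV reply is a constructed sample.

```python
import ipaddress
import re

# The two static NAT lines quoted in the question.
NAT_CONFIG = """
ip nat inside source static tcp 192.168.0.1 20 1.2.3.4 20 extendable
ip nat inside source static tcp 192.168.0.1 21 1.2.3.4 21 extendable
"""
# Constructed sample: a PASV reply as the server would send it on the control channel.
PASV_REPLY = "227 Entering Passive Mode (192,168,0,1,195,80)."

NAT_RE = re.compile(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def forwarded_ports(config: str) -> dict:
    """Map (outside_ip, outside_port) -> (inside_ip, inside_port) per static TCP NAT line."""
    mapping = {}
    for m in NAT_RE.finditer(config):
        inside_ip, inside_port, outside_ip, outside_port = m.groups()
        mapping[(outside_ip, int(outside_port))] = (inside_ip, int(inside_port))
    return mapping


def parse_pasv(reply: str) -> tuple:
    """Return (ip, port) advertised in a 227 reply; port = p1*256 + p2 (RFC 959)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def data_connection_reachable(reply: str, config: str, outside_ip: str) -> dict:
    """Decide whether an Internet client could reach the advertised passive data port
    through the static NAT alone, i.e. with no FTP ALG rewriting the reply."""
    ip, port = parse_pasv(reply)
    fwd = forwarded_ports(config)
    return {
        "advertised_ip": ip,
        "advertised_port": port,
        # An RFC 1918 address in the reply means nothing translated it on the way out.
        "ip_is_private": ipaddress.ip_address(ip).is_private,
        # Only ports with a static translation are reachable without ALG state.
        "port_forwarded": (outside_ip, port) in fwd,
    }


if __name__ == "__main__":
    print(data_connection_reachable(PASV_REPLY, NAT_CONFIG, "1.2.3.4"))
```

With only ports 20 and 21 translated, the data port 50000 in the sample reply is not forwarded, which is exactly the gap an FTP ALG or a matching inbound rule has to cover.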

smitty6504 Sun, 01/13/2008 - 13:00

Are you using INSPECT FTP? We had an issue with our ASA with the INSPECT statement.

cisco24x7 Sun, 01/13/2008 - 14:03

This is what I do not understand. This is 2008, not 1998. FTP should be banned.

It is not only insecure, supporting it is a nightmare due to the nature of the protocol, control and data ports, whatever.

The best solution is to use SecureFTP. sFTP runs over ssh so there is only one port, tcp port 22, to worry about. Easy to set up and configure. In the /etc/ssh/sshd_config, just enable it. Better yet, most Unix sshds come with the sftp subsystem enabled by default.

sFTP is so easy to maintain and support, and secure especially with AES256-cbc with SHA-1 configuration.

my 2c
