01-10-2008 06:32 PM - edited 03-03-2019 08:13 PM
I seem to be having an issue with my FTP (passive FTP). The thing to note is that whenever the router is freshly rebooted, everything works fine. No timeouts, no FTP problems or anything. However, as time wears on, we slowly start to get FTP connection issues. Hosts that were able to FTP yesterday are no longer able to FTP today.
I don't feel the issue is with the FTP server, as the server is able to receive FTPs just fine from inside the network. It is just these inbound FTP connections from the internet which continue to have issues.
Here are my relevant NAT configs:
ip nat inside source static tcp 192.168.0.1 20 1.2.3.4 20 extendable
ip nat inside source static tcp 192.168.0.1 21 1.2.3.4 21 extendable
Anyone know of anything which would cause issues such as this? Any NAT parameters or other things which might need to be adjusted?
Thanks for your help,
B Jim
01-10-2008 09:23 PM
Hi Jim,
In passive FTP, the server passively listens for both data and control signals.
The FTP server will give the FTP client a random port in the range > 1024 to connect to for data transmission,
and then your server would be accessed for the FTP data connection on those ports rather than on 20 (normally).
Check if this port is other than 20.
Also, do you have any inbound filter like an access-list, etc.? Check if those are blocking the port given by the server for the data connection.
arun
01-12-2008 01:37 PM
Hi,
Before you reboot the router next, capture "show tech-support" output.
How passive (PASV) FTP mode works:
command : client >1023 -> server 21
data    : client >1023 -> server >1023
Regards,
Dandy
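An added example (not from any poster in this thread) tying arun's and Dandy's replies to the original NAT lines: it parses a constructed FTP 227 PASV reply, computes the data port the server announces, and checks whether that port has a static translation. The NAT config is the one quoted in the question; the PASV reply and its port are constructed sample input.

```python
import re

# Static NAT lines quoted in the original post (only ports 20 and 21 forwarded).
NAT_CONFIG = """\
ip nat inside source static tcp 192.168.0.1 20 1.2.3.4 20 extendable
ip nat inside source static tcp 192.168.0.1 21 1.2.3.4 21 extendable
"""

# Constructed PASV reply in RFC 959 format: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2.
# Without an FTP ALG the server announces its private address, as here.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,0,1,195,80)"

NAT_RE = re.compile(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def forwarded_ports(config):
    """Map (inside_ip, inside_port) -> outside_port for each static TCP NAT line."""
    table = {}
    for line in config.splitlines():
        m = NAT_RE.search(line)
        if m:
            table[(m.group(1), int(m.group(2)))] = int(m.group(4))
    return table


def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply, or None if it is not a PASV reply."""
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_port_reachable(config, reply):
    """True only if the announced data port has a static translation.

    A passive data port above 1023 is not covered by the 20/21 entries, so the
    inbound data connection from the internet has no translation and fails.
    """
    parsed = parse_pasv(reply)
    return parsed is not None and parsed in forwarded_ports(config)


if __name__ == "__main__":
    ip, port = parse_pasv(SAMPLE_PASV_REPLY)
    print(f"server announced data port {port} on {ip}")
    print("reachable through NAT:", data_port_reachable(NAT_CONFIG, SAMPLE_PASV_REPLY))
```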
01-13-2008 01:00 PM
Are you using INSPECT FTP? We had an issue with our ASA with the INSPECT statement.
01-13-2008 02:03 PM
This is what I do not understand. This is 2008, not 1998. FTP should be banned. It is not only insecure, supporting it is a nightmare due to the nature of the protocol: control and data ports, whatever.
The best solution is to use SecureFTP. sFTP runs over ssh, so there is only one port, tcp port 22, to worry about. Easy to set up and configure. In the /etc/ssh/sshd_config, just enable it. Better yet, most Unix sshd comes with the sftp subsystem enabled by default.
sFTP is so easy to maintain and support, and secure, especially with an AES256-cbc with SHA-1 configuration.
my 2c