NAT and FTP problem

Unanswered Question
Jan 28th, 2008

I have a NATed client trying to FTP to a server on the Internet. The server is blocking the FTP connection because it sees the private address of my client. Is there a setting on the firewall to prevent this from happening?

ajagadee Mon, 01/28/2008 - 09:39

What is the NATing device? Is this a PIX/ASA firewall or a router? If this is a PIX/ASA, do you have fixup configured? Can you post your configuration along with details on the IP addresses of the FTP client and FTP server?

** Please rate all helpful posts **

randyclark Mon, 01/28/2008 - 10:39

The NATing device is an ASA 5520. The client is being NATed. I'm not sure about the server.

srue Mon, 01/28/2008 - 11:17

Make sure you have FTP inspection enabled in your global policy:

inspect ftp

If that doesn't work, please post what happens when you FTP to this server and exactly how it 'fails'.

cisco24x7 Mon, 01/28/2008 - 11:24

As a test, on the ASA do this:

fixup protocol ftp 21
nat (inside) 1 0 0
global (outside) 1 interface
access-list test permit ip any any log
access-group test in interface inside
access-group test in interface outside

Now from a host inside the ASA, perform an FTP connection. I have an FTP server on the Internet. If you give me your public IP address, I can add it to my Checkpoint security policy so that you can test connecting to it.

CCIE Security

randyclark Mon, 01/28/2008 - 13:14

This is what is happening on the client side. It's not using the standard port 21 but port 1021.

connecting to




Host type (S):UNIX (standard)


227 Entering Passive Mode(149,149,15,100,59,23)

connecting to


!Conntection failed refused

!connect error 0

PORT 172,20,46,74,7,132

500| I won't open a connection to to

!Failed "port"
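
The session pasted above shows both FTP data-connection modes and where NAT breaks one of them: the PASV reply carries the server's public address, while the client's PORT command carries its own private address, which the server refuses. As an added example (not from this thread and not Cisco code), the following Python decodes those two control-channel messages from a constructed copy of the session, works out the endpoints, and flags the private address the server would see; rewriting that embedded address to the public one is what the ASA's FTP inspection (inspect ftp, formerly fixup protocol ftp) does on the wire. The public address 203.0.113.10 is an assumed placeholder.

```python
"""Decode FTP PASV/PORT endpoints and show why a NATed active-mode transfer fails.

Added example for this thread, not ASA or Cisco code. The session below is
constructed from the log the poster pasted (same addresses); the public
address 203.0.113.10 is an assumed placeholder for the NATed client.
"""
import ipaddress
import re

# 227 reply and PORT command both encode an endpoint as h1,h2,h3,h4,p1,p2 (RFC 959)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

# Constructed copy of the control-channel lines from the post above.
SESSION = [
    "227 Entering Passive Mode(149,149,15,100,59,23)",
    "!Conntection failed refused",
    "PORT 172,20,46,74,7,132",
    "500 I won't open a connection to ...",  # the original post elides the address
]


def decode_hostport(fields):
    """Turn the six comma-separated fields into (ip, port); port = p1*256 + p2."""
    ip = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    return ip, port


def encode_port(ip, port):
    """Build a PORT command for an endpoint; this is the rewrite an FTP ALG performs."""
    octets = ip.split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def parse_session(lines):
    """Return the endpoints announced on the control channel as (mode, ip, port)."""
    endpoints = []
    for line in lines:
        m = PASV_RE.search(line)
        if m:
            ip, port = decode_hostport(m.groups())
            endpoints.append(("PASV", ip, port))
            continue
        m = PORT_RE.match(line.strip())
        if m:
            ip, port = decode_hostport(m.groups())
            endpoints.append(("PORT", ip, port))
    return endpoints


def check_nat_problems(endpoints, client_public_ip):
    """Flag PORT commands that announce an RFC 1918 address.

    The server will try to connect back to that address and either refuse
    outright (the 500 reply in the log) or fail, which is the symptom in the
    thread. An FTP-aware NAT rewrites the address to client_public_ip instead.
    """
    problems = []
    for mode, ip, port in endpoints:
        if mode == "PORT" and ipaddress.ip_address(ip).is_private:
            fixed = encode_port(client_public_ip, port)
            problems.append(
                f"PORT announces private {ip}:{port}; server sees traffic from "
                f"{client_public_ip}. FTP inspection would send: {fixed}"
            )
    return problems


if __name__ == "__main__":
    eps = parse_session(SESSION)
    for mode, ip, port in eps:
        print(f"{mode}: data connection endpoint {ip}:{port}")
    for problem in check_nat_problems(eps, "203.0.113.10"):
        print(problem)
```

Running it shows the passive attempt targeted 149.149.15.100:15127 (refused for reasons the log does not reveal) and that the client then fell back to active mode and announced 172.20.46.74:1924 to the server. Only the second case is a NAT translation problem, and only FTP inspection on the ASA (or passive mode succeeding) gets around it, because plain address translation never touches the address embedded in the FTP payload.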

cisco24x7 Mon, 01/28/2008 - 14:28

fixup protocol ftp 1021

As a security person, I am very surprised that people still use FTP these days. Not only is the protocol insecure, you will run into issues like this.

I noticed that the FTP server box is a Unix box. If that is the case, why not use SecureFTP (sFTP)? sFTP is a component of the sshd daemon, which is very secure. You can configure it to run at AES256-cbc with sha-1 and allow ssh outbound access. Everything will be ok after that.

This is 2008, not 1998. FTP and TFTP should be banned due to their inherently weak security. TFTP should be replaced by Secure Copy (scp).

CCIE Security

randyclark Wed, 01/30/2008 - 05:49

I don't know why they are still using FTP. It's another college that has the FTP server. Maybe they fear change. I'll try the fixup ftp 1021 command and post the results.

Inspect is the new command on the ASA for fixup correct?
