ACE Source NAT + inspect ftp

Unanswered Question
Oct 31st, 2008

Since upgrading to the A2 code from the 1.6.3 code you must apply inspect ftp on a layer 3 class.

This has broken my outbound NAT when using FTP, and I'm wondering what the workaround is. In A2, all of the 'inspect ftp' statements below are invalid. But I also don't know how I would be able to match the servers on a layer 3 basis to get the inspect ftp command to accept inside the class?

Right now I'm stuck on 1.6.3, which has a serious bug that warrants upgrading, but I'm not sure how to get FTP inspection inside my NAT classes.

policy-map multi-match NAT-Policy
  class DST-NAT-internal
    nat dynamic 500 vlan 410
  class DST-NAT-accuratenxg
    nat dynamic 131 vlan 310
  class DST-NAT-accurate1
    nat dynamic 21 vlan 310
  class DST-NAT-margin1p
    nat dynamic 22 vlan 310
  class DST-NAT-nuflowdb1p
    nat dynamic 23 vlan 310
  class DST-NAT-nuflowsch1
    nat dynamic 24 vlan 310
  class DST-NAT-nuflowweb
    nat dynamic 25 vlan 310
  class DST-NAT-reconapp1
    nat dynamic 26 vlan 310
  class DST-NAT-recondb1p
    nat dynamic 27 vlan 310
  class DST-NAT-clrdb1p
  class DST-NAT-bsatech-ftp
    nat dynamic 28 vlan 310
    inspect ftp
  class DST-NAT-bsatech
    nat dynamic 28 vlan 310
  class DST-NAT-bsaclearing-ftp
    nat dynamic 30 vlan 310
    inspect ftp
  class DST-NAT-bsaclearing
    nat dynamic 30 vlan 310
  class DST-NAT-gloss1
    nat dynamic 32 vlan 310
    connection advanced-options TCP_Timeout_Sybase
  class SRC-NAT-bpsadv1p
    nat dynamic 33 vlan 310
  class SRC-NAT-jedi1p
    nat dynamic 34 vlan 310
    inspect ftp

Gilles Dufour Tue, 11/04/2008 - 05:51

You should only apply the inspect ftp command to a class-map that matches x.x.x.x:21.

Do not apply it to anything else.

Make sure to run version A2(1.2)

CSCsr46740: FTP Inspect failing to fixup IP address in FTP PORT request


acennami Tue, 11/04/2008 - 06:38

OK, but how do I apply that on the outbound NAT, which is matched against a Layer 3 ACL?

(I also noted I could not create Layer 4 ACLs after upgrading)

Gilles Dufour Tue, 11/04/2008 - 06:45

You only need to inspect the control channel (normally port 21) on inbound.

Inspection should detect all your NATing (inbound and outbound) and do the rest correctly.

It was broken in A2(1.0) and was fixed in A2(1.2).
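An added illustration of the layout the replies describe (not configuration from the thread, from Cisco, or from the original poster): a separate Layer 3/4 class that matches only the FTP control port on the server address carries inspect ftp, while the NAT classes keep nothing but their nat statements. The address 192.0.2.21 is a constructed placeholder, and the match virtual-address form is assumed here as the way to express "matches x.x.x.x:21" on ACE A2; only the one class that is relevant to the FTP server is shown.

```cisco
! Layer 3/4 class for the FTP control channel only (TCP port 21 to the
! server address). Placeholder address, not taken from the thread.
class-map match-all FTP-CTRL-bsatech
  match virtual-address 192.0.2.21 255.255.255.255 tcp eq ftp

policy-map multi-match NAT-Policy
  ! NAT classes matched by the Layer 3 ACLs stay as they were, but
  ! without inspect ftp, which A2 rejects in these classes.
  class DST-NAT-bsatech-ftp
    nat dynamic 28 vlan 310
  class DST-NAT-bsatech
    nat dynamic 28 vlan 310
  ! inspect ftp lives only on the port-21 class; the fixup then
  ! rewrites the PORT/PASV addresses for the NAT applied above.
  class FTP-CTRL-bsatech
    inspect ftp
```

Per the reply above, the inspection is needed on the inbound side only, so the policy containing the port-21 class is applied where the FTP clients' traffic enters; the data channel needs no class of its own.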
