I have a problem with passive FTP with a fixed port range.
I configured an FTP server with a fixed port range of 60000 - 60500 for the data channel.
And the ACE is configured with "inspect ftp" on the policy of ftp-serverfarm.
In a tcpdump on the server I can see that the server uses the port range in the response packet.
(x,x,x,x,34,195) = 60099
But on the client I can see that the port in the packet is changed to another port. The ACE is between server and client.
On CCO I found a document (http://www.ciscosystems.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/command/reference/policy.html#wp1006925) that says: "Enables FTP inspection. The ACE inspects FTP packets, translates the address and the port that are embedded in the payload, and opens up a secondary channel for data."
I don't understand why the ACE changes the port in the FTP payload.
Is it possible to configure the same port range on the ACE for the connection to the client?
You don't need inspect ftp with one server, because you can avoid it.
You can for example configure a loopback on the server with the VIP address and configure the serverfarm as transparent on the ACE.
Then for the data channel, since your range of ports is quite small, you can catch it with a class-map and simply forward it to the server.
Like this, the server will use the VIP address in all packets exchanged with the client (no need to NAT the payload) and when the client opens a data connection, the traffic is matched with the class-map and the connection can be forwarded to the server using the same transparent serverfarm.
Less chance to run into compatibility issues.
Better performance since we can switch traffic without inspecting its content.
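As an added example (not part of the original thread and not Cisco's own configuration), here is what the approach in the reply above looks like on the ACE: a transparent serverfarm, one class-map for the control channel and one for the fixed passive range, both forwarded to the same serverfarm, and no "inspect ftp". The VIP 192.0.2.10, the real server 10.1.1.10, VLAN 100 and all object names are assumed placeholders.

```cisco
! Added example, not from the original thread. Addresses, VLAN and names are assumed.
! Real FTP server. It must also carry the VIP 192.0.2.10 on a loopback interface,
! otherwise it will not accept the untranslated traffic that the transparent serverfarm sends it.
rserver host ftp1
  ip address 10.1.1.10
  inservice

! transparent: the ACE forwards to the rserver without NATing the destination (the VIP).
! The server therefore builds its control socket on the VIP and puts the VIP and a port
! from its own range into the 227 reply, so the payload needs no rewriting.
serverfarm host ftp-serverfarm
  transparent
  rserver ftp1
    inservice

! Control channel: client -> VIP:21
class-map match-all ftp-ctrl
  2 match virtual-address 192.0.2.10 tcp eq ftp

! Data channel: client -> VIP:60000-60500, the server's fixed passive range
class-map match-all ftp-data
  2 match virtual-address 192.0.2.10 tcp range 60000 60500

policy-map type loadbalance first-match ftp-lb
  class class-default
    serverfarm ftp-serverfarm

! No "inspect ftp" on either class: both are plain L4 forwards to the same transparent serverfarm
policy-map multi-match ftp-vips
  class ftp-ctrl
    loadbalance vip inservice
    loadbalance policy ftp-lb
  class ftp-data
    loadbalance vip inservice
    loadbalance policy ftp-lb

! Client-facing interface (address and ACL as for any ACE interface, omitted here)
interface vlan 100
  service-policy input ftp-vips
  no shutdown
```

On the server side, add the VIP to the loopback (on Linux, for example, `ip addr add 192.0.2.10/32 dev lo`) and keep the daemon's passive range pinned to 60000-60500 (for vsftpd that is `pasv_min_port=60000` and `pasv_max_port=60500`; other daemons have an equivalent setting). Two things to check afterwards: a tcpdump on the client should now show the 227 reply carrying the VIP and a port inside 60000-60500 unchanged, and the server's return traffic must still pass through the ACE, which the poster's inline placement already gives. Note that the ftp-data class opens the whole 60000-60500 range on the VIP to every client the interface ACL admits, with only the FTP daemon deciding which ports are actually listening, so size the range to the number of concurrent transfers you expect rather than larger.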