ACE FTP inspect with port range

Answered Question
Sep 21st, 2010

Hi everyone,

I have a problem with passive FTP with fixed port range.

I configured a ftp server with a fixed port range of 60000 - 60500 for the data channel.

And the ace is configured with "inspect ftp" on policy of ftp-serverfarm.

In a tcpdump on the server I can see that the server uses the port range in the response packet.

(x,x,x,x,34,195) = 60099

But on the client I can see that the port in the packet is changed to another port. The ACE is between server and client.

On CCO I found a document (http://www.ciscosystems.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/command/reference/policy.html#wp1006925) which says: "Enables FTP inspection. The ACE inspects FTP packets, translates the address and the port that are embedded in the payload, and opens up a secondary channel for data."

I don't understand why the ACE changes the port in the FTP payload.

Is it possible to create the same port range in the ACE configuration of the connection to the client?

Thanks

René

Gilles Dufour Tue, 09/21/2010 - 04:47

Assume a Client C opens 2 FTP connections with vip V.

Each connection is sent to a different server on the backend S1 and S2.

S1 tells C to open a data connection with port P.

S2 tells C to open a data connection with port P.

On the frontend, if ACE does not rewrite the port, client C will receive 2 messages to open a connection with V:P.

How do we know which server it belongs to ???

This is a loadbalancer, so we need to assume there are more than 1 server and that all servers can use the same port.

If you are using only 1 server, the config does not require ftp inspection.

Gilles.

renekrueger Tue, 09/21/2010 - 05:00

Hello Gilles,

yes, you are right.

But why don't I need inspect ftp for only one server?

I think the FTP payload must be translated to the VIP, and the class-map/access-list must accept the dynamic data port?

René

Correct Answer
Gilles Dufour Tue, 09/21/2010 - 07:45

You don't need inspect ftp with one server because you can avoid it.

You can for example configure a loopback on the server with the vip address and configure the serverfarm as transparent on ACE.

Then for the data channel, since your range of ports is quite small, you can catch it with a class-map and simply forward to the server.

Like this, the server will use the vip address in all packets exchanged with the client (no need to nat the payload) and when the client opens a data connection, the traffic is matched with the class-map and the connection can be forwarded to the server using the same transparent serverfarm.

Less chance to run into compatibility issues.

Better performance since we can switch traffic without inspecting its content.

Gilles.
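An added configuration sketch of the approach Gilles describes (not from the thread, not Cisco's own example): one transparent serverfarm, one L4 class-map for the FTP control port and one for the 60000-60500 data range, and no `inspect ftp`. The VIP 10.1.1.10 and the server address 10.1.1.20 are assumed values; the server itself must carry 10.1.1.10 on a loopback so that its PASV replies already embed the VIP.

```text
! rserver: the real FTP host; it also has the VIP 10.1.1.10 on a loopback
rserver host FTP1
  ip address 10.1.1.20
  inservice

! transparent: ACE forwards to the server without rewriting the destination IP,
! so the server sees (and answers from) the VIP and the payload needs no NAT
serverfarm host SF-FTP
  transparent
  rserver FTP1
  inservice

! control channel: VIP on port 21
class-map match-all VIP-FTP-CTRL
  2 match virtual-address 10.1.1.10 tcp eq ftp

! data channel: the server's fixed passive range, caught as a plain L4 VIP
class-map match-all VIP-FTP-DATA
  2 match virtual-address 10.1.1.10 tcp range 60000 60500

policy-map type loadbalance first-match LB-FTP
  class class-default
    serverfarm SF-FTP

! both classes use the same transparent serverfarm; note there is no
! "inspect ftp" here, which is the point of the single-server design
policy-map multi-match VIPS
  class VIP-FTP-CTRL
    loadbalance vip inservice
    loadbalance policy LB-FTP
  class VIP-FTP-DATA
    loadbalance vip inservice
    loadbalance policy LB-FTP

interface vlan 100
  service-policy input VIPS
```

Only ports 60000-60500 are exposed on the VIP, so the data VIP stays as narrow as the server's own passive range; with more than one real server behind SF-FTP this layout breaks for the reason given earlier in the thread (two servers may hand out the same port), and `inspect ftp` becomes necessary again.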
