Doing proper NAT to FTP connections on non-standard port

Unanswered Question
Nov 5th, 2004

Router 1712, IOS 12.3

There is an article from Cisco, "Using Non-Standard FTP Port Numbers with NAT".

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml

It explains how to enable a NATting router to perform proper translation of NAT-sensitive protocols, in this case FTP.

The article assumes that the FTP server in question is on the inside interface of the router.

The configuration proposed by the article is as follows:

interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
interface Serial0
 ip address 192.168.10.1 255.255.255.252
 ip nat outside
!
ip nat service list 10 ftp tcp port 2021
ip nat inside source static 10.1.1.1 20.20.20.1
!
access-list 10 permit 10.1.1.1

In my case, the FTP server in question is on the outside interface. The router is performing source NAT for outbound connections. An example of my config is below:

interface Ethernet0
 ip address 12.34.56.1 255.255.255.0
 ip nat outside
!
interface Vlan324
 ip address 10.1.1.2 255.255.255.0
 ip nat inside
!
ip nat service list 10 ftp tcp port 2021
ip nat inside source static 10.1.1.100 12.34.56.100
!
access-list 10 permit 12.34.56.200

With this configuration, Layer 3 NAT is working. I'm able to establish an FTP control channel and issue FTP commands. However, I think that the IP addresses inside the FTP control channel are not translated properly (to 12.34.56.100). Therefore, the FTP data channel is not working.

I tried to enable the following debugs; however, I didn't see any entries related to FTP control channel translation:

debug ip nat
debug ip nat detailed
debug ip snat
debug ip snat detailed
debug ip ftp
debug ftpserver

My question is:

Is the "ip nat service list <acl> ftp tcp <port>" command supposed to work when the FTP server in question is on the outside interface of the translating router?

simon.allen Wed, 02/08/2012 - 07:55

Hi,

I see that this question was asked quite some time ago but I have come across the same issue, i.e. when the server is on the outside interface the IP in the "PORT" command from the client is not translated.

Did you ever get a fix for it?

Thanks
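A check for the symptom described in this thread, as an added example that is not part of the original posts: it reads FTP control-channel lines captured on the outside segment and reports whether the address in each PORT or EPRT command is the inside global address (12.34.56.100) or still the inside local one (10.1.1.100). The sample lines are constructed and the function names are hypothetical; the two addresses come from the static NAT line in the question.

```python
import ipaddress
import re

# From the post: ip nat inside source static 10.1.1.100 12.34.56.100
INSIDE_LOCAL = ipaddress.ip_address("10.1.1.100")
INSIDE_GLOBAL = ipaddress.ip_address("12.34.56.100")

PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT \|1\|([0-9.]+)\|(\d{1,5})\|\s*$", re.I)


def parse_active_cmd(line):
    """Return (address, tcp_port) advertised by a PORT/EPRT line, else None."""
    m = PORT_RE.match(line)
    if m:
        octets = [int(g) for g in m.groups()]
        if any(o > 255 for o in octets):
            return None
        addr = ipaddress.ip_address(".".join(map(str, octets[:4])))
        return addr, octets[4] * 256 + octets[5]  # port = p1*256 + p2
    m = EPRT_RE.match(line)
    if m:
        try:
            return ipaddress.ip_address(m.group(1)), int(m.group(2))
        except ValueError:
            return None
    return None


def audit(lines):
    """Classify every PORT/EPRT command seen on the outside segment."""
    findings = []
    for line in lines:
        parsed = parse_active_cmd(line)
        if parsed is None:
            continue  # not an active-mode command
        addr, port = parsed
        if addr == INSIDE_GLOBAL:
            verdict = "translated"
        elif addr == INSIDE_LOCAL or addr.is_private:
            verdict = "untranslated"  # payload was not rewritten by NAT
        else:
            verdict = "unexpected"
        findings.append((str(addr), port, verdict))
    return findings


# Constructed sample: client commands as captured on the outside segment.
SAMPLE = ["USER demo", "PORT 10,1,1,100,19,137",
          "PORT 12,34,56,100,19,137", "EPRT |1|10.1.1.100|5001|"]
```

An "untranslated" verdict on the outside segment means the server is being told to open its data connection to an address it cannot reach, which matches a working control channel with a failing data channel.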

Posted November 5, 2004 at 7:03 AM