Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
909
Views
0
Helpful
2
Replies

Doing proper NAT to FTP connections on non-standard port

arshir
Level 1
Level 1

‎11-05-2004 07:03 AM - edited ‎03-02-2019 07:46 PM

Router 1712, IOS 12.3

There is an article from Cisco, "Using Non-Standard FTP Port Numbers with NAT".

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e76.shtml

It explains how to enable NATting router to perform proper translation of NAT-sensitive protocols, in this case FTP.

The article assumes that the FTP server in question is on the inside interface of the router.

The configuration proposed by the article is as follows:

interface Ethernet0

ip address 10.1.1.2 255.255.255.0

ip nat inside

!

interface Serial0

ip address 192.168.10.1 255.255.255.252

ip nat outside

!

ip nat service list 10 ftp tcp port 2021

ip nat inside source static 10.1.1.1 20.20.20.1

!

access-list 10 permit 10.1.1.1

In my case, the FTP server in question is on the outside interface. The router is performing source NAT for outbound connections. An example of my config is below:

interface Ethernet0

ip address 12.34.56.1 255.255.255.0

ip nat outside

!

interface Vlan324

ip address 10.1.1.2 255.255.255.0

ip nat inside

!

ip nat service list 10 ftp tcp port 2021

ip nat inside source static 10.1.1.100 12.34.56.100

!

access-list 10 permit 12.34.56.200

With this configuration, Layer 3 NAT is working. I'm able to establish an FTP control channel and issue FTP commands. However, I think that the IP addresses inside FTP control channel are not translated properly (to 12.34.56.100). Therefore, the FTP data channel is not working.

I tried to enable the following debug, however didn't see any entries related to FTP control channel translation:

debug ip nat

debug ip nat detailed

debug ip snat

debug ip snat detailed

debug ip ftp

debug ftpserver

My question is:

Is the "ip nat service list <acl> ftp tcp <port>" command supposed to work when the FTP server in question is on the outside interface of the translating router ?

Labels:
0 Helpful
2 Replies 2

simon.allen
Level 1
Level 1

‎02-08-2012 07:55 AM

Hi,

I see that this question was asked quite some time ago but I have come across the same issue, i.e when the server is on the outside interface the ip in the "PORT" command from the client is not translated.

Did you ever get a fix for it?

Thanks

0 Helpful

stanislavkuchuk
Level 1
Level 1

‎02-14-2012 08:18 PM

I'm trying to solve the same problem.

Is anyone who did that?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents