09-21-2010 04:25 AM
Hi everyone,
I have a problem with passive FTP and a fixed port range.
I configured an FTP server with a fixed port range of 60000 - 60500 for the data channel.
And the ACE is configured with "inspect ftp" in the policy of the ftp-serverfarm.
In a tcpdump on the server I can see that the server uses the port range in the response packet.
(x,x,x,x,34,195) = 60099
But on the client I can see that the port in the packet is changed to another port. The ACE is between server and client.
On CCO I found a document, http://www.ciscosystems.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/command/reference/policy.html#wp1006925, which says: "Enables FTP inspection. The ACE inspects FTP packets, translates the address and the port that are embedded in the payload, and opens up a secondary channel for data."
I don't understand why the ACE changes the port in the FTP payload.
Is it possible to create the same port range in the ACE configuration for the connection to the client?
Thanks
René
09-21-2010 07:45 AM
You don't need inspect ftp with one server because you can avoid it.
You can, for example, configure a loopback on the server with the VIP address and configure the serverfarm as transparent on the ACE.
Then for the data channel, since your range of ports is quite small, you can catch it with a class-map and simply forward it to the server.
Like this, the server will use the VIP address in all packets exchanged with the client (no need to NAT the payload), and when the client opens a data connection, the traffic is matched by the class-map and the connection can be forwarded to the server using the same transparent serverfarm.
Less chance to run into compatibility issues.
Better performance since we can switch traffic without inspecting its content.
Gilles.
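As an added example (mine, not from the original post or from Cisco documentation), here is an ACE configuration fragment for the two approaches contrasted in this thread: the "inspect ftp" setup described in the question, and the transparent-serverfarm setup without inspection described in this reply. All addresses and names are assumed: VIP 10.10.10.100, a single real server 192.168.10.11, control port 21, and the 60000-60500 passive range from the question.

```text
! ---- Objects shared by both approaches (assumed addresses/names) ----
rserver host FTP-SRV1
  ip address 192.168.10.11
  inservice

class-map match-all VIP-FTP-CTRL
  2 match virtual-address 10.10.10.100 tcp eq 21

! ---- Approach 1: inspect ftp (the setup from the question) ----
! The serverfarm NATs the destination to the real server, so the PASV
! reply carries the server's own address and a port in 60000-60500.
! "inspect ftp" makes the ACE rewrite that payload toward the client
! (VIP and a port chosen by the ACE), which is the change seen in the
! client-side capture.
serverfarm host SF-FTP-NAT
  rserver FTP-SRV1
    inservice

policy-map type loadbalance first-match LB-FTP-NAT
  class class-default
    serverfarm SF-FTP-NAT

policy-map multi-match PM-FTP-INSPECT
  class VIP-FTP-CTRL
    loadbalance vip inservice
    loadbalance policy LB-FTP-NAT
    inspect ftp

! ---- Approach 2: transparent serverfarm, no inspection ----
! "transparent" disables destination NAT: packets reach the server with
! the VIP as destination. The server owns the VIP on a loopback and
! advertises it in PASV replies, so nothing in the payload needs
! rewriting. A second class-map admits the fixed data-port range and
! hands it to the same serverfarm.
serverfarm host SF-FTP-TRANSP
  transparent
  rserver FTP-SRV1
    inservice

policy-map type loadbalance first-match LB-FTP-TRANSP
  class class-default
    serverfarm SF-FTP-TRANSP

class-map match-all VIP-FTP-DATA
  2 match virtual-address 10.10.10.100 tcp range 60000 60500

policy-map multi-match PM-FTP-TRANSPARENT
  class VIP-FTP-CTRL
    loadbalance vip inservice
    loadbalance policy LB-FTP-TRANSP
  class VIP-FTP-DATA
    loadbalance vip inservice
    loadbalance policy LB-FTP-TRANSP

! Only one of the two multi-match policies is applied to the client-facing
! interface; the transparent one is shown here (assumed VLAN and address).
interface vlan 100
  ip address 10.10.10.1 255.255.255.0
  service-policy input PM-FTP-TRANSPARENT
  no shutdown
```

For approach 2 the server side must cooperate: add the VIP to a loopback (on Linux, for example, `ip addr add 10.10.10.100/32 dev lo`) and make the FTP daemon advertise that address and the fixed range in its PASV replies (vsftpd: `pasv_address=10.10.10.100`, `pasv_min_port=60000`, `pasv_max_port=60500`), and make sure the server's return traffic is routed back through the ACE. Two caveats: only the VIP's 60000-60500 range is admitted by VIP-FTP-DATA, so keep that range identical on the server, and the approach only works with a single server; with two or more servers sharing the same passive range the port collision described in the other reply returns and "inspect ftp" is needed again.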
09-21-2010 04:47 AM
Assume a client C opens 2 FTP connections with VIP V.
Each connection is sent to a different server on the backend S1 and S2.
S1 tells C to open a data connection with port P.
S2 tells C to open a data connection with port P.
On the frontend, if the ACE does not rewrite the port, client C will receive 2 messages to open a connection with V:P.
How do we know which server it belongs to?
This is a load balancer, so we need to assume there is more than one server and that all servers can use the same port.
If you are using only 1 server, the config does not require ftp inspection.
Gilles.
09-21-2010 05:00 AM
Hello Gilles,
yes, you are right.
But why don't I need inspect ftp with only one server?
I think the FTP payload must be translated to the VIP and the class-map/access-list must accept the dynamic data port?
René