Cisco Support Community
Cisco ACE - FTP inspection with NAT

I need assistance getting FTP inspection to work with NAT.

NAT is working, but not with FTP inspection. When the client issues the PASV command, the server reply contains the original (not NAT'd) IP address. For example, this is what the client sees:

-> PASV
<- 227 Entering Passive Mode (192,168,200,114,7,175)

192.168.200.114 is the server's real IP. I want it to show the NAT'd IP, which is 10.16.20.114.
=== RELEVANT CONFIG ===

access-list NAT line 10 extended permit ip 192.168.200.0 255.255.255.0 any

class-map match-any NAT_CLASS
  3 match access-list NAT

class-map match-any FTP_TRAFFIC
  2 match port tcp eq ftp

policy-map multi-match multimatch_dmz.pm
  class NAT_CLASS
    nat static 10.16.22.0 netmask 255.255.255.0 vlan 100
  class FTP_TRAFFIC
    inspect ftp

interface vlan 36
  ip address 192.168.200.2 255.255.255.0
  alias 192.168.200.1 255.255.255.0
  peer ip address 192.168.200.3 255.255.255.0
  service-policy input management_vl36
  service-policy input multimatch_dmz.pm
  no shutdown

=== END ===


1 REPLY

I was able to find the solution. I was not applying 'inspect ftp' to the correct interface. FTP inspection needs to be applied on the interface facing the FTP client, which in my case is interface vlan 100 (not shown above). I was mistakenly applying it on the interface facing the FTP server.

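The following is an added example, not code from the thread or from Cisco. It models what the ACE "inspect ftp" engine has to do in the server-to-client direction for the problem described above: the 227 reply carries the server's real address inside the FTP payload, so plain L3 NAT leaves it untouched and the client tries to open its data connection to the pre-NAT address. The subnets are taken from the posted config (192.168.200.0/24 statically translated to 10.16.22.0/24, so host .114 becomes 10.16.22.114; the post's prose quotes 10.16.20.114, which the posted "nat static" line does not produce, and the code follows the config). The helper names, the sample replies and the client-view function are all hypothetical.

```python
import ipaddress
import re

# Added example; not the poster's or Cisco's code. Subnets from the posted config:
#   access-list NAT ... permit ip 192.168.200.0 255.255.255.0 any
#   nat static 10.16.22.0 netmask 255.255.255.0 vlan 100
# All function names below are hypothetical.
REAL_NET = ipaddress.ip_network("192.168.200.0/24")
NAT_NET = ipaddress.ip_network("10.16.22.0/24")

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^(227\b.*?)\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)(.*)$"
)


def static_nat(real_ip: str) -> str:
    """Translate one host of REAL_NET to the same host offset in NAT_NET,
    which is what a netmask-based 'nat static' on the ACE does."""
    ip = ipaddress.ip_address(real_ip)
    if ip not in REAL_NET:
        raise ValueError(f"{real_ip} is outside {REAL_NET}")
    offset = int(ip) - int(REAL_NET.network_address)
    return str(NAT_NET.network_address + offset)


def parse_pasv(line: str):
    """Return the (ip, port) a client would dial after a 227 reply, or None
    for any other line. The port is p1*256+p2."""
    m = PASV_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups()[1:7])
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def fixup_pasv(line: str, real_server_ip: str) -> str:
    """Server-to-client fixup: if the 227 reply embeds the real (pre-NAT) address
    of the translated server, rewrite it to the NAT'd address. Any other line,
    and any embedded address that is not the translated host, passes unchanged."""
    body = line.rstrip("\r\n")
    eol = line[len(body):]
    m = PASV_RE.match(body)
    if not m:
        return line
    prefix, h1, h2, h3, h4, p1, p2, suffix = m.groups()
    embedded = ".".join((h1, h2, h3, h4))
    if embedded != real_server_ip or ipaddress.ip_address(embedded) not in REAL_NET:
        return line
    a, b, c, d = static_nat(embedded).split(".")
    return f"{prefix}({a},{b},{c},{d},{p1},{p2}){suffix}{eol}"


def client_view(replies, real_server_ip: str, inspect: bool):
    """What the client sees: raw replies when FTP inspection is not in the
    server-to-client path, fixed-up replies when it is."""
    if not inspect:
        return list(replies)
    return [fixup_pasv(r, real_server_ip) for r in replies]


# Constructed sample replies (server side), not captured from the poster's network.
SERVER_REPLIES = [
    "220 ftp ready\r\n",
    "227 Entering Passive Mode (192,168,200,114,7,175)\r\n",
]

if __name__ == "__main__":
    for inspect in (False, True):
        label = "inspected" if inspect else "raw      "
        for reply in client_view(SERVER_REPLIES, "192.168.200.114", inspect):
            print(f"{label} {reply.rstrip()}")
            parsed = parse_pasv(reply)
            if parsed:
                print(f"          client will connect to {parsed[0]}:{parsed[1]}")
```

Run it to see the two client views side by side: without the fixup the client is told to open its data connection to 192.168.200.114:1967, which is exactly the symptom in the first post, and the reply also hands the outside client the server's RFC 1918 address. The fixup only runs on the path toward the client, which is why the reply's fix is to attach the inspection policy to the client-facing interface (vlan 100 in this thread) rather than the server-facing vlan 36.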