05-06-2008 09:38 PM
I have a CSS11501 that load balances traffic to 4 FTP servers.
2 of the 4 servers also initiate outbound FTP connections (Active mode) to other servers on the internet.
(When I talk about these 2 servers initiating an FTP session from behind the CSS I will refer to them as 'clients' to avoid confusion.)
Inbound FTP traffic to all the servers works fine. The outbound Active mode FTP traffic from the 2 clients is failing (passive FTP works).
I have defined both the 'content rules' and 'groups' (source groups) for these connections.
But what I see on the PIX is this:
PIX515-active %PIX-4-406002: FTP port command different address: 10.1.1.15(10.1.1.16) to xx.xx.xx.70 on interface inside
I believe this dropped packet on the PIX is the acknowledgement 'ACK' packet from the client(sitting behind the CSS) to the connection attempt from the server (on the internet) for the 'data' connection. And basically the CSS is not translating the source address of the client from 10.1.1.16 -->10.1.1.15(VIP) for this acknowledgement 'ACK' packet.
Here is the relevant config:
For inbound FTP:
service ftp1
  ip address 10.x.x.10
  active
service ftp2
  ip address 10.x.x.11
  active
content ftp
  application ftp-control
  add service ftp1
  add service ftp2
  vip address 10.x.x.21
  active
group ftp
  add service ftp1
  add service ftp2
  vip address 10.x.x.21
  active
For FTP servers that initiate FTP traffic and receive FTP requests as well (i.e. inbound/outbound FTP):
service fftp1
  ip address 10.x.x.16
  active
service fftp01
  ip address 10.x.x.17
  active
content Fftp1
  application ftp-control
  add service fftp1
  protocol tcp
  port 2021
  add service fftp01
  active
(The content rule Fftp1 does not have a VIP. I tried adding a VIP the same as the source group's, but to no avail.)
group fget
  vip address 10.x.x.15
  add service fftp1
  add service fftp01
  active
Inbound FTP works fine without any issues. Even outbound FTP (passive mode) works fine.
However active mode FTP fails and I see this error on the PIX:
PIX515-active %PIX-4-406002: FTP port command different address: 10.1.1.15(10.1.1.16) to xx.xx.xx.70 on interface inside
What am I missing here to get active mode connections to work with the CSS, so that machines sitting behind the CSS can initiate active mode FTP connections? Do I need a content rule for the "data" connection as well?
05-08-2008 08:21 AM
For active FTP to work, the CSS needs to inspect the FTP control connection and NAT the PORT command.
The CSS is told to do FTP inspection when you configure the 'application ftp' command.
But for connections initiated by the servers, the traffic does not hit any rule and no inspection is done.
Therefore the CSS will only NAT the IP header.
You could try to configure an ftp content rule with no vip address - to catch all ftp traffic and use a service pointing to your default gateway in transparent mode.
Then configure 'application ftp' to force ftp inspection.
It may work.
Haven't tested it, though.
Gilles.
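The following is an added illustration of the mechanism Gilles describes; it is not code from the thread or from any Cisco product. It models one PORT command leaving the inside client: the IP header source is always translated to the VIP, but the address embedded in the PORT payload is only rewritten when an application-layer gateway (the CSS 'application ftp-control' inspection) is in the path. A downstream firewall check then compares the two, which is exactly the condition behind the %PIX-4-406002 message quoted above. The addresses 10.1.1.16 (inside client) and 10.1.1.15 (VIP) are taken from that PIX message; the port number and the PORT line are constructed sample input.

```python
import re

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port(command):
    """Return (ip, port) advertised by a PORT command, or None if it is not a well-formed PORT."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        return None
    return ip, port


def build_port(ip, port):
    """Inverse of parse_port: encode an ip/port pair in PORT syntax."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def check_port_command(command, header_src_ip):
    """The consistency check a firewall's FTP inspection applies: the address inside
    the PORT command must equal the source address of the IP header carrying it."""
    parsed = parse_port(command)
    if parsed is None:
        return "not-port"
    advertised_ip, _ = parsed
    return "ok" if advertised_ip == header_src_ip else "mismatch"


def alg_rewrite(command, inside_ip, vip):
    """Application-layer NAT of the PORT payload: the step the CSS performs only when
    an 'application ftp-control' rule matches the control connection.
    Non-PORT commands, and PORT commands for other addresses, pass through unchanged."""
    parsed = parse_port(command)
    if parsed is None or parsed[0] != inside_ip:
        return command
    return build_port(vip, parsed[1])


def simulate(command, inside_ip, vip, alg_enabled):
    """Walk one control-channel command from the inside client to the firewall.
    Header NAT (inside_ip -> vip) always happens; the payload is rewritten only
    when the ALG is enabled. Returns (payload as seen by the firewall, verdict)."""
    header_src = vip
    payload = alg_rewrite(command, inside_ip, vip) if alg_enabled else command
    return payload, check_port_command(payload, header_src)


INSIDE_CLIENT = "10.1.1.16"  # inside address from the PIX message in the thread
VIP = "10.1.1.15"            # translated (VIP) address from the PIX message
SAMPLE = build_port(INSIDE_CLIENT, 1025)  # constructed: "PORT 10,1,1,16,4,1"

if __name__ == "__main__":
    for alg in (False, True):
        payload, verdict = simulate(SAMPLE, INSIDE_CLIENT, VIP, alg)
        print("ALG %s: %-22s header src %s -> %s" % ("on " if alg else "off", payload, VIP, verdict))
```

With the ALG off, the firewall sees header source 10.1.1.15 but payload 10.1.1.16, the same pair the PIX prints as "10.1.1.15(10.1.1.16)", and the result is a mismatch; with the ALG on, the payload is rewritten to the VIP and the check passes. The same comparison is a useful detection rule on any firewall in front of a load balancer or NAT device: a steady stream of PORT-address mismatches from one inside host usually means an FTP flow is bypassing inspection rather than anything malicious.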