Cisco CSS not NATing FTP 'data' connection

smhussain
Level 1

I have a CSS11501 that load balances traffic to 4 FTP servers.

2 of the 4 servers also initiate outbound FTP connections (Active mode) to other servers on the internet.

(When I talk about these 2 servers initiating an FTP session from behind the CSS, I will refer to them as 'clients' to avoid confusion.)

Inbound FTP traffic to all the servers works fine. The outbound active mode FTP traffic from the 2 clients is failing (passive FTP works).

I have defined both the 'content rules' and 'groups' (source groups) for these connections.

But what I see on the PIX is this:

PIX515-active %PIX-4-406002: FTP port command different address: 10.1.1.15(10.1.1.16) to xx.xx.xx.70 on interface inside

I believe this dropped packet on the PIX is the acknowledgement 'ACK' packet from the client (sitting behind the CSS) to the connection attempt from the server (on the internet) for the 'data' connection. Basically the CSS is not translating the source address of the client from 10.1.1.16 --> 10.1.1.15 (VIP) for this acknowledgement 'ACK' packet.

Here is the relevant config:

For inbound FTP:

service ftp1
  ip address 10.x.x.10
  active

service ftp2
  ip address 10.x.x.11
  active

content ftp
  application ftp-control
  add service ftp1
  add service ftp2
  vip address 10.x.x.21
  active

group ftp
  add service ftp1
  add service ftp2
  vip address 10.x.x.21
  active

For the FTP servers that initiate FTP traffic and receive FTP requests as well (i.e. inbound/outbound FTP):

service fftp1
  ip address 10.x.x.16
  active

service fftp01
  ip address 10.x.x.17
  active

content Fftp1   --> this does not have a VIP, but I tried adding a VIP the same as the source group, to no avail.
  application ftp-control
  add service fftp1
  protocol tcp
  port 2021
  add service fftp01
  active

group fget
  vip address 10.x.x.15
  add service fftp1
  add service fftp01
  active

Inbound FTP works fine without any issues. Even outbound FTP (passive mode) works fine.

However active mode FTP fails and I see this error on the PIX:

PIX515-active %PIX-4-406002: FTP port command different address: 10.1.1.15(10.1.1.16) to xx.xx.xx.70 on interface inside

What am I missing here to get active mode connections to work with the CSS, so that machines sitting behind the CSS can initiate active mode FTP connections? Do I need a content rule for the "data" connection as well?

1 Reply

Gilles Dufour
Cisco Employee

For active FTP to work, the CSS needs to inspect the FTP control connection and NAT the PORT command.

The CSS is told to do ftp inspection when you configure the 'application ftp' command.

But for connections initiated by the servers, the traffic does not hit any rule and no inspection is to be done.

Therefore the CSS will only NAT the IP header.

You could try to configure an FTP content rule with no VIP address, to catch all FTP traffic, and use a service pointing to your default gateway in transparent mode.

Then configure 'application ftp' to force FTP inspection.

It may work.

Haven't tested it.

Gilles.
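As an added illustration of the point made in the reply (example code written for this page, not part of the thread and not from any Cisco product): a small Python model of the two behaviours involved, the check behind the PIX 406002 message and the PORT-payload rewrite that an FTP-inspecting NAT has to perform when it translates the IP header. The addresses are the ones from the thread (client 10.1.1.16 behind VIP 10.1.1.15); the function names are assumptions of this example.

```python
import re

# Active-mode PORT command as sent on the control channel: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(line):
    """Return (ip, port) announced by a PORT command, or None if the line is not one."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    b = [int(x) for x in m.groups()]
    if any(x > 255 for x in b):
        return None  # a field above 255 is malformed; treat as not a valid PORT
    return ".".join(str(x) for x in b[:4]), b[4] * 256 + b[5]


def port_command_mismatch(src_ip, line):
    """The check behind %PIX-4-406002: compare the address embedded in the PORT
    payload with the IP header source. Returns the embedded address when they
    differ (the payload was forwarded un-NATed), otherwise None."""
    parsed = parse_port(line)
    if parsed is None or parsed[0] == src_ip:
        return None
    return parsed[0]


def nat_port_command(line, inside_ip, vip):
    """What an FTP-inspecting NAT has to do for active mode: rewrite the inside
    address in the PORT payload to the translated VIP, keeping the port bytes
    and leaving every other control-channel line untouched."""
    parsed = parse_port(line)
    if parsed is None or parsed[0] != inside_ip:
        return line
    port = parsed[1]
    fields = vip.split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(fields) + "\r\n"


if __name__ == "__main__":
    # Constructed sample: the client 10.1.1.16 behind the CSS sends a PORT command
    # while the source group translates the IP header to VIP 10.1.1.15.
    raw = "PORT 10,1,1,16,19,137\r\n"
    print(port_command_mismatch("10.1.1.15", raw))  # 10.1.1.16, the mismatch the PIX logs
    fixed = nat_port_command(raw, "10.1.1.16", "10.1.1.15")
    print(fixed.strip(), port_command_mismatch("10.1.1.15", fixed))  # PORT 10,1,1,15,19,137 None
```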