Cisco Support Community
New Member

Passive FTP through a CSS 11500

Hi all!

I'm having some real issues getting Passive FTP to work through my CSS - the setup is a fairly normal one: 2 VLANs (ext and internal); a content group with the application ftp setting and a group specifying the service to control NATing. Active FTP works just fine, which, I'm led to believe, is the more difficult of the two to get working. With Passive, I see the control connection set up, but when the client goes to connect to the high data port (which we have forced to a single port - 3000) all communication ceases and we see this in a capture:

FTP: Resp. to Port 1679, '227 Entering Passive Mode (172,21,30,248,11,184)'

43 17.812500 LOCAL 000ED792F60C TCP Control Bits: ....S., len: 0, seq:1220116563-1220116564, ack: 0, win:65535, src: 1680 dst: 3000

44 17.812500 000ED792F60C LOCAL ICMP Destination Unreachable: 172.21.30.248 (See frame 43) VS_VIP LONNS02 IP

Can anybody tell me for certain that Passive FTP can work with a CSS? Nothing I've read states that categorically. Can you point me in the right direction with how it might be configured, as I'm thinking that I have a NAT issue somewhere...

Many Thanks

Oli

3 REPLIES
Cisco Employee

Re: Passive FTP through a CSS 11500

What version?

Can we get the config with the content rule and the group?

Gilles.

New Member

Re: Passive FTP through a CSS 11500

Hi! Version is 07.50.1.03.

Here's my config:

!*************************** GLOBAL ***************************
no restrict web-mgmt
console authentication secondary local
virtual authentication secondary local
username admin des-password zc1h3hbfccbaqazdccyetchbnawcohag superuser
logging buffer 5000
ftp-record vsftp1 172.21.30.235 ftpuser des-password eagh1hidzbuhxhre
ftp-record vsftp2 172.21.30.236 ftpuser des-password eagh1hidzbuhxhre
ip route 0.0.0.0 0.0.0.0 172.21.30.254 1
ip route 172.21.30.0 255.255.255.0 172.21.30.254 1

!************************* INTERFACE *************************
interface e1
  description "DMZ"

interface e2
  description "LONVSWEB01"

interface e4
  description "LONVSWEB02"

!************************** CIRCUIT **************************
circuit VLAN1
  description "Webservers"
  ip address 172.21.30.249 255.255.255.0

!************************** SERVICE **************************
service LONVSWEB01
  ip address 172.21.30.235
  keepalive type tcp
  active

service LONVSWEB02
  keepalive type tcp
  ip address 172.21.30.236
  active

service vsftp1
  ip address 172.21.30.235
  active

service vsftp2
  ip address 172.21.30.236
  active

!*************************** OWNER ***************************
owner VS_VIP

  content VS_FTPSERVERS
    vip address 172.21.30.250
    protocol tcp
    application ftp-control
    add service vsftp2
    add service vsftp1
    active

  content VS_SMTPSERVERS
    protocol tcp
    port 25
    advanced-balance sticky-srcip
    vip address 172.21.30.250
    add service LONVSWEB01
    add service LONVSWEB02
    active

  content VS_SSL_TCP443
    protocol tcp
    port 443
    add service LONVSWEB02
    vip address 172.21.30.250
    advanced-balance sticky-srcip
    add service LONVSWEB01
    active

  content VS_WEBSERVERS
    protocol tcp
    port 80
    add service LONVSWEB02
    vip address 172.21.30.250
    advanced-balance sticky-srcip
    add service LONVSWEB01
    active

!*************************** GROUP ***************************
group vsftp
  vip address 172.21.30.250
  add destination service vsftp2
  active

Cisco Employee

Re: Passive FTP through a CSS 11500

Could you replace the line "add destination service vsftp2" with "add service vsftp2" and also add the same line for the 2nd service?

Let me know if it works.

If not, could you capture a sniffer trace on client and server to see what is going on.

Thanks,

Gilles.
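
Added example, not part of the thread or of any poster's code: when reading a trace like the one in the first post, the 227 reply can be decoded and checked against the address and passive port the client is expected to reach. The function names are hypothetical, and using the VIP 172.21.30.250 from the posted config as the client's control address is an assumption.

```python
import ipaddress
import re

# 227 reply body per RFC 959: h1,h2,h3,h4,p1,p2 (data port = p1*256 + p2)
PASV_RE = re.compile(r"\b227\b[^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply; raise ValueError if malformed."""
    m = PASV_RE.search(line)
    if not m:
        raise ValueError("no 227 passive-mode reply found")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in 227 reply")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def check_pasv(line, control_ip, allowed_ports):
    """Compare the advertised data endpoint with what the client can reach.

    control_ip: address the client used for the control connection.
    allowed_ports: passive port range opened/NATed for the data channel.
    Returns a list of findings; an empty list means the reply is consistent.
    """
    ip, port = parse_pasv(line)
    findings = []
    if ip != ipaddress.IPv4Address(control_ip):
        findings.append(
            f"advertised address {ip} differs from control address {control_ip}")
    if port not in allowed_ports:
        findings.append(
            f"advertised port {port} is outside the allowed passive range")
    return findings


if __name__ == "__main__":
    # Reply line copied from the capture in the first post.
    reply = "FTP: Resp. to Port 1679, '227 Entering Passive Mode (172,21,30,248,11,184)'"
    print(parse_pasv(reply))
    # Assumption: the control connection went to the VIP in the posted config,
    # and only the single forced passive port 3000 is permitted.
    for finding in check_pasv(reply, "172.21.30.250", range(3000, 3001)):
        print("MISMATCH:", finding)
```

Running the same check on a client-side and a server-side capture shows whether the address in the 227 reply is rewritten on its way through the load balancer.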
